Date:      Fri, 5 Jan 2018 10:07:01 +0000 (UTC)
From:      Jules Gilbert <repeatable_compression@yahoo.com>
To:        "Ronald F. Guilmette" <rfg@tristatelogic.com>,  Eric McCorkle <eric@metricspace.net>,  Freebsd Security <freebsd-security@freebsd.org>,  Brett Glass <brett@lariat.org>,  Dag-Erling Smørgrav <des@des.no>,  Poul-Henning Kamp <phk@phk.freebsd.dk>,  "freebsd-arch@freebsd.org" <freebsd-arch@freebsd.org>,  FreeBSD Hackers <freebsd-hackers@freebsd.org>,  Shawn Webb <shawn.webb@hardenedbsd.org>,  Nathan Whitehorn <nwhitehorn@freebsd.org>
Subject:   Re: Intel hardware bug
Message-ID:  <809675000.867372.1515146821354@mail.yahoo.com>
In-Reply-To: <2594.1515141192@segfault.tristatelogic.com>
References:  <736a2b77-d4a0-b03f-8a6b-6a717f5744d4@metricspace.net> <2594.1515141192@segfault.tristatelogic.com>

Sorry guys, you just convinced me that no one (not the NSA, not the FSB, no one!) has in the past, or will in the future, be able to exploit this to actually do something not nice.
I'm not saying that the hardware shouldn't be fixed, I am saying that we don't need to worry about this.
In the early days of DOS there was a hardware bug in nearly all floppy controllers; it wasn't even discovered until (I think) 1985 or so. The thing is..., no one reported unusual problems.
So what is this, really? It's a market exploit opportunity for AMD.

    On Friday, January 5, 2018, 3:33:31 AM EST, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:

In message <736a2b77-d4a0-b03f-8a6b-6a717f5744d4@metricspace.net>,
Eric McCorkle <eric@metricspace.net> wrote:

>The attack looks like this:
>
>1) Fetch kernel/other process memory, which eventually faults
>2) Do a bit-shift/mask operation to pluck out one bit of the fetched
>value. This gets executed speculatively on the fetched value in (1).
>3) Execute fetches of two different addresses depending on some bit in
>the fetched value in (1) (say, 0x100000 for 0 vs 0x200000 for 1). This
>also gets executed speculatively despite the fact that (1) ends up faulting.
>4) Recover from fault in (1)
>5) Measure performance of accesses to the two addresses to determine
>which one is cached.


I must say, that's one hell of a round-about way to read just one bit that
you weren't supposed to have access to. But of course, that doesn't really
matter if you are an attacker.

If the above steps can be repeated, programmatically, ad infinitum, to read
bits from "protected" memory... and I see no reason why they can't be...
then yea, this bug is every bit as bad as the media is making it out to be,
and maybe even worse.

All your secrets are belong to us!

Time to invest in abacuses... or is that abacai?


Regards,
rfg
_______________________________________________
freebsd-security@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Subject: Re: Intel hardware bug
To: Jules Gilbert <repeatable_compression@yahoo.com>,
 "Ronald F. Guilmette" <rfg@tristatelogic.com>,
 Freebsd Security <freebsd-security@freebsd.org>,
 Brett Glass <brett@lariat.org>, Dag-Erling Smørgrav
 <des@des.no>, Poul-Henning Kamp <phk@phk.freebsd.dk>,
 "freebsd-arch@freebsd.org" <freebsd-arch@freebsd.org>,
 FreeBSD Hackers <freebsd-hackers@freebsd.org>,
 Shawn Webb <shawn.webb@hardenedbsd.org>,
 Nathan Whitehorn <nwhitehorn@freebsd.org>
References: <736a2b77-d4a0-b03f-8a6b-6a717f5744d4@metricspace.net>
 <2594.1515141192@segfault.tristatelogic.com>
 <809675000.867372.1515146821354@mail.yahoo.com>
From: Eric McCorkle <eric@metricspace.net>
Message-ID: <250f3a77-822b-fba5-dcd7-758dfec94554@metricspace.net>
Date: Fri, 5 Jan 2018 07:42:53 -0500
In-Reply-To: <809675000.867372.1515146821354@mail.yahoo.com>

On 01/05/2018 05:07, Jules Gilbert wrote:
> Sorry guys, you just convinced me that no one, not the NSA, not the FSB,
> no one!, has in the past, or will in the future be able to exploit this
> to actually do something not nice.

Attacks have already been demonstrated, pulling secrets out of kernel
space with Meltdown and HTTP headers/passwords out of a browser with
Spectre.  JavaScript PoCs are already in existence, and we can expect
them to find their way into adware-based malware within a week or two.

Also, I'd be willing to bet you a year's rent that certain three-letter
organizations have known about and used this for some time.

> So what is this, really?, it's a market exploit opportunity for AMD.

Don't bet on it.  There are reports of AMD vulnerabilities, also for ARM.
I doubt any major architecture is going to make it out unscathed.  (But
if one does, my money's on Power.)


