From owner-freebsd-security@freebsd.org Thu Jan 4 15:53:37 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 72E1CEBEAF7 for ; Thu, 4 Jan 2018 15:53:37 +0000 (UTC) (envelope-from brett@lariat.org) Received: from mail.lariat.net (mail.lariat.net [66.62.230.51]) by mx1.freebsd.org (Postfix) with ESMTP id 24A696FAB7 for ; Thu, 4 Jan 2018 15:53:36 +0000 (UTC) (envelope-from brett@lariat.org) Received: from Toshi.lariat.org (IDENT:ppp1000.lariat.net@localhost [127.0.0.1]) by mail.lariat.net (8.9.3/8.9.3) with ESMTP id IAA17267; Thu, 4 Jan 2018 08:52:43 -0700 (MST) Message-Id: <201801041552.IAA17267@mail.lariat.net> X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9 Date: Thu, 04 Jan 2018 08:52:23 -0700 To: Dag-Erling Smørgrav , Erich Dollansky From: Brett Glass Subject: Re: Intel hardware bug Cc: "freebsd-security@freebsd.org" , "Ronald F. Guilmette" In-Reply-To: <86vaghu0ps.fsf@desk.des.no> References: <02563ce4-437c-ab96-54bb-a8b591900ba0@FreeBSD.org> <19876.1515025752@segfault.tristatelogic.com> <20180104132807.266fe46c.freebsd.ed.lists@sumeritec.com> <86vaghu0ps.fsf@desk.des.no> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1"; format=flowed Content-Transfer-Encoding: 8bit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 Jan 2018 15:53:37 -0000 At 08:01 AM 1/4/2018, Dag-Erling Smørgrav wrote: >This is irrelevant. We are talking about timing-based side-channel >attacks. The attacker is not able to access protected memory directly, >but is able to deduce its contents by repeatedly performing illegal >memory accesses and then checking how they affect the cache. This is something I do not yet fully understand; perhaps someone here on the list can help explain it to me. The "Spectre" attack is claimed to work by altering the contents of the cache via a speculatively executed instruction. But the contents of that memory are not revealed directly to the program. So, how does it deduce the contents of physical memory merely from the fact that there's a cache miss on its address? --Brett Glass