From owner-freebsd-security@freebsd.org  Thu Jan  4 15:53:37 2018
Return-Path: <owner-freebsd-security@freebsd.org>
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 72E1CEBEAF7
 for <freebsd-security@mailman.ysv.freebsd.org>;
 Thu,  4 Jan 2018 15:53:37 +0000 (UTC)
 (envelope-from brett@lariat.org)
Received: from mail.lariat.net (mail.lariat.net [66.62.230.51])
 by mx1.freebsd.org (Postfix) with ESMTP id 24A696FAB7
 for <freebsd-security@freebsd.org>; Thu,  4 Jan 2018 15:53:36 +0000 (UTC)
 (envelope-from brett@lariat.org)
Received: from Toshi.lariat.org (IDENT:ppp1000.lariat.net@localhost
 [127.0.0.1]) by mail.lariat.net (8.9.3/8.9.3) with ESMTP id IAA17267;
 Thu, 4 Jan 2018 08:52:43 -0700 (MST)
Message-Id: <201801041552.IAA17267@mail.lariat.net>
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Thu, 04 Jan 2018 08:52:23 -0700
To: Dag-Erling Smørgrav <des@des.no>,
        Erich Dollansky <freebsd.ed.lists@sumeritec.com>
From: Brett Glass <brett@lariat.org>
Subject: Re: Intel hardware bug
Cc: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>,
 "Ronald F. Guilmette" <rfg@tristatelogic.com>
In-Reply-To: <86vaghu0ps.fsf@desk.des.no>
References: <02563ce4-437c-ab96-54bb-a8b591900ba0@FreeBSD.org>
 <19876.1515025752@segfault.tristatelogic.com>
 <20180104132807.266fe46c.freebsd.ed.lists@sumeritec.com>
 <86vaghu0ps.fsf@desk.des.no>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"; format=flowed
Content-Transfer-Encoding: 8bit
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Jan 2018 15:53:37 -0000

At 08:01 AM 1/4/2018, Dag-Erling Smørgrav wrote:

>This is irrelevant.  We are talking about timing-based side-channel
>attacks.  The attacker is not able to access protected memory directly,
>but is able to deduce its contents by repeatedly performing illegal
>memory accesses and then checking how they affect the cache.

This is something I do not yet fully understand; perhaps someone here
on the list can help explain it to me. The "Spectre" attack is claimed
to work by altering the contents of the cache via a speculatively
executed instruction. But the contents of that memory are not revealed
directly to the program. So, how does it deduce the contents of physical
memory merely from the fact that there's a cache miss on its address?

--Brett Glass