Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 04 Jan 2018 09:21:24 -0700
From:      Brett Glass <brett@lariat.org>
To:        Eric McCorkle <eric@metricspace.net>, Dag-Erling Smørgrav <des@des.no>, Erich Dollansky <freebsd.ed.lists@sumeritec.com>
Cc:        "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>, "Ronald F. Guilmette" <rfg@tristatelogic.com>
Subject:   Re: Intel hardware bug
Message-ID:  <201801041621.JAA17566@mail.lariat.net>
In-Reply-To: <736a2b77-d4a0-b03f-8a6b-6a717f5744d4@metricspace.net>
References:  <02563ce4-437c-ab96-54bb-a8b591900ba0@FreeBSD.org> <19876.1515025752@segfault.tristatelogic.com> <20180104132807.266fe46c.freebsd.ed.lists@sumeritec.com> <86vaghu0ps.fsf@desk.des.no> <201801041552.IAA17267@mail.lariat.net> <736a2b77-d4a0-b03f-8a6b-6a717f5744d4@metricspace.net>
next in thread | previous in thread | raw e-mail | index | archive | help 
At 09:03 AM 1/4/2018, Eric McCorkle wrote:

>The attack looks like this:
>
>1) Fetch kernel/other process memory, which eventually faults
>2) Do a bit-shift/mask operation to pluck out one bit of the fetched
>value.  This gets executed speculatively on the fetched value in (1).
>3) Execute fetches of two different addresses depending on some bit in
>the fetched value in (1) (say, 0x100000 for 0 vs 0x200000 for 1).  This
>also gets executed speculatively despite the fact that (1) ends up faulting.
>4) Recover from fault in (1)
>5) Measure performance of accesses to the two addresses to determine
>which one is cached.

Hmmmm. The obvious way to combat this would be to make this class of fault
fatal rather than allowing recovery to occur. Of course, this would 
reveal errors
in sloppy code, which some developers would not like. (I recall how much some
folks squawked back in the olden days, when segmentation faults - remember
segments? - revealed bugs in their code. I, personally, liked segmentation
because I was a perfectionist.... I wanted my code to crash dramatically if
there was an error so I could fix it.)

--Brett Glass

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201801041621.JAA17566>