Date:      Fri, 5 Jan 2018 15:25:34 +0000 (UTC)
From:      Jules Gilbert <repeatable_compression@yahoo.com>
To:        Dag-Erling Smørgrav <des@des.no>
Cc:        "Ronald F. Guilmette" <rfg@tristatelogic.com>,  Eric McCorkle <eric@metricspace.net>,  Freebsd Security <freebsd-security@freebsd.org>,  Poul-Henning Kamp <phk@phk.freebsd.dk>,  "freebsd-arch@freebsd.org" <freebsd-arch@freebsd.org>,  FreeBSD Hackers <freebsd-hackers@freebsd.org>,  Shawn Webb <shawn.webb@hardenedbsd.org>,  Nathan Whitehorn <nwhitehorn@freebsd.org>
Subject:   Re: Intel hardware bug
Message-ID:  <302406914.1010662.1515165934929@mail.yahoo.com>
In-Reply-To: <861sj4tlak.fsf@desk.des.no>
References:  <736a2b77-d4a0-b03f-8a6b-6a717f5744d4@metricspace.net> <2594.1515141192@segfault.tristatelogic.com> <809675000.867372.1515146821354@mail.yahoo.com> <861sj4tlak.fsf@desk.des.no>

Ah, sorry I'm wrong.  I apologize.  I won't intrude further.  I spoke up because selectively choosing to read sections of kernel memory is one thing, obtaining useful information from an arbitrary block of kernel memory you don't get to choose is quite another.
But there are several people here I respect very much and if they say I'm wrong about an area they focus on,... me bad.

On Friday, January 5, 2018, 9:48:50 AM EST, Dag-Erling Smørgrav <des@des.no> wrote:

Jules Gilbert <repeatable_compression@yahoo.com> writes:
> Sorry guys, you just convinced me that no one, not the NSA, not the
> FSB, no one!, has in the past, or will in the future be able to
> exploit this to actually do something not nice.

The technique has already been proven by multiple independent parties to
work quite well, allowing an attacker to read kernel memory at speeds of
up to 500 kB/s.  But I guess you know better...

DES
-- 
Dag-Erling Smørgrav - des@des.no
Date:      Fri, 5 Jan 2018 08:40:39 -0800
From:      Nathan Whitehorn <nwhitehorn@freebsd.org>
To:        C Bergström <cbergstrom@pathscale.com>, Eric McCorkle <eric@metricspace.net>
Cc:        FreeBSD Hackers <freebsd-hackers@freebsd.org>, "freebsd-arch@freebsd.org" <freebsd-arch@freebsd.org>, Shawn Webb <shawn.webb@hardenedbsd.org>, Freebsd Security <freebsd-security@freebsd.org>, Poul-Henning Kamp <phk@phk.freebsd.dk>, "Ronald F. Guilmette" <rfg@tristatelogic.com>, Dag-Erling Smørgrav <des@des.no>, Brett Glass <brett@lariat.org>, Jules Gilbert <repeatable_compression@yahoo.com>
Subject:   Re: Intel hardware bug
Message-ID:  <df99a36a-4e81-58c2-284e-c2fcdebb6040@freebsd.org>
In-Reply-To: <CAOnawYpe5V-kUn4tLWKyBcDmsKqUP9-VNRhfDG48VMFWFbq6Vw@mail.gmail.com>
References:  <736a2b77-d4a0-b03f-8a6b-6a717f5744d4@metricspace.net> <2594.1515141192@segfault.tristatelogic.com> <809675000.867372.1515146821354@mail.yahoo.com> <250f3a77-822b-fba5-dcd7-758dfec94554@metricspace.net> <CAOnawYpe5V-kUn4tLWKyBcDmsKqUP9-VNRhfDG48VMFWFbq6Vw@mail.gmail.com>

On 01/05/18 06:55, C Bergström wrote:
> On Fri, Jan 5, 2018 at 8:42 PM, Eric McCorkle <eric@metricspace.net> wrote:
>
>> On 01/05/2018 05:07, Jules Gilbert wrote:
>>> Sorry guys, you just convinced me that no one, not the NSA, not the FSB,
>>> no one!, has in the past, or will in the future be able to exploit this
>>> to actually do something not nice.
>> Attacks have already been demonstrated, pulling secrets out of kernel
>> space with meltdown and http headers/passwords out of a browser with
>> spectre.  Javascript PoCs are already in existence, and we can expect
>> them to find their way into adware-based malware within a week or two.
>>
>> Also, I'd be willing to bet you a year's rent that certain three-letter
>> organizations have known about and used this for some time.
>>
>>> So what is this, really?, it's a market exploit opportunity for AMD.
>> Don't bet on it.  There's reports of AMD vulnerabilities, also for ARM.
>> I doubt any major architecture is going to make it out unscathed.  (But
>> if one does, my money's on Power)
>>
> Nope, the only arch that I'm aware of that gets past this is SPARC(hah!)
> due to the separate userland and kernel memory virtualization.

POWER has the same thing. It's actually stronger separation, since user 
processes don't share addresses either -- all processes, including the 
kernel, have windowed access to an 80-bit address space, so no process 
can even describe an address in another process's address space. There 
are ways, of course, in which IBM could have messed up the 
implementation, so the fact that it *should* be secure does not mean it 
*is*.

SPARC avoids the issue because almost all implementations are in-order.
-Nathan
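The address-space argument in the message above is easy to lose in prose, so here is an added toy model (not code from the thread, the FreeBSD project, or any real ISA) that contrasts the two designs being discussed: a segmented scheme where each process holds a private window of segment mappings onto a global virtual address space, versus a flat scheme where the kernel is mapped at the same effective addresses in every process. It goes slightly beyond the message by showing the flat case as well. Every name, field width and constant (`SEGMENT_BITS`, `VsidAllocator`, `KERNEL_BASE`, the ESIDs used) is an assumption for illustration, not a PowerISA or x86 fact.

```python
"""Toy model of address translation, added to illustrate the isolation point in
the thread. In the segmented design a process can only reach segments present in
its own table, so it cannot even form an address naming another address space's
memory. In the flat design the effective address itself is the global name, so a
user process can name kernel memory and only a privilege check stands in the way
(the check Meltdown-class attacks exploit transiently).

All names, widths and constants below are assumptions for illustration, not a
description of the PowerISA, x86, or any real operating system."""

SEGMENT_BITS = 28                      # assumed: 256 MiB segments
SEGMENT_MASK = (1 << SEGMENT_BITS) - 1


class SegmentFault(Exception):
    """Raised when an effective address falls in a segment the process lacks."""


class VsidAllocator:
    """Hands out virtual segment IDs (VSIDs) that are globally unique (assumed)."""

    def __init__(self):
        self._next = 1                 # 0 reserved as "no segment"

    def allocate(self):
        vsid = self._next
        self._next += 1
        return vsid


class SegmentedAddressSpace:
    """One process's private window onto the global virtual address space."""

    def __init__(self, name, allocator):
        self.name = name
        self._allocator = allocator
        self._segments = {}            # ESID -> VSID; only these are reachable

    def map_segment(self, esid, vsid=None):
        # A fresh VSID by default; sharing one is an explicit kernel decision.
        self._segments[esid] = vsid if vsid is not None else self._allocator.allocate()
        return self._segments[esid]

    def translate(self, effective_addr):
        """Effective address -> global virtual address, or SegmentFault."""
        esid = effective_addr >> SEGMENT_BITS
        vsid = self._segments.get(esid)
        if vsid is None:
            raise SegmentFault(f"{self.name}: ESID {esid:#x} not mapped")
        return (vsid << SEGMENT_BITS) | (effective_addr & SEGMENT_MASK)

    def can_name(self, virtual_addr):
        """True if some effective address of this process translates to virtual_addr."""
        return (virtual_addr >> SEGMENT_BITS) in self._segments.values()


class FlatAddressSpace:
    """Flat design: the kernel's range sits at a fixed high effective address in
    every process, so effective address and global name are the same thing."""

    KERNEL_BASE = 0xFFFF800000000000   # assumed split, constructed for the demo

    def __init__(self, name):
        self.name = name

    def translate(self, effective_addr):
        return effective_addr          # identity: no per-process indirection

    def can_name(self, virtual_addr):
        # Any process can form a pointer into the kernel range; isolation rests
        # solely on the privilege check performed at access time.
        return 0 <= virtual_addr < (1 << 64)


def demo():
    """Returns (user_va, kernel_va, segmented_user_can_name_kernel, flat_user_can_name_kernel)."""
    allocator = VsidAllocator()
    kernel = SegmentedAddressSpace("kernel", allocator)
    user = SegmentedAddressSpace("user", allocator)
    kernel.map_segment(esid=0xC00)     # constructed ESID for a kernel segment
    user.map_segment(esid=0x0)         # the user process's segment 0

    kernel_va = kernel.translate((0xC00 << SEGMENT_BITS) | 0x1000)
    user_va = user.translate(0x1000)
    # The user table holds no ESID mapped to the kernel's VSID, so no effective
    # address the user can form ever translates into the kernel's segment.
    segmented_reachable = user.can_name(kernel_va)
    flat_user = FlatAddressSpace("user")
    flat_reachable = flat_user.can_name(flat_user.translate(FlatAddressSpace.KERNEL_BASE + 0x1000))
    return user_va, kernel_va, segmented_reachable, flat_reachable


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two processes translating the same offset to different global addresses, the segmented user process unable to name the kernel segment at all, and the flat user process able to form the kernel address trivially; the mitigation side of that contrast is the motivation for unmapping the kernel from user page tables on flat designs.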