AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |
Back to Blog
Linux lite meltdown spectre12/4/2023 It's real, it's far worse than the most paranoid security scenarios ever imagined, and if you aren't under constant attack then you either don't realize you are being attacked, or your turn hasn't come yet. Many people who should be able to see and understand this stuff better than me still speak as if this is overblown. Not sure if I get attacked more than the average person (it seems to me I should be a boring target to either criminal or state attackers) or if there is widespread (psychological) denial. Every Intel and AMD processor I have is attacked remotely almost every day. And it is very easily exploited remotely. ![]() Several AMD FX and at least one APU are affected. Additionally, because of the reference to "recent program behavior" in Intel's optimization manual, a bunch of conditional branches that are always taken were inserted in front of the indirect call. Before each indirect call, the function pointer stored in memory was flushed out to main memory using CLFLUSH to widen the speculation time window. Both indirect calls were performed through the same callsite. The injecting process performed indirect calls to a function that accesses a (per-process) test variable the measuring process performed indirect calls to a function that tests, based on timing, whether the per-process test variable is cached, and then evicts it using CLFLUSH. Both instances were executed with ASLR disabled and had the same code at the same addresses. We are actively engaging with the Linux community, including Linus, as we seek to work together on solutions.Based on the assumption that branch predictor state is shared between hyperthreads, we wrote a program of which two instances are each pinned to one of the two logical processors running on a specific physical core, where one instance attempts to perform branch injections while the other measures how often branch injections are successful. “We take the feedback of industry partners seriously. In response to the e-mail chain, Intel released the following statement: “The whole IBRS_ALL ( Indirect Branch Restricted Speculation) feature to me very clearly says “Intel is not serious about this, we’ll have a ugly hack that will be so expensive that we don’t want to enable it by default, because that would look bad in benchmarks” Torvalds suggests. If this is such a big problem, then why is there even an opt in option? The addition of protections against an exploit already mitigated by Google Project Zero’s “retpoline” technique is also a questionable move on Intel’s part. Instead of just doing so across the board however, the administrator has to opt in at boot. ![]() “Is Intel really planning on making this shit architectural? Has anybody talked to them and told them they are f*cking insane? Please, any Intel engineers here – talk to your managers.” says Torvalds. Mostly, Torvalds is criticizing how sloppy Intel’s handling of it is. The two have been exchanging ideas and discussing Intel’s “fix” implementation. ![]() The statements come from a public e-mail chain between Torvalds and David Woodhouse, an engineer at Amazon in the UK. He calls it “COMPLETE AND UTTER GARBAGE” and claims it does “insane things” among other phrases. The always outspoken Linus Torvalds has some choice words to say about Intel and their handling of the Meltdown/Spectre flaw.
0 Comments
Read More
Leave a Reply. |