Meltdown/Spectre: Unauthorized Disclosure of Kernel Memory

Naib · Posted: Fri Jan 05, 2018 12:50 am Post subject:

I just tried it on my patched BUT disabled system...

gengreen · Apprentice Joined: 23 Dec 2017 Posts: 150

The Main Man · Posted: Fri Jan 05, 2018 12:55 am Post subject:

Well, I just realized that there is only a patch for Meltdown , for Spectre there's no cure at the moment and this test is for Spectre.
It's all so confusing

Still... I have to figure out why it's not working on my machine (which is good , I guess

)

gengreen · Apprentice Joined: 23 Dec 2017 Posts: 150

The Main Man · Posted: Fri Jan 05, 2018 12:59 am Post subject:

gengreen · Apprentice Joined: 23 Dec 2017 Posts: 150

The Main Man · Posted: Fri Jan 05, 2018 1:07 am Post subject:

eccerr0r · Posted: Fri Jan 05, 2018 1:16 am Post subject:

The PoC seems not to be clean for generic x86 as it uses clflush and rdtsc, so watch out for those older machines...
Also seems to be problems with my rdtsc on qemu KVM, so that bombs out.

Works scarily fine on 64-bit on an i7.
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

ct85711 · Veteran Joined: 27 Sep 2005 Posts: 1791

Well, I complied it on my AMD A10-7850k (APU) system, and it appears to not be vulnerable to this issue.
Note: I did not do anything special to compile it, beyond a straight gcc Source.c using gcc-7.2.0.

nokilli · Apprentice Joined: 25 Feb 2004 Posts: 237

And I was all set to go all-in on Ethereum and its web3 stuff. Dapps, if you weren't aware, are highly javascript-dependent and of course, are dealing with passphrases and private keys for which loss offers little hope of recovery.

There are some of us who were waiting to see what the powers-that-be response to crypto would be. It is known that these same people have for long worked hard to subvert the security of our computer systems and for their own gain. Now we see a very conveniently-timed reveal of just such a subversion. Total market cap of crypto recently crossed $.75T USD.
_________________
We are the block device. The kernel is our client.

Hu · Administrator Joined: 06 Mar 2007 Posts: 23071

Ronaldlees · n00b Joined: 14 Dec 2017 Posts: 10

gengreen · Apprentice Joined: 23 Dec 2017 Posts: 150

A question remain and need some expert on this domain to give a proper answer since I haven't the sufficient knowledge in the low programming level :

This is not first time that their hardware are compromised :

- https://www.techrepublic.com/article/is-the-intel-management-engine-a-backdoor/
- http://news.softpedia.com/news/intel-x86-cpus-come-with-a-secret-backdoor-that-nobody-can-touch-or-disable-505347.shtml

Intel is a very big corporate and have probably multi billion of dollars, I don't get how this kind of bug can be a mistake. They have an unlimited (almost) budget, skilled dev / worker to make a product of quality.

From intel

eccerr0r · Posted: Fri Jan 05, 2018 7:01 am Post subject:

Should I be glad I haven't

emerge -e @world

on all my machines yet (after a new compiler is available)? Sounds like this will be needed again to work around spectre?
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

nokilli · Apprentice Joined: 25 Feb 2004 Posts: 237

eccerr0r · Posted: Fri Jan 05, 2018 8:06 am Post subject:

They say that this was a problem ever since the ppro in 1994; I still have a ppro but unsure how to hack the code to test it as the PoC uses rdtsc and clflush which aren't supported by this old processor. I suspect the problem still exists but harder to ensure the code actually "worked" versus side effect of a context swap or interrupt which could invalidate the slurped data. (Anyone got this to work on a Core2, I can't seem to get rdtsc to work on my core2 machines.)

Incidentally, disabling rdtsc probably would make it harder to swipe data though it does NOT fix the problem as the problem still manifests without it.

Now the question I do have... Anyone with an Alpha and could test this, I'm curious... They say that ia64 does not have this problem (VLIW...)

[Edit] It seems rdtsc should have been available since the Pentium; so perhaps need to figure out why it's showing up as an invalid instruction...
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

Aiken · Posted: Fri Jan 05, 2018 8:40 am Post subject:

PrSo · Tux's lil' helper Joined: 01 Jun 2017 Posts: 136

krinn · Watchman Joined: 02 May 2003 Posts: 7470

Interresting, to read it you have to flush the cpu cache, but it's an sse2 instruction.
https://software.intel.com/en-us/cpp-compiler-18.0-developer-guide-and-reference-cacheability-support-intrinsics

So unability to use _mm_clflush doesn't protect from it, but avoid the cache flush and so avoid it.
on my affect core2 running x86 it couldn't flush its cache.

Watcom · n00b Joined: 12 Apr 2006 Posts: 21

You can flush (evict) the cache by reading from a large array. It's less convenient, but still possible. It's actually described in the paper.

krinn · Watchman Joined: 02 May 2003 Posts: 7470

I knew it wasn't that easy, else it would had been made already

anyone also notice that pie made it worst?
when using the test program with -pie -fpie i get higher score (the program count backward, the higher the score, the fastest it has find the info), without pie i nearly always get a 2 score.
that's just for oddity, because as long as score is >0 you're doom.
(however i'm using pie with gcc 5.4, which might not be as good as 6.4)

Ant P. · Watchman Joined: 18 Apr 2009 Posts: 6920

JuNix · Posted: Fri Jan 05, 2018 11:00 am Post subject:

I have some interesting results for my Gentoo Xen HVM

I updated my system to 4.14.11-gentoo-r2 and the PoC code produces this

yamabiko · n00b Joined: 22 Jul 2017 Posts: 10

Atom2 · Apprentice Joined: 01 Aug 2011 Posts: 185

JuNix,