tech-kern archive


Re: Spectre



On Wed, Jan 17, 2018 at 09:38:27PM -0500, Mouse wrote:
> But, on the other hand, I can easily imagine a CPU designer looking at
> it and saying "What's the big deal if this code can read that location?
> It can get it anytime it wants with a simple load instruction anyway.",
> something I have trouble disagreeing with.

Consider something like BPF -- code executed in the kernel with an
enforced security model to prevent "undesirable" accesses. It will create
logic like:

    void *p = ...;
    if (!is_accessible(p))
      raise_error();
    load(p);

Now imagine that the expression for p is intentionally pointing into
userland and depends on the speculative execution of something else.
Loading the pointer speculatively results in a visible side effect that
defeats in part the access check. In short, it can effectively invert
access control checks for verified code.

Joerg
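Added example, not code from this thread or from any BPF implementation: the check-then-load shape from the mail above, written as a bounded table lookup, next to a hardened version that clamps the index with a branchless mask in the style of Linux's array_index_mask_nospec() (a hypothetical reimplementation here, not the kernel's code). The table and the function names are constructed for illustration. The mask is computed with arithmetic only, so even when the predictor runs past the bounds branch the speculative load is issued with index 0 rather than wherever the caller pointed it; it assumes the index and size both fit below LONG_MAX and that right-shifting a negative long is an arithmetic shift, as gcc and clang guarantee.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample table standing in for the data a BPF-style check guards. */
#define TABLE_LEN 8UL
static const uint8_t table[TABLE_LEN] = {10, 20, 30, 40, 50, 60, 70, 80};

/*
 * Unhardened form, the shape of the snippet in the mail: architecturally the
 * load never runs for a bad index, but a mispredicted branch lets the CPU
 * issue it speculatively with idx wherever the caller pointed it.
 */
int lookup_unhardened(unsigned long idx, uint8_t *out)
{
    if (idx >= TABLE_LEN)
        return -1;              /* architectural path: rejected */
    *out = table[idx];          /* speculative path: may run with a bad idx */
    return 0;
}

/*
 * Branchless bound mask in the style of Linux's array_index_mask_nospec()
 * (hypothetical reimplementation). Returns all-ones when idx < size and
 * zero otherwise, using only arithmetic, so there is no branch for the
 * predictor to get wrong. Assumes idx and size fit below LONG_MAX and that
 * >> on a negative long is an arithmetic shift (true for gcc and clang).
 */
static inline unsigned long index_mask_nospec(unsigned long idx, unsigned long size)
{
    /* (size - 1 - idx) wraps to a value with the top bit set exactly when
       idx >= size; ~ and the arithmetic shift turn that bit into the mask. */
    return ~(long)(idx | (size - 1UL - idx)) >> (sizeof(long) * 8 - 1);
}

/* The index the speculative load would actually use after masking. */
unsigned long masked_index(unsigned long idx, unsigned long size)
{
    return idx & index_mask_nospec(idx, size);
}

int lookup_hardened(unsigned long idx, uint8_t *out)
{
    if (idx >= TABLE_LEN)
        return -1;              /* architectural path: rejected */
    /* Even if the branch above is mispredicted, a bad idx is clamped to 0,
       so the speculative load touches a harmless, in-bounds entry. */
    *out = table[masked_index(idx, TABLE_LEN)];
    return 0;
}

int main(void)
{
    uint8_t v = 0;
    printf("lookup_hardened(2) -> %d, value %u\n", lookup_hardened(2, &v), (unsigned)v);
    printf("lookup_hardened(8) -> %d\n", lookup_hardened(8, &v));
    printf("masked_index(100, 8) -> %lu\n", masked_index(100, TABLE_LEN));
    return 0;
}
```

The mask does not change what the function returns on the architectural path; its only job is to bound what the speculative path can touch, which is the part the access check in the mail cannot control on its own.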

