tech-kern archive


Re: meltdown

> On Jan 5, 2018, at 8:55 PM, Thor Lancelot Simon <tls%panix.com@localhost> wrote:
> 
> On Thu, Jan 04, 2018 at 04:58:30PM -0500, Mouse wrote:
>>> As I understand it, on intel cpus and possibly more, we'll need to
>>> unmap the kernel on userret, or else userland can read arbitrary
>>> kernel memory.
>> 
>> "Possibly more"?  Anything that does speculative execution needs a good
>> hard look, and that's damn near everything these days.
> 
> I wonder about just "these days".  The potential for this kind of problem
> goes all the way back to STRETCH or the 6600, doesn't it?  If they had
> memory permissions, which I frankly don't know.  And even in microprocessors
> it's got to go back to... the end of the 1980s (R6000?) certainly the 1990s.

No, the issue here isn't permissions, the issue is speculative execution
that leaves observable side effects (such as the existence of cache entries)
after the speculative path is abandoned.  And in the case of Meltdown (though
not Spectre) it also requires having the speculative load issue omit the
access permission check.

CDC 6600 has memory relocation, but not permissions, and in any case it
does not have speculative execution of any type.  It does have multiple
issue, of course, but that alone is not sufficient to create the
vulnerability.

> Though of course "fail early" is an obvious principle to security types,
> given the cost of aborting work in progress I can easily see the
> opposite being true for CPU designers (I'm not one, so I don't really
> know).  Which idiom (check permissions, then speculate / speculate, then
> check permissions) is more common?

Clearly it depends on the design, either on what's straightforward or
efficient to do, or on what is considered essential by the particular
designers involved.

Presumably (one hopes) the result of the current work is that design
techniques will change.  And especially, that a better and wider understanding
of side channel attacks will appear.

Side channel attacks can be quite strange and esoteric.  They are worth
reading about.  My favorite is one I read a year or so ago, a paper
describing capturing the sound made by the electronics inside a cell phone
as it was performing an RSA crypto operation.  This allowed the attacker
to reconstruct the RSA secret key without having to install any special
software in the phone, and without having to tamper with the phone physically
in any way.

	paul
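The two points made above (the leak comes from speculative side effects in the cache rather than from a missing permission model, and the "check permissions, then speculate" versus "speculate, then check permissions" idioms behave very differently) can be shown with a small simulation. This is an added example, not code from the thread or from NetBSD: it models a cache as a set of line indices and a "probe" as a stand-in for a timing measurement, with an assumed address layout (`PROBE_BASE`, `KERNEL_BASE`, `LINE`) and a `Machine` class that are inventions for illustration. It also models the mitigation mentioned at the top of the thread, unmapping the kernel from the user address space, as a `kernel_mapped` flag.

```python
"""Toy model of a speculative load that skips the permission check and leaks
through cache state, and of the two mitigations discussed in the thread.

Simulation only: 'cached' is a set of cache-line indices and probe() stands in
for a timing measurement. Layout constants and class names are assumptions.
"""
from dataclasses import dataclass, field

LINE = 64             # bytes per cache line (assumed)
PROBE_BASE = 0x10000  # user-accessible probe array, 256 lines (assumed layout)
KERNEL_BASE = 0x80000 # start of the protected kernel region (assumed layout)


@dataclass
class Machine:
    memory: dict = field(default_factory=dict)  # addr -> byte value
    cached: set = field(default_factory=set)    # cache lines currently present
    kernel_mapped: bool = True                  # False models unmapping the kernel on userret
    check_before_load: bool = False             # True models "check permissions, then speculate"

    def is_kernel(self, addr):
        return addr >= KERNEL_BASE

    def _access(self, addr):
        """Micro-architectural access: fills a cache line as a side effect."""
        if self.is_kernel(addr) and not self.kernel_mapped:
            raise LookupError("no translation")  # nothing to load, nothing to cache
        self.cached.add(addr // LINE)
        return self.memory.get(addr, 0)

    def load(self, addr, user_mode=True):
        """Architectural load: a user-mode read of kernel memory faults."""
        if user_mode and self.is_kernel(addr):
            raise PermissionError(hex(addr))
        return self._access(addr)

    def speculative_window(self, kaddr):
        """User code speculatively dereferences kaddr, then touches
        PROBE_BASE + value*LINE. The architectural result is always a fault
        and is discarded; the cache footprint is not."""
        try:
            if self.check_before_load and self.is_kernel(kaddr):
                raise PermissionError(hex(kaddr))  # load never issues
            value = self._access(kaddr)                 # speculative load, check skipped
            self._access(PROBE_BASE + value * LINE)     # dependent load: the side effect
        except (PermissionError, LookupError):
            pass                                        # squashed, nothing returned
        return None

    def flush_probe(self):
        for v in range(256):
            self.cached.discard((PROBE_BASE + v * LINE) // LINE)

    def probe(self):
        """Stand-in for a Flush+Reload timing pass: which probe lines are cached?"""
        return [v for v in range(256) if (PROBE_BASE + v * LINE) // LINE in self.cached]


def leaked_byte(kernel_mapped=True, check_before_load=False, secret=0x42):
    """Return the byte an unprivileged observer recovers from cache state,
    or None when the design leaves no footprint."""
    m = Machine(kernel_mapped=kernel_mapped, check_before_load=check_before_load)
    m.memory[KERNEL_BASE] = secret  # constructed secret value in kernel memory
    try:
        m.load(KERNEL_BASE)         # the architectural read faults in every design
    except PermissionError:
        pass
    m.flush_probe()
    m.speculative_window(KERNEL_BASE)
    hits = m.probe()
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    print("speculate, then check:         ", leaked_byte())
    print("check permissions, then speculate:", leaked_byte(check_before_load=True))
    print("kernel unmapped in user mode:     ", leaked_byte(kernel_mapped=False))
```

Only the first configuration leaks: the permission check fires in all three, but in the first the dependent load has already filled a cache line by the time the fault retires. Gating the load on the check, or removing the translation so the speculative load has nothing to fetch, leaves the probe array cold.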
