tech-kern archive


Re: Restricting rdtsc [was: kernel aslr]



Taylor R Campbell wrote:
> > Date: Tue, 28 Mar 2017 16:58:58 +0200
> > From: Maxime Villard <max%m00nbsd.net@localhost>
> > 
> > Having read several papers on the exploitation of cache latency to defeat
> > aslr (kernel or not), it appears that disabling the rdtsc instruction is a
> > good mitigation on x86. However, some applications can legitimately use it,
> > so I would rather suggest restricting it to root instead.
> 
> Put barriers in the way of legitimate applications to thwart
> hypothetical attackers who will... step around them and use another
> time source, of which there are many options in the system?  This
> sounds more like cutting off the nose to spite the face than a good
> mitigation against real attacks.

Old thread, but the authors of the Spectre paper did exactly what Taylor said:

https://spectreattack.com/spectre.pdf

"JavaScript does not provide access to the rdtscp instruction, and
Chrome intentionally degrades the accuracy of its high-resolution
timer to dissuade timing attacks using performance.now() [1]. However,
the Web Workers feature of HTML5 makes it simple to create a separate
thread that repeatedly decrements a value in a shared memory location
[18, 32]. This approach yielded a high-resolution timer that provided
sufficient resolution."

-- 
Alex

