Discussion:
Talking about Spectre and Meltdown?
gareth evans
2020-09-01 11:46:50 UTC
But how do these parasites actually gain access
to the memory cache, etc, when they themselves will be
subject to protections?

Yours, etc,

Confused of Tunbridge Wells.
Scott Lurndal
2020-09-01 14:32:56 UTC
Post by gareth evans
But how do these parasites actually gain access
to the memory cache, etc, when they themselves will be
subject to protections?
By measuring how much time a 'load' instruction takes, one can
determine whether or not the data was loaded from a cache (low
latency) or from DRAM (high latency).

When a processor speculatively executes a load instruction, it
can evict a cache line; malicious software can arrange for the
speculative load, in some cases, to be executed by the kernel
(e.g. by passing a pointer to a kernel system call); while the
load was never successful, it did evict a line from the cache.

With knowledge of how the cache is structured and the eviction
algorithm(s), code can use the change in timing of a subsequent
load to determine the value of an arbitrary location in memory
(one bit at a time, generally).
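The covert-channel half of what Scott describes, as an added example (this is not code from the thread, nor Scott's): a Flush+Reload probe in C for x86-64. It assumes GCC or Clang, a CPU with clflush and rdtscp, and a stand-in victim that simply touches one of 256 page-spaced slots. The speculative execution that would let a real Spectre or Meltdown attack make the kernel perform that touch is deliberately left out, so the program only shows that the cache/DRAM timing gap is large enough to read a byte value back out of the cache state. The secret value 0x2a and the slot layout are constructed for the demo.

```c
/* Added example, not code from the thread. A Flush+Reload cache-timing
 * channel on x86-64: the victim touches one of 256 page-spaced probe
 * slots, the attacker flushes, reloads and times every slot, and the
 * fastest reload reveals which slot (hence which byte value) was touched.
 * The speculative/transient execution of a real Spectre or Meltdown
 * attack is omitted: victim_touch() runs normally. Assumes GCC or Clang
 * and an x86 CPU with clflush and rdtscp; on other architectures it
 * compiles but every timing is zero and the decode is meaningless. */
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
#define HAVE_X86_CACHE_OPS 1
#else
#define HAVE_X86_CACHE_OPS 0
#endif

#define SLOTS  256   /* one probe slot per possible byte value */
#define STRIDE 4096  /* a page per slot, so the adjacent-line prefetcher cannot help */
#define ROUNDS 64    /* repeat and sum timings to average out noise */

static uint8_t probe[SLOTS * STRIDE] __attribute__((aligned(4096)));

/* Evict slot i from every cache level. */
static void flush_slot(int i) {
#if HAVE_X86_CACHE_OPS
    _mm_clflush(&probe[i * STRIDE]);
#else
    (void)i;  /* no user-mode data-cache flush on this architecture */
#endif
}

/* Make sure the flushes have completed before any reload is timed. */
static void memory_fence(void) {
#if HAVE_X86_CACHE_OPS
    _mm_mfence();
#endif
}

/* Time one load of slot i in TSC ticks; rdtscp keeps the load between the two reads. */
static uint64_t time_slot(int i) {
#if HAVE_X86_CACHE_OPS
    unsigned aux;
    volatile uint8_t *p = &probe[i * STRIDE];
    uint64_t t0 = __rdtscp(&aux);
    (void)*p;
    uint64_t t1 = __rdtscp(&aux);
    return t1 - t0;
#else
    (void)i;
    return 0;
#endif
}

/* Stand-in victim: the only thing it leaks is which slot it touched. */
static void victim_touch(uint8_t secret) {
    volatile uint8_t *p = &probe[secret * STRIDE];
    (void)*p;
}

/* Decode step: the slot that reloads fastest came from cache, i.e. the
 * victim touched it. Ties keep the lowest index. */
int fastest_slot(const uint64_t *ticks, int n) {
    int best = 0;
    for (int i = 1; i < n; i++)
        if (ticks[i] < ticks[best]) best = i;
    return best;
}

/* One Flush+Reload round. Slots are probed in a scrambled order (167 is odd,
 * so k*167 mod 256 visits every slot exactly once) to defeat stride prefetching. */
static void measure_round(uint8_t secret, uint64_t *ticks) {
    for (int i = 0; i < SLOTS; i++) flush_slot(i);
    memory_fence();
    victim_touch(secret);
    for (int k = 0; k < SLOTS; k++) {
        int i = (k * 167 + 13) & 0xff;
        ticks[i] = time_slot(i);
    }
}

/* Recover the byte the victim used, summing timings over several rounds. */
uint8_t recover_byte(uint8_t secret) {
    uint64_t total[SLOTS] = {0};
    uint64_t ticks[SLOTS];
    for (int r = 0; r < ROUNDS; r++) {
        measure_round(secret, ticks);
        for (int i = 0; i < SLOTS; i++) total[i] += ticks[i];
    }
    return (uint8_t)fastest_slot(total, SLOTS);
}

int main(void) {
    /* Show the raw hit/miss gap first: a flushed load vs. the reload right after it. */
    flush_slot(0);
    memory_fence();
    uint64_t miss = time_slot(0);
    uint64_t hit  = time_slot(0);
    printf("flushed load: %llu ticks, cached reload: %llu ticks\n",
           (unsigned long long)miss, (unsigned long long)hit);

    uint8_t secret = 0x2a;  /* constructed secret for the demo */
    uint8_t guess  = recover_byte(secret);
    printf("victim touched slot 0x%02x, attacker recovered 0x%02x\n", secret, guess);
    return guess == secret ? 0 : 1;
}
```

Build with cc -O1 and run it on the bare CPU: the flushed load should take several times as many ticks as the cached reload, and the recovered byte should come back as 0x2a. Under a hypervisor that traps rdtscp, or on a non-x86 machine, the timings carry no information and the decode simply falls back to slot 0.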
Johnatan Duck
2020-09-02 11:32:56 UTC
Post by Scott Lurndal
Post by gareth evans
But how do these parasites actually gain access
to the memory cache, etc, when they themselves will be
subject to protections?
By measuring how much time a 'load' instruction takes, one can
determine whether or not the data was loaded from a cache (low
latency) or from DRAM (high latency).
When a processor speculatively executes a load instruction, it
can evict a cache line; malicious software can arrange for the
speculative load, in some cases, to be executed by the kernel
(e.g. by passing a pointer to a kernel system call); while the
load was never successful, it did evict a line from the cache.
With knowledge of how the cache is structured and the eviction
algorithm(s), code can use the change in timing of a subsequent
load to determine the value of an arbitrary location in memory
(one bit at a time, generally).
And I always wondered: is it *actually* feasible to
figure out something useful (one bit at a time, with
all this uncertainty), provided that a malicious actor
has access to the machine?
