26

Re: Meltdown and Spectre

Hello, Cyberax, you wrote:
C> It is possible to arrange reads that leak one bit of the contents. And with shifting, one bit is already enough to get all the rest. As a result, memory is read at a speed of 500 kilobytes per second.
Thanks. Wow, it's possible. And how do you do the same from JS?
C> This code, naturally, crashes with SIGSEGV. But the problem is that the CPU has time to execute one of the reads speculatively. And then, by testing the cache, it is possible to find out which read worked.
And how do you test the cache? By timing?

27

Re: Meltdown and Spectre

Hello, Grizzli, you wrote:
AD>> Depending on the OS and the method, from 122 to ~500 KB/s.
G> It seemed to me that the contents change at least a thousand times a second?
It is unimportant, as long as there is a statistically reliable check of whether a given line got freshly loaded (and, considering the total LRU in processors, once it has been loaded recently it will not be evicted from the cache soon). What happens to the rest of the contents in the meantime - . And as long as the cache effectively does its job, the algorithm here is not so important (even random replacement, as in early AMD, will do).

28

Re: Meltdown and Spectre

Hello, netch80, you wrote:
N> It is unimportant, as long as there is a statistically reliable check of whether a given line got freshly loaded (and, considering the total LRU in processors, once it has been loaded recently it will not be evicted from the cache soon). What happens to the rest of the contents in the meantime - .
So what do you do with this snapshot of the contents? What significance can it have at all? What is the probability that, out of a thousand variants of the contents per second, a snapshot contains at least some essential information?

29

Re: Meltdown and Spectre

Hello, Pzz, you wrote:
C>> It is possible to arrange reads that leak one bit of the contents. And with shifting, one bit is already enough to get all the rest. As a result, memory is read at a speed of 500 kilobytes per second.
Pzz> Thanks.
Pzz> Wow, it's possible. And how do you do the same from JS?
I did not quite understand that myself, to be honest.
C>> This code, naturally, crashes with SIGSEGV. But the problem is that the CPU has time to execute one of the reads speculatively. And then, by testing the cache, it is possible to find out which read worked.
Pzz> And how do you test the cache? By timing?
Yes, the simplest is to count the number of clock cycles. But it is not limited to that. Even the cache is not necessary: one of the methods is to use instructions with a variable number of clock cycles (division, for example) and look at how many cycles they take depending on the data.

30

Re: Meltdown and Spectre

Hello, Grizzli, you wrote:
G> So what do you do with this snapshot of the contents? What significance can it have at all? What is the probability that, out of a thousand variants of the contents per second, a snapshot contains at least some essential information?
The cache contents: for a successful attack one only needs to find out whether the needed line is present in the cache. Its contents are unimportant.

31

Re: Meltdown and Spectre

Hello, Cyberax, you wrote:
Cs> The details of Meltdown and Spectre became known. In short: everything is bad. There is already an article: https://habrahabr.ru/post/346078/
Actually, the essence of the attack is very simple and quite beautiful:
1. We flush the processor cache.
2. We read a variable of interest to us from the kernel's address space; this causes an exception, but it will not be handled immediately.
3. Speculatively, we read from an array allocated in our user address space, based on the value of the variable from point 2.
4. We read the array sequentially and accurately measure the access time. All elements except one will be read slowly, and that one is the element which corresponds to the value at the address inaccessible to us.
Thus, the object of the attack is the processor microarchitecture, and the attack cannot be fixed in software.
I.e. reading sequentially byte by byte from the table (as I understand, of size 256) and measuring the access time for each byte, we catch the value of that byte outside of user space. And so? Though there are certainly subtleties, for example the exception can arrive earlier than the table is read to the end. Or each time one also has to flush , because the table can be , well, etc.

32

Re: Meltdown and Spectre

Hello, Cyberax, you wrote:
Cs> The details of Meltdown and Spectre became known. In short: everything is bad.
I am not surprised anymore. Modern IT is shit on top of shit, with shit driving it. If you want safety, you need an offline computer + constant .

33

Re: Meltdown and Spectre

Hello, Pzz, you wrote:
Pzz> Wow, it's possible. And how do you do the same from JS?
Here is a little on this subject: https://spectreattack.com/spectre.pdf

34

Re: Meltdown and Spectre

PD> https://support.microsoft.com/en-us/hel … -kb4056892
The patch appeared in Windows Update for Windows 10.

35

Re: Meltdown and Spectre

Hello, Vain, you wrote:
V> I.e. reading sequentially byte by byte from the table (as I understand, of size 256) and measuring the access time for each byte, we catch the value of that byte outside of user space.
V> And so?
Not beautiful. There is virtual memory, and each process has its own. What prevents simply not having the protected data in  address space at all?

36

Re: Meltdown and Spectre

Hello, Cyberax, you wrote:
The site: https://spectreattack.com/

37

Re: Meltdown and Spectre

Hello, kov_serg, you wrote:
V>> And so?
_> Not beautiful. There is virtual memory, and each process has its own. What prevents simply not having the protected data in  address space at all?
That is where Intel screwed up in two places at once:
1. Operation with virtual memory is enabled/disabled for the whole system entirely, rather than for a separate mode or process, and the space is common to all privilege levels. This decision is still from the i386. Later it was eliminated, but for the sake of virtualization and SMM. The main mode remained the same. For comparison:
* SPARC: the kernel part can basically work only with dynamic address translation (DAT) disabled. In particular, this is mandatory for the page-fault handler, because the processor does not maintain any virtual memory tables itself, leaving that to  decision.
* z/Arch: DAT is enabled/disabled by one bit in the PSW. The kernel can use purely physical addressing, and does. (Here the picture is blurred by virtualization, which is very effective there but  complicated. We skip it.)
That is, it was possible to do it correctly. They did not want to.
2. Access rights to a page are checked only at the "execution" of a command's action, but not at prefetch with pre-execution (whose results are not yet committed). And that is already an outright  which has been carried out for more than 20 years.

38

Re: Meltdown and Spectre

Hello, Cyberax, you wrote:
Cs> The details of Meltdown and Spectre became known. In short: everything is bad.
C> Meltdown is specific to Intel and allows reading all physical memory from a userspace process, including the kernel and . Protection only through KAISER for Linux (https://lwn.net/Articles/741878/) or a similar change for NT. AMD is not subject to this specific vulnerability.
C> Spectre is the more general vulnerability, and there is no protection from it so far.
Judging by the description, it is a hole at the processor level. But then it cannot be fixed by a patch for the OS, can it? But then why does, for example, MS report that they released a patch?...

39

Re: Meltdown and Spectre

Hello, Cyberax, you wrote:
C> Yes, the simplest is to count the number of clock cycles. But it is not limited to that. Even the cache is not necessary: one of the methods is to use instructions with a variable number of clock cycles (division, for example) and look at how many cycles they take depending on the data.
And do programs often turn up at all which, on quite lawful grounds, need to  kernel addresses and get off with a light SIGSEGV instead of the deserved death?

40

Re: Meltdown and Spectre

Hello, Pzz, you wrote:
C>> Yes, the simplest is to count the number of clock cycles. But it is not limited to that. Even the cache is not necessary: one of the methods is to use instructions with a variable number of clock cycles (division, for example) and look at how many cycles they take depending on the data.
Pzz> And do programs often turn up at all which, on quite lawful grounds, need to  kernel addresses and get off with a light SIGSEGV instead of the deserved death?
This question should have been asked when Structured Exception Handling and its analogs were introduced.

41

Re: Meltdown and Spectre

Hello, Pzz, you wrote:
Pzz> And do programs often turn up at all which, on quite lawful grounds, need to  kernel addresses and get off with a light SIGSEGV instead of the deserved death?
Cyberax explained it incorrectly. There will be no SEGV at all.

    char *data = (char *)0xFFFFa123123;   // in the kernel
    char myData[1024];                    // in user space
    dumpCaches();                         // poster's placeholder: evict myData from the cache
    if (someConditionThatWillBeFalse) {   // the branch predictor climbs in here and changes only the cache!
        int oneOrZeroInKernel = (*data) & 0x01;
        (void)myData[oneOrZeroInKernel * 512];   // the speculative load that leaves the cache footprint
    }
    checkWhatIsCachedInMyDataViaTiming(); // poster's placeholder: if myData[512] is cached then the kernel had 1, else 0

42

Re: Meltdown and Spectre

Hello, novitk, you wrote:
Pzz>> And do programs often turn up at all which, on quite lawful grounds, need to  kernel addresses and get off with a light SIGSEGV instead of the deserved death?
N> Cyberax explained it incorrectly. There will be no SEGV at all.
He explained it correctly, but his case is Meltdown, and yours is Spectre. The latter is harder, since there you need to train the branch prediction in a certain way so that it goes ahead and executes it. Whereas with direct reading you have practically a guarantee.

43

Re: Meltdown and Spectre

Hello, Pavel Dvorkin, you wrote:
PD> If you try it, report back.
Microsoft Windows [Version 10.0.16299.192]:
...
0x100f: guess: 0xc6, real:0xcc
0x1010: guess: 0xc6, real:0x48
0x1011: guess: 0xc6, real:0x89
0x1012: guess: 0xc6, real:0x5c
0x1013: guess: 0xc2, real:0x24
0x1014: guess: 0xc6, real:0x08
...

44

Re: Meltdown and Spectre

Hello, andrey.desman, you wrote:
N>> Cyberax explained it incorrectly. There will be no SEGV at all.
AD> He explained it correctly, but his case is Meltdown, and yours is Spectre. The latter is harder, since there you need to train the branch prediction in a certain way so that it goes ahead and executes it.
AD> Whereas with direct reading you have practically a guarantee.
I simply looked at it the wrong way round and thought Pzz's question was about JS, where Spectre is used. However, I do not entirely understand what the SEGV is needed for. The basic essence of Meltdown, as it seems to me, is that Intel gives access to ring 0 from ring 3 in speculative computations, and whether you catch a SEGV there or simply confuse the branch predictor with an if is not especially important. The difference from Spectre is that in the latter, transitions between rings are not let through.

45

Re: Meltdown and Spectre

Hello, MadHuman, you wrote:
MH> But then why does, for example, MS report that they released a patch?...
And it is not clear what they  there. There are some patches; which specifically of the enumerated ones they fix is personally not clear to me. Meltdown, in my opinion, MS has not fixed yet, so for Spectre some variants were closed. Or maybe the other way round.

46

Re: Meltdown and Spectre

Hello, kov_serg, you wrote:
V>> And so?
_> Not beautiful. There is virtual memory, and each process has its own. What prevents simply not having the protected data in  address space at all?
Performance. Switching the mapping tables on the userspace->kernel transition and back causes a TLB flush and a noticeable slowdown.

47

Re: Meltdown and Spectre

Hello, MadHuman, you wrote:
MH> But then it cannot be fixed by a patch for the OS, can it?
MH> But then why does, for example, MS report that they released a patch?...
From Meltdown one can be completely protected by means of a patch. For Spectre it is possible to cover only certain ways of exploiting it.

48

Re: Meltdown and Spectre

Hello, Pzz, you wrote:
C>> Yes, the simplest is to count the number of clock cycles. But it is not limited to that. Even the cache is not necessary: one of the methods is to use instructions with a variable number of clock cycles (division, for example) and look at how many cycles they take depending on the data.
Pzz> And do programs often turn up at all which, on quite lawful grounds, need to  kernel addresses and get off with a light SIGSEGV instead of the deserved death?
Well, dereferencing (void *)(unsigned long)(-1) is a frequent enough phenomenon, and on POSIX it should give SIGSEGV or SIGBUS. Both can be caught. By the way, even if the program dies instead of catching the signal, nobody stops you from doing fork() right before the read.

49

Re: Meltdown and Spectre

Hello, Cyberax, you wrote:
C> From Meltdown one can be completely protected by means of a patch. For Spectre it is possible to cover only certain ways of exploiting it.
And what could the principle of this patch (against Spectre) be? After all, the  code works. There are not even system calls, except  for which one can invent a mass of variants. Have you seen any information on how that is possible?
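As an added example (not code from the thread or from any of its participants) of what "covering certain ways" of Spectre looks like in practice: the bounds-check-bypass pattern from novitk's sketch above, beside the hardened form that the Linux kernel's Spectre variant 1 fix relies on, index masking in the style of its generic array_index_mask_nospec(). The buffer contents, the probe table, the LINE size and the function names are constructed here for illustration and are not from the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PUBLIC_LEN 16
#define LINE 64   /* assumed cache-line size: one line per possible byte value */

/* constructed "public" buffer; in a real victim, bytes the caller must never
 * observe would sit right after it in memory */
static const uint8_t public_data[PUBLIC_LEN] = {
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
    0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
};

/* probe table: the dependent load whose cache footprint the sketch tests */
static uint8_t probe_table[256 * LINE];

/* make probe_table[v * LINE] == v so each victim returns the byte it indexed with */
void init_probe_table(void) {
    for (int v = 0; v < 256; v++)
        probe_table[v * LINE] = (uint8_t)v;
}

/* Vulnerable form: architecturally correct, but a predictor trained on in-range
 * idx values may run the body for an out-of-range idx before the comparison
 * resolves, and the load from probe_table then depends on an out-of-bounds byte. */
uint8_t victim_vulnerable(const uint8_t *buf, size_t len, size_t idx) {
    if (idx < len)
        return probe_table[buf[idx] * LINE];
    return 0;
}

/* Branchless clamp in the style of the kernel's generic array_index_mask_nospec():
 * the mask is all ones when idx < size and zero otherwise, computed with
 * arithmetic only, so it still holds when the branch above was mispredicted.
 * (Relies on arithmetic right shift of a negative intptr_t, as gcc/clang do.) */
size_t index_nospec(size_t idx, size_t size) {
    /* (idx | (size - idx - 1)) has its top bit set exactly when idx >= size */
    intptr_t signed_or = (intptr_t)(idx | (size - idx - 1));
    size_t mask = (size_t)(~signed_or >> (sizeof(intptr_t) * 8 - 1));
    return idx & mask;
}

/* Hardened form: same architectural behaviour, but an out-of-range idx is
 * forced to 0 even on the speculative path, so the dependent load cannot
 * touch anything past the buffer. */
uint8_t victim_hardened(const uint8_t *buf, size_t len, size_t idx) {
    if (idx < len) {
        idx = index_nospec(idx, len);
        return probe_table[buf[idx] * LINE];
    }
    return 0;
}

int main(void) {
    init_probe_table();
    printf("in range (5): vulnerable=%#x hardened=%#x\n",
           victim_vulnerable(public_data, PUBLIC_LEN, 5),
           victim_hardened(public_data, PUBLIC_LEN, 5));
    /* the architectural result for an out-of-range index is 0 in both forms;
     * the difference is only in what the speculative path is allowed to load */
    printf("masked index for 16 of 16: %zu, for SIZE_MAX: %zu\n",
           index_nospec(16, PUBLIC_LEN), index_nospec(SIZE_MAX, PUBLIC_LEN));
    return 0;
}
```

Masking covers only the bounds-check-bypass variant, which is what "only certain ways" amounts to: on x86 the kernel pairs it with an lfence speculation barrier (barrier_nospec()), and the indirect-branch variant is handled by retpolines and microcode rather than by anything expressible in C.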

50

Re: Meltdown and Spectre

Hello, Cyberax, you wrote:
...
Promotion of the new processor to the market? https://ru.wikipedia.org/wiki/-16