1

Topic: Meltdown and Spectre

Details of Meltdown and Spectre have become known. In short: everything is bad. Meltdown is specific to Intel and allows a userspace process to read all physical memory, including the kernel and . The only protection is KAISER for Linux (https://lwn.net/Articles/741878/) or a similar change for NT. AMD is not subject to this particular vulnerability. Spectre is the more general vulnerability, and for now there is no protection from it.

2

Re: Meltdown and Spectre

Hello, Cyberax, you wrote:
Cs> Details of Meltdown and Spectre have become known. In short: everything is bad.

My (modest) judgement: bad, but nevertheless not fatal.

Cs> Spectre is the more general vulnerability, and for now there is no protection from it.

For now, a successful attack requires injecting code into the target process/kernel. Also, there are no critical tasks/scenarios where this could not be avoided. And AMD states the opposite:

"Variant One, Bounds Check Bypass: Resolved by software / OS updates to be made available by system vendors and manufacturers. Negligible performance impact expected."
http://www.amd.com/en/corporate/speculative-execution

3

Re: Meltdown and Spectre

4

Re: Meltdown and Spectre

5

Re: Meltdown and Spectre

Hello, vsb, you wrote:
vsb> The vulnerability is, of course, bad, but it is not clear why all computers should be slowed down because of it. On my computer the only "foreign" code is in the browser,

According to this, the vulnerability can be exploited from JavaScript:
https://spectreattack.com/spectre.pdf

vsb> I trust the remaining code.  use the methods for  this vulnerability, that is, this attack does not pass through , when browsers .

And plug-ins too?

6

Re: Meltdown and Spectre

7

Re: Meltdown and Spectre

8

Re: Meltdown and Spectre

Hello, Pavel Dvorkin, you wrote:
vsb>> The vulnerability is, of course, bad, but it is not clear why all computers should be slowed down because of it. On my computer the only "foreign" code is in the browser,
PD> According to this, the vulnerability can be exploited from JavaScript:
PD> https://spectreattack.com/spectre.pdf

Spectre generally cannot be dealt with in any way, as far as I understand; we will have to live with it for the next 10 years or so. So there is not much to consider here. But on the whole it relies on precise timers, and browsers will restrict the ability to obtain precise timing information in upcoming versions.

vsb>> I trust the remaining code.  use the methods for  this vulnerability, that is, this attack does not pass through , when browsers .
PD> And plug-ins too?

About plug-ins I do not know; I do not use them and for a long time have not been interested in how everything is arranged there. If everything is similar to the code on a page, probably yes.

9

Re: Meltdown and Spectre

Hello, Pavel Dvorkin, you wrote:
PD> Hello, Cyberax, you wrote:
Cs>> Meltdown is specific to Intel and allows a userspace process to read all physical memory, including the kernel and . The only protection is KAISER for Linux (https://lwn.net/Articles/741878/) or a similar change for NT. AMD is not subject to this particular vulnerability.
PD> With Windows something is not entirely clear.

Basically, some code for Windows is already available so you can check it yourself:
https://github.com/turbo/KPTI-PoC-Collection

10

Re: Meltdown and Spectre

Hello, Cyberax, you wrote:
Cs> Details of Meltdown and Spectre have become known. In short: everything is bad.

Myshchh is no longer with us; if he were alive, he could have told us what the Russian hacker known as Chris Kasperski found in 2008 (https://lenta.ru/news/2008/07/15/kris/): he discovered a vulnerability in Intel processors that allows a system to be compromised remotely by means of a JavaScript script or a TCP/IP packet, regardless of the operating system. PC World writes about it, referring to the short description of the presentation prepared by Kasperski.

11

Re: Meltdown and Spectre

Hello, vsb, you wrote:
vsb> I try to approach the choice of software responsibly.

Does "the responsible choice of software" somehow relieve it of the appearance of  in it from time to time?

W>> it you not .

"Chasing the new processor" is necessary for those who have it loaded at 100%, that is, sellers .

vsb> I personally buy the processor for peak performance, not for average load. I think the majority does likewise.

Here you are perhaps right, partly.

12

Re: Meltdown and Spectre

Hello, Michael7, you wrote:
M> Basically, some code for Windows is already available so you can check it yourself:
M> https://github.com/turbo/KPTI-PoC-Collection

Built and ran it. Neither on an Intel i5-2300 nor on an AMD Phenom II X4 955 do the guess and the real value coincide at 20-30 iterations. I did not wait for the while (TRUE) loop to terminate, since by then a coincidence could simply be due to probability theory. For those interested, I have uploaded the EXE. Installing the  libraries from VS2017 is required.
http://files.rsdn.org/187/KPTI.exe
If you try it, report back.

13

Re: Meltdown and Spectre

Hello, Cyberax, you wrote:
Cs> Meltdown is specific to Intel and allows a userspace process to read all physical memory, including the kernel and . The only protection is KAISER for Linux (https://lwn.net/Articles/741878/) or a similar change for NT. AMD is not subject to this particular vulnerability.

And explain, please, to stupid me: how does the ability to sniff out the kernel page layout from user space turn into the ability to read the contents of kernel memory?

14

Re: Meltdown and Spectre

Hello, Pzz, you wrote:
Pzz> And explain, please, to stupid me: how does the ability to sniff out the kernel page layout from user space turn into the ability to read the contents of kernel memory?

As a result of speculative execution, the kernel memory area is loaded into the cache. From there it can be obtained with the help of a technique similar to Spectre.

15

Re: Meltdown and Spectre

Hello, wildwind, you wrote:
Pzz>> And explain, please, to stupid me: how does the ability to sniff out the kernel page layout from user space turn into the ability to read the contents of kernel memory?
W> As a result of speculative execution, the kernel memory area is loaded into the cache. From there it can be obtained with the help of a technique similar to Spectre.

The first part is clear. And could you explain the highlighted part in a bit more detail?

16

Re: Meltdown and Spectre

Hello, Pzz, you wrote:
W>> As a result of speculative execution, the kernel memory area is loaded into the cache. From there it can be obtained with the help of a technique similar to Spectre.
Pzz> The first part is clear. And could you explain the highlighted part in a bit more detail?

Read here, "Theoretical explanation". If very briefly:
1) when reading from a certain address, by measuring the access time it is possible to determine whether the data came from the cache or from memory;
2) during speculative execution, the address of interest is read into a register and then immediately a read is performed from  area at an offset depending on the value of the register;
3) using item 1), it is determined which area , and we compute what was in the register.

17

Re: Meltdown and Spectre

Hello, wildwind, you wrote:
W> Read here, "Theoretical explanation".

Well, I am asking you because you have already read and understood it.

W> If very briefly:
W> 1) when reading from a certain address, by measuring the access time it is possible to determine whether the data came from the cache or from memory;
W> 2) during speculative execution, we read the address of interest into a register and then immediately read from  area at an offset depending on the value of the register;
W> 3) using item 1), we determine which area , and we compute what was in the register.

Approximately clear. Interesting: at what speed can data be retrieved with such a method?

18

Re: Meltdown and Spectre

Hello, Pzz, you wrote:
Pzz> Approximately clear. Interesting: at what speed can data be retrieved with such a method?

Depending on the OS and the method, from 122 to ~500 KB/s.

19

Re: Meltdown and Spectre

Hello, andrey.desman, you wrote:
AD> Depending on the OS and the method, from 122 to ~500 KB/s.

It seemed to me that the contents of  change at least a thousand times per second?

20

Re: Meltdown and Spectre

Hello, wildwind, you wrote:
Cs>> Spectre is the more general vulnerability, and for now there is no protection from it.
W> For now, a successful attack requires injecting code into the target process/kernel.

Other sequences that allow Spectre to be exploited have already been found here. And it is evident that this will continue for a long time yet.

21

Re: Meltdown and Spectre

Surely Putin's agents have been at work. Well, now Elbrus tramples them all! Who was talking about its poor performance?

22

Re: Meltdown and Spectre

Hello, vsb, you wrote:
vsb> Spectre generally cannot be dealt with in any way, as far as I understand; we will have to live with it for the next 10 years or so. So there is not much to consider here. But on the whole it relies on precise timers, and browsers will restrict the ability to obtain precise timing information in upcoming versions.

They had to disable SharedByteArray, the only way to organize multithreading with shared data in JS.

23

Re: Meltdown and Spectre

Hello, Pzz, you wrote:
Cs>> Meltdown is specific to Intel and allows a userspace process to read all physical memory, including the kernel and . The only protection is KAISER for Linux (https://lwn.net/Articles/741878/) or a similar change for NT. AMD is not subject to this particular vulnerability.
Pzz> And explain, please, to stupid me: how does the ability to sniff out the kernel page layout from user space turn into the ability to read the contents of kernel memory?

It is possible to organize probes that leak one bit of the contents. And with shifting, one bit is already enough to get all the rest. As a result, memory is read at a speed of 500 kilobytes per second. From my understanding:

    char *data = (char *)0xFFFFa123123;      // in the kernel
    if ((*data & 0x01) != 0) {               // crashes here
        char *probe1 = (char *)0x123123123;  // in our address space
        *probe1 = 123;
    } else {
        char *probe1 = (char *)0x234123412;  // in our address space
        *probe1 = 234;
    }

This code naturally crashes with SIGSEGV. But the problem is that the CPU has time to execute one of the probes speculatively. And then, by means of cache testing, it is possible to find out which probe worked.

24

Re: Meltdown and Spectre

Hello, Cyberax, you wrote:
vsb>> Spectre generally cannot be dealt with in any way, as far as I understand; we will have to live with it for the next 10 years or so. So there is not much to consider here. But on the whole it relies on precise timers, and browsers will restrict the ability to obtain precise timing information in upcoming versions.
Cs> SharedByteArray had to be disabled, the only way to organize multithreading with shared data in JS.

Well, that is unpleasant, of course, but the essence is that the problem is solved for now. And later they will invent something. As I understand it, Spectre only allows reading from within the process, so it is enough to run JavaScript in a separate process.

25

Re: Meltdown and Spectre

Hello, vsb, you wrote:
Cs>> SharedByteArray had to be disabled, the only way to organize multithreading with shared data in JS.
vsb> Well, that is unpleasant, of course, but the essence is that the problem is solved for now. And later they will invent something. As I understand it, Spectre only allows reading from within the process, so it is enough to run JavaScript in a separate process.

Spectre works in the kernel too, but it requires certain code sequences (for example, a standard bounds check). They are now writing a plug-in for gcc that will avoid dangerous sequences, but it is already clear that the inquisitive minds of hackers will find new ways to bypass it.
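The "standard bounds check" mentioned in the post above is the code sequence Spectre variant 1 targets (the "Variant One, Bounds Check Bypass" of the AMD statement quoted earlier). As an added example that is not code from the thread, here is that pattern in C next to a branch-free index-masking mitigation in the style of the Linux kernel's array_index_nospec(); the table, its contents and the function names are constructed for illustration.

```c
/* Added example, not from the thread: the bounds-check pattern Spectre v1
 * targets, beside an index-masking mitigation in the style of the Linux
 * kernel's array_index_nospec(). Table and names are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_SIZE 16
static const uint8_t table[TABLE_SIZE] = {
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };

/* Vulnerable pattern: architecturally correct, but while the comparison is
 * unresolved the CPU may speculatively load table[idx] for an out-of-range
 * idx, and a later idx-dependent access can leave a trace in the cache. */
uint8_t read_checked(size_t idx) {
    if (idx < TABLE_SIZE)
        return table[idx];
    return 0;
}

/* All-ones when idx < size, zero otherwise, with no branch to mispredict.
 * Assumes idx and size are both below SIZE_MAX/2 (true for real arrays). */
static inline size_t index_mask_nospec(size_t idx, size_t size) {
    __asm__ __volatile__("" : "+r"(idx)); /* hide idx so GCC/Clang cannot
                                              prove the mask redundant */
    /* size - 1 - idx wraps around (top bit set) exactly when idx >= size */
    size_t top = (idx | (size - 1 - idx)) >> (sizeof(size_t) * 8 - 1);
    return (size_t)0 - (top ^ 1);
}

/* Hardened pattern: the check stays for the architectural result, but the
 * index is clamped to 0 under misspeculation, so no out-of-bounds load
 * happens even transiently. */
uint8_t read_masked(size_t idx) {
    if (idx >= TABLE_SIZE)
        return 0;
    idx &= index_mask_nospec(idx, TABLE_SIZE);
    return table[idx];
}

int main(void) {
    size_t probes[] = { 3, 15, 16, 1000 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("idx=%zu checked=%u masked=%u\n", probes[i],
               (unsigned)read_checked(probes[i]), (unsigned)read_masked(probes[i]));
    return 0;
}
```

Both functions return the same values architecturally; the difference is only in what the CPU may touch while the branch is still being predicted.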