[SystemSafety] Reading privileged memory with a side-channel
Derek M Jones
derek at knosof.co.uk
Thu Jan 4 14:54:31 CET 2018
All,

We are going to be hearing a lot about the 'bug' in
Intel's cpu (and perhaps other vendors as well) over the
coming weeks and months.

A very good write-up of the nitty-gritty technical details here:
https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html

Short explanation:

Processors do speculative execution (i.e., several
possible control flow paths are executed at the same time;
saves waiting until it is known which one is needed).

Processors support small amounts of faster memory than RAM, cache
memory.

The first time something is read from RAM a sequence of
consecutive memory locations are loaded into the cache; this
means flushing some other values from the cache.

Speculative execution can be used to cause a value in a privileged area
of memory to be read. The cpu does not throw a privilege violation
because this speculative flow of control does not subsequently
get selected.

However, the read of the privileged value causes some other values
to be flushed from the cache.

A timing analysis can be used to figure out whether a cache flush has
occurred.

This process can be used to extract 1-bit of information about a value
in privileged memory (e.g., the OS kernel).

Rinse and repeat for 32, or more, bits.
--
Derek M. Jones Software analysis
tel: +44 (0)1252 520667 blog:shape-of-code.coding-guidelines.com
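
A toy simulation of the mechanism summarised in the message above, added here as an illustration; it is not part of the original post or of the linked write-up. The cache geometry, latencies and all names (`ToyCache`, `ToyCPU`, `leak_bit`, `leak_byte`) are constructed, and the bit-dependent load on the speculative path is an assumption the summary does not spell out; it models a cache in software and touches no real hardware.

```python
# Toy model (constructed): direct-mapped cache plus a discarded speculative read.
LINE, SETS = 64, 8      # assumed line size in bytes and number of cache sets
HIT, MISS = 1, 100      # assumed access latencies in simulated cycles


class ToyCache:
    def __init__(self):
        self.tags = [None] * SETS          # one line per set (direct-mapped)

    def access(self, addr):
        """Load addr, return its simulated latency, fill the line on a miss."""
        line = addr // LINE
        idx = line % SETS
        if self.tags[idx] == line:
            return HIT
        self.tags[idx] = line              # evicts the previous occupant
        return MISS


class ToyCPU:
    def __init__(self, secret):
        self.cache = ToyCache()
        self._privileged = bytes(secret)

    def read_privileged(self, i):
        """Architectural read: always refused."""
        raise PermissionError("privilege violation")

    def speculate(self, i, bit, base):
        """Path that is never selected: no fault, no visible result,
        but the cache fill it caused stays (assumed bit-dependent load)."""
        b = (self._privileged[i] >> bit) & 1
        self.cache.access(base + b * LINE)


def leak_bit(cpu, i, bit):
    own = [0, LINE]                        # observer's lines in sets 0 and 1
    for addr in own:                       # fill both sets with own data
        cpu.cache.access(addr)
    cpu.speculate(i, bit, SETS * LINE)     # lands in set 0 (b=0) or 1 (b=1)
    t0, t1 = (cpu.cache.access(a) for a in own)   # time own lines again
    return 1 if t1 > t0 else 0             # the slow line was the one evicted


def leak_byte(cpu, i):
    """Rinse and repeat: one bit per round, eight rounds per byte."""
    return sum(leak_bit(cpu, i, b) << b for b in range(8))
```

In this model `read_privileged` refuses every request, so the permission check is intact; the information escapes only through which of the observer's own lines became slow.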