On Thu, Jan 4, 2018 at 9:12 PM, Walter Dnes <waltd...@waltdnes.org> wrote:
>
>   There are 2 vulnerabilities at play here, both caused by speculative
> execution...

Actually, there are 3 related ones, with two names between them.
Can't imagine why there is so much confusion...

> 2) "Spectre" is the reading, by one userland process, of memory
> belonging to another userland process.  Since this does not require
> jumping to kernel privilege level, AMD's ring-level permission checking
> is not invoked, and AMD CPUs are vulnerable.  Think "cross-site-scripting
> on steroids", or "cross-process memory access" on your PC.

Spectre describes two variants.  It can be used from userland to
kernel, or between two userland processes.  However, it doesn't
require jumping priv levels - it is a side-channel leak.

Variant 1 requires that code be executed in the context of the process
being attacked.  So, there isn't a cross-priv issue here - just a
"skipped" bounds check.  When the out-of-bounds memory is accessed the
CPU sees that it is running in the correct priv level, which is
probably why AMD is vulnerable.

I'm a little hazy on variant 2, but I believe that this also requires
execution in the target context.  I suspect it doesn't run on AMD64
due to some details of how its CPUs actually work - it might not
speculatively do an indirect call, or it might not get far enough into
it to affect the cache.

>   This is a problem that's associated with "speculative execution".  I
> wonder how much of a performance hit it would be to turn off speculative
> execution.  That would probably require at least a microcode/firmware
> update, if not a new CPU.

Turning it off entirely would be a huge performance hit.  However,
Intel announced that they're going to add instructions to selectively
turn it off, presumably so that compilers can use this in situations
where Spectre is possible.  That will require a microcode change.  It
sounds like there are also workarounds.  For example, Intel suggests
doing an lfence after a bounds check to defeat variant 1, and I've
seen comments that suggest this works for some Intel users.  It
doesn't seem to work on my Phenom II or Ryzen 5.  Go figure, Intel
promoting an Intel-specific fix, though to be fair this is all rushed
and they might not even realize it doesn't work on AMD, or maybe I'm
doing it wrong.  (My code is at:
https://gist.github.com/rich0/056eebebc1f88a624e36680e0de36011 ).

-- 
Rich
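The variant 1 shape and the lfence-after-bounds-check workaround discussed above, as an added example (not Rich's gist and not code from this thread): a lookup with the bounds check only, the same lookup with a speculation barrier between the check and the load, and, going beyond what the thread covers, a portable branchless index-masking form in the style of the Linux kernel's array_index_nospec. Assumptions: the table is constructed sample data, the barrier is an inline-asm lfence that is a no-op on non-x86 targets, and the empty asm statement is used only to stop the compiler from folding the mask computation.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample data for the example. */
#define TABLE_LEN 16
static const uint8_t table[TABLE_LEN] = {
    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25 };

/* Speculation barrier after the bounds check, as Intel suggests for
 * variant 1: lfence keeps the load from executing until the compare
 * has actually resolved.  Assumption: only x86 gets the instruction;
 * elsewhere this is a no-op. */
static inline void speculation_barrier(void) {
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#endif
}

/* Variant 1 shape: if the branch is mispredicted, the load can run
 * speculatively with an out-of-range index.  Returns -1 when rejected. */
int lookup_unfenced(size_t idx) {
    if (idx < TABLE_LEN)
        return table[idx];
    return -1;
}

/* Hardened form A: bounds check, then the barrier, then the load. */
int lookup_fenced(size_t idx) {
    if (idx < TABLE_LEN) {
        speculation_barrier();
        return table[idx];
    }
    return -1;
}

/* Hardened form B (portable): clamp the index with a branchless mask so
 * that even a mispredicted path cannot reach past the end of the table.
 * The empty asm hides idx from the optimizer so the comparison is not
 * folded to "always true" inside the guarded branch. */
static inline size_t index_nospec(size_t idx, size_t len) {
    __asm__ __volatile__("" : "+r"(idx));
    size_t mask = (size_t)0 - (size_t)(idx < len);  /* all ones or zero */
    return idx & mask;
}

int lookup_masked(size_t idx) {
    if (idx < TABLE_LEN)
        return table[index_nospec(idx, TABLE_LEN)];
    return -1;
}
```

Whether form A actually closes the window on a given AMD part is exactly the open question raised in the thread; form B does not depend on the fence semantics of the CPU at all.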
