For any instruction that can be executed during speculation, if it has
an effect, it's arguably usable as a covert channel (;-))
--dave
On 2018-08-09 10:03 a.m., Russell Reiter via talk wrote:
More Intel woes.
http://www.digitaljournal.com/tech-and-science/technology/new-security-flaw-with-intel-processors/article/529077
Quote from the whitepaper link in the article.
3 GENERAL ATTACK OVERVIEW
Before detailing specific attack scenarios, in this section, we
introduce the basics of how RSB-based speculative execution can be
achieved and be abused. We explore whether and how attackers may
manipulate the RSB entries in order to leak sensitive data using
speculative execution that they could not access otherwise. Similar to
recent microarchitectural attacks [8, 10, 22, 26, 29], we trick the
CPU to execute instructions that would not have been executed in a
sequential execution. The goal is to leak sensitive information in
speculation, e.g., by caching a certain memory area that can be
detected in a normal (non-speculative) execution. The general idea of
our attack can be divided into three steps:
(A1) trigger misspeculations in the return address predictor, i.e.,
enforce that returns mispredict
(A2) divert the speculative execution to a known/controlled code
sequence with the required context
(A3) modify the architectural state in speculation, such that it can
be detected from outside
(A1) Triggering Misspeculation: From an attacker’s perspective,
enforcing that the return predictor misspeculates upon function return
is essential to reliably divert speculative execution to
attacker-controlled code (see A2 for how to control the speculated
code). Misspeculations can be achieved in several ways, depending on
the RSBs underflow behavior (as discussed in Section 2.3).
---
Talk Mailing List
[email protected]
https://gtalug.org/mailman/listinfo/talk
--
David Collier-Brown, | Always do right. This will gratify
System Programmer and Author | some people and astonish the rest
[email protected] | -- Mark Twain
---
Talk Mailing List
[email protected]
https://gtalug.org/mailman/listinfo/talk