Yes - Intel does have broken speculative execution, @scarybeasts (not an arbitrary read yet, but definitely a leak that shouldn't work)pic.twitter.com/qx2dcJsjzB
Yeah, I do @musllibc, FOSS & infosec stuff. But now is not the time for a mostly-/only-tech Twitter feed.
You can add location information to your Tweets, such as your city or precise location, from the web and via third-party applications. You always have the option to delete your Tweet location history. Learn more
Add this Tweet to your website by copying the code below. Learn more
Add this video to your website by copying the code below. Learn more
By embedding Twitter content in your website or app, you are agreeing to the Twitter Developer Agreement and Developer Policy.
| Country | Code | For customers of |
|---|---|---|
| United States | 40404 | (any) |
| Canada | 21212 | (any) |
| United Kingdom | 86444 | Vodafone, Orange, 3, O2 |
| Brazil | 40404 | Nextel, TIM |
| Haiti | 40404 | Digicel, Voila |
| Ireland | 51210 | Vodafone, O2 |
| India | 53000 | Bharti Airtel, Videocon, Reliance |
| Indonesia | 89887 | AXIS, 3, Telkomsel, Indosat, XL Axiata |
| Italy | 4880804 | Wind |
| 3424486444 | Vodafone | |
| » See SMS short codes for other countries | ||
This timeline is where you’ll spend most of your time, getting instant updates about what matters to you.
Hover over the profile pic and click the Following button to unfollow any account.
When you see a Tweet you love, tap the heart — it lets the person who wrote it know you shared the love.
The fastest way to share someone else’s Tweet with your followers is with a Retweet. Tap the icon to send it instantly.
Add your thoughts about any Tweet with a Reply. Find a topic you’re passionate about, and jump right in.
Get instant insight into what people are talking about now.
Follow more accounts to get instant updates about topics you care about.
See the latest conversations about any topic instantly.
Catch up instantly on the best stories happening as they unfold.
Yes - Intel does have broken speculative execution, @scarybeasts (not an arbitrary read yet, but definitely a leak that shouldn't work)pic.twitter.com/qx2dcJsjzB
I just read @anders_fogh's https://cyber.wtf/2017/07/28/negative-result-reading-kernel-memory-from-user-mode/ … - it's very close, but I found testing assumptions 1, 2 and 3 sequentially in reverse order to be practical. Loading caches during speculative execution gave me 1 bit of output, which I used to verify the rest.
I can read user memory using speculative exec reliably. Page faults halt speculative execution reliably. Loads from kernel memory show up as zero, but not reliably. Certain addresses (eg those shown above), return data some percent of the time. Next step is finding out which/why.
Probability looks the same in 64 byte blocks, implying cache lines. Theory: permission check happens when the memory isn't in some cache. If the permission check passes, it's brought into L1 (so user memory always works), otherwise the caches stay the same and it uses zero.
It's hard to get clear data, as probabilities change over time. But if that's right, I'll need an instruction or trick to get arbitrary kernel memory into L1 (prefetch instructions don't seem to work). I may write a kernel module to test the theory.
If this is truely the issue, kernel could mitigate by flushing L1 before returning rather than costly page table switches.
That's a really interesting point - I assume between the multiple kernel teams they've considered this, so maybe my theory is false, or maybe there's a trick to load kernel data into L1 without context switching? (A hyper-thread on the same core?)
I think that the latter is correct - I was also thinking about the L1$ flush mitigation, but HT thread should be able to force-populate L1 w/ kernel data indeed.
Indeed, but for many workloads I'd happily choose disabling HT over making syscalls 2-5x as costly.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.