@paxteam Is the owl still around? ani
maybe, only one way to find out ;)
New conversation
weird machines were coined by @sergeybratus a little bit at least, no? That's more recent history compared to ASLR :)
See my paper - it states that it was Sergey who coined the term.
yeah sorry about that, my memory is apparently just a tad bit better than mayhem's ;).
maybe you've got yourself a case of neural weird machine? ;)
Don't we all? ;)
New conversation
hmm. does that qualify as a weird state? you could argue that, in the paper's terminology, it all happens in transitory states between sane states, and the CPU never actually moves into a weird state. (IOW: the CPU still behaves according to architectural spec.)
yeah, it is a bit more complicated in this case. the weird state is already entered when the CPU fails to do what the implementor thought/intended it would do; the ifsm for OS would not include kernel/user or user/user side channels?
but the CPU will always be doing some stuff the implementor didn't specify, which is the whole reason you introduced transitory states. which part of an attack crosses the line from transitory to weird for you? the timing measurement that turns uarch state into arch state?
I don’t think anything about either attack is a “weird state” nor is it some metastability or not fully enumerated entry in an internal state machine. It’s all precisely behaving according to spec, it’s just leaking information.
Today it's D cache and branch predictors, tomorrow it will be attacks against other parts of the machine. We have seen even papers showing how instruction sequences can damage machine life due to internal pipeline transitions they can force. There are so many possible vectors.
I am waiting for differential timing analysis of pipelines (not the caches) to infer what instructions are in flight. @lavados started down this path with his blog in July which initially thought about the meltdown problem in far more levels of sophistication than required here.
Oh and I doubt just removing high precision timers will do it. If you can have a high enough bandwidth link between two cores (via the cache) you can time a counting loop on a second core in lieu of having high precision time on the other. Hope android considered that case.
But you already thought of that didn’t you @lavados? ;) you must have...
New conversation
for v2, afaics how much power you get in the end should mostly depend on what gadgets you have and how much register/memory control you have? mostly like normal attacks with gadgets, except you get more control over indirect calls, some things don't work, and there's a time limit
would be interesting to see though how well classic ROP works in there, considering that all the returns would probably be mispredicted