okay i actually fucking LOVE this bug so much omg. this is even better than i thought it was. sorry, i apologize, i'm gonna fangirl a little bit here sorry https://twitter.com/argvee/status/948682737057189888 …
first of all: the attack isn't intel-specific. it's not (QUITE) a hardware bug. it's extraordinarily clever.
if i understand right: the simplest variant works like this. basically all modern CPUs speculate loads far beyond the point where they know it's safe. this is necessary for even half-decent performance in a big pipeline.
so if you do this: a = x[4]; b = y[a]; c = z[b]; it may load "c" long before it even knows the load of "a" was safe! this is fine as long as it can roll things back in the case the first load failed. completely normal
the catch here is: doing the load puts that data in the cache. so... imagine you're not supposed to be able to know "b" because it's in kernel memory. it'll load b, and then load z[b] to get c. then at some point it will fail and roll back.
but this will have a side effect: the chunk of memory containing "c" will end up getting loaded into cache. the rollback *isn't total*. it's like the CPU went ahead to the next page of an assignment before it was supposed to, but didn't completely hide that fact.
and given the right circumstances, you can use this to recover "b", one bit at a time.
you can now recover arbitrary data from any memory in the system. you win.
(there are other variants that use branch prediction, etc. to apply approximately the same attack. but the core idea is the same: construct a case where the CPU leaves a visible trail of its speculative execution)
someone who read more of the article than me tell me if i'm wrong tho
yup, that's the basic idea behind all three variants
Replying to @tehjh
(fangirl noises) approval by the actual author!!! i absolutely *love* this bug though. out of curiosity, how confident are you in AMD's claimed safety (due to refusal to speculate past privilege boundaries)?
Replying to @FioraAeterna
I don't know enough about how CPUs actually work to be able to say anything useful about that