Ok I'm in awe of @tehjh. Not 100% sure I've got it but did he speculatively execute (x64) a speculative program (BPF) by colliding the branch target buffer in order to leak via a cache side effect? Words cannot describe skullduggery of this magnitude.
Variant 2 is blowing my mind
1 reply 0 retweets 19 likes
Yeah. The audacity of speculatively executing a piece of kernel code that isn't enabled.
1 reply 0 retweets 19 likes
Replying to @jessfraz @scarybeasts and
I’m also super curious if the eBPF bug he found a little bit ago was just a result of all this or completely separate, kinda wonder if there’s a funny story of a rabbit hole there
1 reply 1 retweet 13 likes
I think https://bugs.chromium.org/p/project-zero/issues/detail?id=1251 … (from May) was me starting to fiddle together the variant 1 PoC; I noticed that the verifier log had a weird number in it. The more recent ones are unrelated.
2:54 AM - 4 Jan 2018
0 replies 3 retweets 17 likes