Subject : Re: YASV (Yet Another Security Vulnerability)
From : anton (at) *nospam* mips.complang.tuwien.ac.at (Anton Ertl)
Groups : comp.arch
Date : 26. Jul 2024, 17:17:50
Organization : Institut fuer Computersprachen, Technische Universitaet Wien
Message-ID : <2024Jul26.181750@mips.complang.tuwien.ac.at>
User-Agent : xrn 10.11
EricP <ThatWouldBeTelling@thevillage.com> writes:
> One thing they mention is Intel and AMD incorporating privilege level
> tagging into the BTB, as I suggested when this all started.
> Combine that with purging the user mode entries from the predictor tables
> on thread switch and I would think that would shut this all down.
1) The attacker can still attack the context (even if the notion of
context includes the privilege level) from within itself. E.g.,
the kernel can be attacked by training the kernel-level branch
prediction by performing appropriate system calls, and then
performing a system call that reveals data through a
mis-speculation side channel. IIRC such Spectre attacks have
already been demonstrated years ago.
2) Users are supposedly not prepared to pay the cost of invisible
speculation (-5-20%, depending on which paper you read); are they
prepared to pay the cost of purging the user-mode entries of branch
predictors on thread switches?
My guess is that the stuff plays out as usual: The hardware
manufacturers don't want to implement a proper fix like invisible
speculation, and they suggest software mitigations like purging
user-mode entries on thread switch. The software people then
usually consider the mitigation too expensive in performance or in
development effort, so only a minuscule amount of software contains
Spectre mitigations.
- anton
-- 'Anyone trying for "industrial quality" ISA should avoid undefined behavior.' Mitch Alsup, <c17fcd89-f024-40e7-a594-88a85ac10d20o@googlegroups.com>
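As an added example (not from the thread or its authors), the script below maps what a Linux kernel reports in `/sys/devices/system/cpu/vulnerabilities/spectre_v2` to the mechanisms discussed above: privilege-separated indirect-branch prediction (eIBRS), purging predictor state on context switch (IBPB, the cost Anton questions in point 2), and retpolines as the software route. It assumes the kernel's field layout from `bugs.c`; the sample status lines are constructed, not captured from a real host.

```python
"""Map the Spectre-v2 status Linux reports in sysfs to the mechanisms above.
Added example, not from the thread; layout follows the kernel's bugs.c output.
The SAMPLES are constructed status lines, not captured from a real machine."""
from pathlib import Path

SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/spectre_v2")
SAMPLES = {  # constructed examples in the kernel's layout
    "eibrs": "Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; "
             "RSB filling; PBRSB-eIBRS: SW sequence; BHI: SW loop, KVM: SW loop",
    "retpoline": "Mitigation: Retpolines; IBPB: conditional; STIBP: conditional; "
                 "RSB filling; PBRSB-eIBRS: Not affected",
    "none": "Vulnerable",
}

def parse_spectre_v2(line):
    """First field -> 'mode'; 'KEY: VALUE' fields keep the value; bare flags -> True."""
    fields = {}
    for i, tok in enumerate(t.strip() for t in line.split(";")):
        if i == 0:
            fields["mode"] = tok
        elif ":" in tok:
            key, val = tok.split(":", 1)
            fields[key.strip()] = val.strip()
        elif tok:
            fields[tok] = True
    return fields

def assess(line):
    """Return (mitigated, notes) relating each field to the thread's points:
    privilege-separated prediction (eIBRS), predictor purge on context switch
    (IBPB, the cost in point 2) and bypassing the BTB (retpolines)."""
    f = parse_spectre_v2(line)
    if not f["mode"].startswith("Mitigation:"):
        return False, [f"kernel reports '{f['mode']}': no Spectre-v2 mitigation active"]
    notes = []
    if "IBRS" in f["mode"]:
        notes.append("eIBRS/IBRS: indirect-branch prediction separated by privilege level")
    if "Retpoline" in f["mode"]:
        notes.append("retpolines: kernel indirect branches avoid the shared BTB")
    notes.append(f"IBPB {f.get('IBPB', 'not reported')}: predictor purge on context switch")
    if "BHI" in f:
        notes.append(f"BHI {f['BHI']}: user-mode training of kernel branch history mitigated")
    return True, notes

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, assess(line))
    if SYSFS.exists():  # live check, Linux only
        print("this host", assess(SYSFS.read_text().strip()))
```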