Re: YASV (Yet Another Security Vulnearability)

On Fri, 26 Jul 2024 16:17:50 GMT
anton@mips.complang.tuwien.ac.at (Anton Ertl) wrote:

EricP <ThatWouldBeTelling@thevillage.com> writes:

One thing they mention is Intel and AMD incorporating privilege level
tagging into the BTB, as I suggested when this all started.
Combine that with purging the user mode entries from the predictor
tables on thread switch and I would think that would shut this all
down. 

 
1) The attacker can still attack the context (even if the notion of
   context includes the privilege level) from within itself.  E.g.,
   the kernel can be attacked by training the kernel-level branch
   prediction by performing appropriate system calls, and then
   performing a system call that reveals data through a
   mis-speculation side channel.  IIRC such Spectre attacks have
   already been demonstrated years ago.
 
2) Users are supposedly not prepared to pay the cost of invisible
   speculation (-5-20%, depending on which paper you read) , are they
   prepared to pay the cost of purging the user-mode entries of branch
   predictors on thread switches?
  
   My guess is that the stuff plays out as usual: The hardware
   manufacturers don't want to implement a proper fix like invisible
   speculation, and they suggest software mitigations like purging
   user-mode entries on thread switch.  The software people then
   usually consider the mitigation too expensive in performance or in
   development effort, so only a miniscule amount of software contains
   Spectre mitigations.
 
- anton

That's how it should be.
Not really attacks -> not really mitigations.
I am not willing to pay even 0.001% in performance to mitigate
non-threats. And as far as I am concerned, anything that requires
running arbitrary binary code on my computer, even on least privileged
account, is a non-threat.