| 1 |
Rich Freeman <rich0@g.o> wrote: |
| 2 |
> On Thu, May 10, 2018 at 1:34 AM Martin Vaeth <martin@×××××.de> wrote: |
| 3 |
> |
| 4 |
>> As a simple example, assume that you have read a password file |
| 5 |
>> into a string of your language and now access a single password. |
| 6 |
>> No matter, how you mark the end of the password (fixed-length, \0, \n, |
| 7 |
>> ...) speculative execution might always access the next password(s) |
| 8 |
>> unless you prevent it globally. Whether it is exploitable depends |
| 9 |
>> of course on other things. There is no difference to C. |
| 10 |
> |
| 11 |
> [...] I don't see how |
| 12 |
> having the next password speculatively read would on its own create a |
| 13 |
> vulnerability. |
| 14 |
|
| 15 |
That's what I meant by "whether it is exploitable depends of course |
| 16 |
on other things". *Most* speculative executions are probably not |
| 17 |
exploitable, whether in C or any other language: you need a |
| 18 |
really unfortunate setup. |
| 19 |
However, to be on the really safe side you just have to prevent |
| 20 |
everything which might potentially exploitable. |
| 21 |
|
| 22 |
> You would also need some kind of indirect memory access |
| 23 |
> based on the speculatively-accessed data |
| 24 |
|
| 25 |
For the "classical" spectre (v2?) variant: |
| 26 |
In the "speculative" execution you copied more data. |
| 27 |
Exploitability depends completely on the subsequent code, |
| 28 |
i.e. what will happen with this data (and on whether an attacker |
| 29 |
can execute and time the whole function). |
| 30 |
|
| 31 |
However, everybody expected (and perhaps spectre-ng will confirm that) |
| 32 |
that there are a lot more of processor bugs involved with speculative |
| 33 |
execution: AFAIK, there were already reports that some internal |
| 34 |
processor bits were cleared/set depending on some results (i.e. |
| 35 |
meltdown type bugs). So maybe just doing the right thing in another |
| 36 |
process might reveal some information. Whether it is again possible |
| 37 |
to fix this in the kernel is unclear yet. |
| 38 |
|
| 39 |
> Consider: |
| 40 |
> |
| 41 |
> for x = 1 to 10 : y=5+3 : next x |
| 42 |
|
| 43 |
I don't understand what you want to say here. |
| 44 |
Of course, non-sensical code is not exploitable. |
| 45 |
The question is whether the compiler can recognize it. |
| 46 |
I haven't tried, but I am rather sure that the above loop disappears |
| 47 |
in C w/ gcc -O2 due to flow analysis (the constant assertion is |
| 48 |
pulled out and then the loop recognized as empty). |
| 49 |
|
| 50 |
> I still tend to think that the additional context around these memory |
| 51 |
> accesses that is available in a high-level language could be used by a |
| 52 |
> compiler |
| 53 |
|
| 54 |
The compiler needs to detect whether a speculative execution |
| 55 |
might be dangerous. This is similarly hard for every Turing-complete |
| 56 |
language; I do not see any language having a considerable advantage |
| 57 |
for this. |
Archives