1 |
Rich Freeman <rich0@g.o> wrote: |
2 |
> On Thu, May 10, 2018 at 1:34 AM Martin Vaeth <martin@×××××.de> wrote: |
3 |
> |
4 |
>> As a simple example, assume that you have read a password file |
5 |
>> into a string of your language and now access a single password. |
6 |
>> No matter, how you mark the end of the password (fixed-length, \0, \n, |
7 |
>> ...) speculative execution might always access the next password(s) |
8 |
>> unless you prevent it globally. Whether it is exploitable depends |
9 |
>> of course on other things. There is no difference to C. |
10 |
> |
11 |
> [...] I don't see how |
12 |
> having the next password speculatively read would on its own create a |
13 |
> vulnerability. |
14 |
|
15 |
That's what I meant by "whether it is exploitable depends of course |
16 |
on other things". *Most* speculative executions are probably not |
17 |
exploitable, whether in C or any other language: you need a |
18 |
really unfortunate setup. |
19 |
However, to be on the really safe side you just have to prevent |
20 |
everything which might potentially exploitable. |
21 |
|
22 |
> You would also need some kind of indirect memory access |
23 |
> based on the speculatively-accessed data |
24 |
|
25 |
For the "classical" spectre (v2?) variant: |
26 |
In the "speculative" execution you copied more data. |
27 |
Exploitability depends completely on the subsequent code, |
28 |
i.e. what will happen with this data (and on whether an attacker |
29 |
can execute and time the whole function). |
30 |
|
31 |
However, everybody expected (and perhaps spectre-ng will confirm that) |
32 |
that there are a lot more of processor bugs involved with speculative |
33 |
execution: AFAIK, there were already reports that some internal |
34 |
processor bits were cleared/set depending on some results (i.e. |
35 |
meltdown type bugs). So maybe just doing the right thing in another |
36 |
process might reveal some information. Whether it is again possible |
37 |
to fix this in the kernel is unclear yet. |
38 |
|
39 |
> Consider: |
40 |
> |
41 |
> for x = 1 to 10 : y=5+3 : next x |
42 |
|
43 |
I don't understand what you want to say here. |
44 |
Of course, non-sensical code is not exploitable. |
45 |
The question is whether the compiler can recognize it. |
46 |
I haven't tried, but I am rather sure that the above loop disappears |
47 |
in C w/ gcc -O2 due to flow analysis (the constant assertion is |
48 |
pulled out and then the loop recognized as empty). |
49 |
|
50 |
> I still tend to think that the additional context around these memory |
51 |
> accesses that is available in a high-level language could be used by a |
52 |
> compiler |
53 |
|
54 |
The compiler needs to detect whether a speculative execution |
55 |
might be dangerous. This is similarly hard for every Turing-complete |
56 |
language; I do not see any language having a considerable advantage |
57 |
for this. |