Spectre Attacks: Exploiting Speculative Execution
Normally, I prefer to keep these blog posts very academic. However, I'd like to move to a more conversational format, and I think this paper presents the perfect starting point for such a shift. This paper is one of the more "advanced" papers I've read. It requires a rich and detailed understanding of computer architecture details AND operating system constructs. This post may contain misinformation, and therefore I advise any potential reader to consider reading the paper.
***
Spectre leverages speculative execution to expose a timing side-channel. The two main variants described in this paper are the Variant 1: Bounds Check Bypass and Variant 2: Branch Target Injection. It is worth noting that Spectre attacks are perhaps most useful in the case of trying to access data within the same process. The common example of this is a web browser which runs multiple threads and JavaScript. The site's Java script can use Spectre to gain access to what you are typing in other browser tabs, for example. While chrome does a good job at mitigating this form of attack, it is only one such example.
Variant 1: Bounds Check Bypass (BCB) In this variant the attacker trains the branch predictor to predict a branch that a segment of code will access a valid address. Once the predictor is primed, a bad address can be used which would fail the bounds check. However, speculatively, we can access the code beyond the bypass. This will leave cache effects, which can then be timed.
Variant 2: Branch Target Injection (BTI) and Return-oriented Programming (ROP) This variant involves training a branch within the victim's address space. First, a "gadget" is selected within the victim's address space. This can be done by frequently calling a function with a valid input. Once primed, the function can be called with an invalid input which leaves side-effects.
This is as much detail as I feel comfortable providing in this write-up. The important note here is that this type of speculative attack leaves many vulnerabilities, and, is not fixed KPTI/KAISER.
Full Text
***
Spectre leverages speculative execution to expose a timing side-channel. The two main variants described in this paper are the Variant 1: Bounds Check Bypass and Variant 2: Branch Target Injection. It is worth noting that Spectre attacks are perhaps most useful in the case of trying to access data within the same process. The common example of this is a web browser which runs multiple threads and JavaScript. The site's Java script can use Spectre to gain access to what you are typing in other browser tabs, for example. While chrome does a good job at mitigating this form of attack, it is only one such example.
Variant 1: Bounds Check Bypass (BCB) In this variant the attacker trains the branch predictor to predict a branch that a segment of code will access a valid address. Once the predictor is primed, a bad address can be used which would fail the bounds check. However, speculatively, we can access the code beyond the bypass. This will leave cache effects, which can then be timed.
Variant 2: Branch Target Injection (BTI) and Return-oriented Programming (ROP) This variant involves training a branch within the victim's address space. First, a "gadget" is selected within the victim's address space. This can be done by frequently calling a function with a valid input. Once primed, the function can be called with an invalid input which leaves side-effects.
This is as much detail as I feel comfortable providing in this write-up. The important note here is that this type of speculative attack leaves many vulnerabilities, and, is not fixed KPTI/KAISER.
Full Text
Comments
Post a Comment