xxxxx@gmail.com wrote:
As we can see from recently disclosed exploitation of CPUs “features” called Spectre and Meltdown, it is possible to use speculative execution to bypass base Win/CPU code execution security model. In case of Spectre you can un-sandbox JavaScript in web-browser and read Ring 0 memory from usual app (Meltdown).
What do you think about danger of speculative execution for drivers and their code?
You know, I have to say that I am baffled by the panic over this
problem.  Yes, it’s ugly that user-mode code can smell kernel-mode
memory, but there are two things to remember. First, the attacker has
to get user-mode code running on my machine. Assuming the usual good
practices, that’s a very difficult thing to do. Second, the exploits
can read that memory very slowly, about 2k bytes per second.  If you’re
going to use this exploit, you’d want to read net and disk buffers, but
those are incredibly dynamic. They don’t stand still long enough for a
2k B/s reader to grab anything coherent.
Personally, unless I have missed a memo, I see this as much less of an
issue than the old FDIV bug.
And your last sentence reflects a misunderstanding of the problem. The
problem is not that speculative execution makes your code vulnerable.Â
The problem is that an attacker can USE speculative execution to snoop
information about static kernel memory.
Recently Microsoft published a blog post about introducing new compiler switch (/Qspectre) for VS2017 to prevent speculative execution in sensitive part of code (where conditional jumps are located). They are recommending to use it for software compilation.
But that’s silly. It is the ATTACKER that uses speculative execution.Â
There’s no danger added by having kernel code that uses speculative
execution.
Â
What do u think about using this switch for [device] drivers compilation? Are there present sensitive cases and conditions for drivers, where speculative execution can be used for unauthorized code execution/data access?
I don’t think it can. Certainly there’s no way to cause unauthorized
code execution. The best the attacker can do is sniff out the contents
of some kernel addresses.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.