Intel junk...Kernel-memory-leaking Intel processor design flaw forcesLinux, Windows redesign

Den 2018-01-06 kl. 19:23, skrev Tim Streater:
In article , Johnny Billquist
wrote:

And then they figured out a clever way of mining the contents of the cache.

One could argue that the cache should be invalidated in such a scenario,
but that is not happening either.

Never mind invalidating it. WTF is going on if a non-priv process has
the right to do anything at all to the cache? Non-priv processes
shouldn't even be aware that there *is* a cache, never mind having the
right to execute instructions *about* the cache.


The non-priv process doesn't know there is a cache and it doesn't
do anything with the cache. Short summary...

You have two arrays in your code, ar1 is 16 bytes and ar2 is 256*1024
or 262144 bytes (see * below).

Then you have an read from the smaller array using an index:

ar1[x]

so far so good. But then you add a range check:

if (x 16):
ar1[x]

And then you use the value read from ar1 as an index into ar2:

if (x 16):
y = ar2[(ar1[x] * 1024)]

Then you run this a number of times with x 16 to "learn" the
predictive execution unit that x is "usually lower then 16". So
the next time, the processor guesses that it will probably need
to run the code after the if, so it does that at once, at more or
less the same time as the if is evaluated. The value of x must of
course be fetched, but it is optimized over to the second statement
before any priv-checkes has been done.

One other important thing, is that you have also run some other
code of your own so that ar2 is completely removed from the cache.
Any read from ar2 will have to go to real memory.

The value ar1[x] will be lost, but one member of ar2 will have
been read and is now cached. And the address is a direct track
back to the (protected) value read using an invalid value of
x using ar1. Anyware in any physically accessable memory.

Now, another important thing. There are counters within modern
CPUs that ticks at a very high speed, say the core speed.
These can be use to time critical code paths or to debug the
processor itself. These timers are not critical as such, but
here comes the clever part...

You now read the whole of ar2, taking note of the time to read/load
each member of the ar2 array. When it finds a member whos access
time is way lower then the rest of the ar2 array, it has found the
addess that was cached and it can count back and calculate the
value that must have been read from the protected memory.

And there you are. Just rerun. Clear the cache, feed the optimizer
with values of x 16, read the next protected memory address and
then re-read ar2 counting the access times.

The protection built in in the processor stops you from directly
see the value read from ar1 (using the out of bounds value of x).

Enjoy!

Jan-Erik.


(*)
I'm not sure about the size of the second array, why not just 256 bytes?
I think it has something to do with the way the cache is organized in
"pages", or whatever it is called.

Den 2018-01-06 kl. 23:34, skrev Tim Streater:
In article , Johnny Billquist
wrote:

On 2018-01-06 19:23, Tim Streater wrote:
In article , Johnny Billquist
wrote:

And then they figured out a clever way of mining the contents of the
cache.

One could argue that the cache should be invalidated in such a
scenario, but that is not happening either.

Never mind invalidating it. WTF is going on if a non-priv process has
the right to do anything at all to the cache? Non-priv processes
shouldn't even be aware that there *is* a cache, never mind having the
right to execute instructions *about* the cache.

Normally, that is true. But clever people can do a lot around this.
When I was doing my CS major, we had a course on advanced computer
architectures, in where we learned how to write a very simple program
that told us everything about cache size, associativeness, line size, TLB
size, TLB associativeness, and so on...
All you need to do is understand how the computer is affected by these
things, and then write programs that detect the effects.

In short, you write small loops that exercise the cache in different
ways, and time the whole thing. You don't even need any high precision
timers for it. All user level, and all very simple.

Does that involve instructions that operate on the cache. Such as
"clear cache"?


You just read some unrelated (to the actual tests) data, so that the
test that you are running are 100% non-chached. If that is what your
tests are about.

And anyway, you can never "clear" any memory, being it the cache or any
other memory. Each byte will always have a value between x'00' and x'FF'.

Den 2018-01-07 kl. 00:09, skrev Andy Burns:
Tim Streater wrote:

Does that involve instructions that operate on the cache. Such as
"clear cache"?

Yes, for the example I saw

https://gist.github.com/ErikAugust/724d4a969fb2c6ae1bbd7b2a9e3d4bb6/revisions


but I think it was only using spectre techniques to read from a chunk of
memory within the same process, to demonstrate how the timing works.

The x86-64 reference manual

https://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-instruction-set-reference-manual-325383.pdf


states

"The CLFLUSH instruction can be used at all privilege levels and is subject
to all permission checking and faults associated with a byte load"

so perhaps the example is too simplistic and a real attack wouldn't be able
to flush the target area of memory from the cache lines, unless it already
had permission to access that memory?

You just have to make sure that nothing that is related to what you are
doing is cached. Such as loading some *other* data that belongs to you.

Tim Streater wrote:
It's not that bad, one or two cars at a time. These days it's not unusual
at all for houses to have 200A service and putting a 100A 240V outlet in
the garage for a charger does not require a major retrofit.

Garage ha ha ha. That'll work a treat on those streets of terraced
houses, eh?

A 50kWh battery is going to need 100A at 1kV to charge up in 30 mins.

You're not going to get that right now. Maybe in a decade. Right now
you're talking four hours to charge it up full.

You going to give the punter a cable at 1kV to shove in their car?

It's dangerous, sure, but ever seen a gasoline fire?
--scott


--
"C'est un Nagra. C'est suisse, et tres, tres precis."

In article , Ron C
wrote:

...and you believe cars will reach a higher standard?

absolutely.

all they need to do is be better than humans, which as i said, is not
that tough.

And yet we have this [many decades old] memory leak security hole.

that would not cause an autonomous vehicle to crash.

nospam wrote:
In article , Ron C
wrote:

My neighbor is a mechanic for a dealership. They send him to classes
for the latest updates and such. He's told some stories about the warnings
related to servicing electric cars. Most of the stories start with something
to the effect of "..if you touch THIS you're dead.."
Seems there's the potential for a lot of dead shade-tree mechanics, to say
nothing of the risks to EMTs responding to crashes.

if you touch the wrong thing in a gas vehicle you could be dead too.

That's the basic thing. People have had a century now to get used to gasoline
and learn how to prevent gasoline from exploding so easily. It still happens
now and then, even with a century of technology and training.

It's going to take some time for people to learn the safety measures and
procedures for electric stuff. It's scary, but no more scary than gasoline
was in 1910.

The really cool thing about electricity, and the thing that fascinated me
about it as a child, was that it follows rules and it follows them precisely.
If you know the rules and you pay attention to them, it's perfectly safe. If
you do not, it's very dangerous.
--scott


--
"C'est un Nagra. C'est suisse, et tres, tres precis."

Ron C wrote:
On 1/6/2018 6:22 PM, nospam wrote:
In article , Ron C
wrote:

My neighbor is a mechanic for a dealership. They send him to classes
for the latest updates and such. He's told some stories about the warnings
related to servicing electric cars. Most of the stories start with something
to the effect of "..if you touch THIS you're dead.."
Seems there's the potential for a lot of dead shade-tree mechanics, to say
nothing of the risks to EMTs responding to crashes.

if you touch the wrong thing in a gas vehicle you could be dead too.

Such as... ?

We hired a man to fix our car
Then he held on to a spark plug wire.
Now he's moving on.
He's moving on.
His soul cut loose when he felt the juice,
He's moving on.


--
"C'est un Nagra. C'est suisse, et tres, tres precis."

On Sat, 06 Jan 2018 15:54:21 -0500, nospam
wrote:

In article , Doomsdrzej
wrote:

The biggest problem in even considering a Tesla is that I live in a
very cold climate which, since mid-December, has seen its temperature
go no lower than -25c. In such a climate, the already poor range of an
electric car is even worse and there are good reasons to believe that
it wouldn't even start.

the batteries are heated in cold weather and the cars start just fine.

Are they heated through the use of a block heater or is there some
other solution I'm not aware of?

the batteries are heated and shortly before leaving, you can preheat
the cabin via a smartphone app.

_How_ are they heated?

via a heater module on the batteries.

Pre-heating the cabin essentially means that you've turned on the car
remotely. However, this is only possible if the car starts which, of
course, often requires the batteries to be heated.

for a gas powered vehicle, the engine must be running.

not true for an electric vehicle.

Very interesting to know, thanks.

On 01/06/2018 07:43 PM, nospam wrote:
In article , Ron C
wrote:

...and you believe cars will reach a higher standard?

absolutely.

all they need to do is be better than humans, which as i said, is not
that tough.

And yet we have this [many decades old] memory leak security hole.

that would not cause an autonomous vehicle to crash.


Well, we don't know that yet. :-) Maybe it can make the
autonomous car mistake a tractor-trailier for a billboard.

bill

On 1/6/2018 7:38 PM, Scott Dorsey wrote:
Tim Streater wrote:
It's not that bad, one or two cars at a time. These days it's not unusual
at all for houses to have 200A service and putting a 100A 240V outlet in
the garage for a charger does not require a major retrofit.

Garage ha ha ha. That'll work a treat on those streets of terraced
houses, eh?

A 50kWh battery is going to need 100A at 1kV to charge up in 30 mins.

You're not going to get that right now. Maybe in a decade. Right now
you're talking four hours to charge it up full.

You going to give the punter a cable at 1kV to shove in their car?

It's dangerous, sure, but ever seen a gasoline fire?
--scott


Thousands of people pump their own gas every day. Seldom
a conflagration. Several hundred volts and a little water in the
wrong place .. and zap!
I'd tend to trust some average rube with gasoline before I'd trust
them with high voltage stuff.
[YMMV]
--
==

Later...
Ron C
--


---
This email has been checked for viruses by AVG.
http://www.avg.com

Den 2018-01-07 kl. 01:50, skrev Doomsdrzej:
On Sat, 06 Jan 2018 15:54:21 -0500, nospam
wrote:

In article , Doomsdrzej
wrote:

The biggest problem in even considering a Tesla is that I live in a
very cold climate which, since mid-December, has seen its temperature
go no lower than -25c. In such a climate, the already poor range of an
electric car is even worse and there are good reasons to believe that
it wouldn't even start.

the batteries are heated in cold weather and the cars start just fine.

Are they heated through the use of a block heater or is there some
other solution I'm not aware of?

the batteries are heated and shortly before leaving, you can preheat
the cabin via a smartphone app.

_How_ are they heated?

via a heater module on the batteries.

Pre-heating the cabin essentially means that you've turned on the car
remotely. However, this is only possible if the car starts which, of
course, often requires the batteries to be heated.

for a gas powered vehicle, the engine must be running.

not true for an electric vehicle.


Or for a normal gas powered car, with built-in electric
pre-heating of the windshield (or whatever).

Many cars also have a separate gas or diesel powered heater
for the cabin. Today remote controled by your phone app...

Eberspächer being one of the oldest and larges manufacturer.

https://www.eberspacher.com/products...d-heaters.html
https://www.eberspacher.com/products...l-heaters.html

On Sat, 6 Jan 2018 17:46:57 -0500, Bill Gunshannon
wrote:

On 01/06/2018 05:27 PM, nospam wrote:
In article , Bill Gunshannon
wrote:

The biggest problem in even considering a Tesla is that I live in a
very cold climate which, since mid-December, has seen its temperature
go no lower than -25c. In such a climate, the already poor range of an
electric car is even worse and there are good reasons to believe that
it wouldn't even start.

the batteries are heated in cold weather and the cars start just fine.

Are they heated through the use of a block heater or is there some
other solution I'm not aware of?

the batteries are heated and shortly before leaving, you can preheat
the cabin via a smartphone app.

And that heating shortens your range. Or did you think it was
somehow free?

it's effectively free. the impact is a few miles less range, out of
200-300 miles total. most trips are well under that, so it's not even
remotely a concern.

Say what?

Honda FitEV - 82 miles
KIA SoulEV - 93 miles
Mercedes Benz B-Class Electric Drive - 124 miles
Mitsubishi I-MiEV - 106 miles
Nissan Leaf - 75 miles
Smart electric Drive - 90 miles
Volkswagen e-Up - 99 miles
Chevy Spark EV - 82 miles
BMW i3 - 114 miles

Not everybody can afford a Tesla.

Before I retired my daily commute was between 60 and 70 miles. Very
close for some of these cars without using some of that electricity
for heat. One detour because of an accident on the highway and I am
screwed. And what do you think it will cost to have it flatbeded to
my house? Not to mention the wasted time, inconvenience and danger of
being stranded on the side of the road. especially in -20 temps.

Electric cars are about as ready for reality as autonomous cars.

I just put 450km of highway/city driving on my QX30 before it kindly
asked me whether I would buy it a drink of oil. None of those
affordable electric cars get anywhere near there. Only Tesla does...
and it has a wait time as well as a very high price tag.

On 01/06/2018 07:56 PM, Doomsdrzej wrote:
On Sat, 6 Jan 2018 17:46:57 -0500, Bill Gunshannon
wrote:

On 01/06/2018 05:27 PM, nospam wrote:
In article , Bill Gunshannon
wrote:

The biggest problem in even considering a Tesla is that I live in a
very cold climate which, since mid-December, has seen its temperature
go no lower than -25c. In such a climate, the already poor range of an
electric car is even worse and there are good reasons to believe that
it wouldn't even start.

the batteries are heated in cold weather and the cars start just fine.

Are they heated through the use of a block heater or is there some
other solution I'm not aware of?

the batteries are heated and shortly before leaving, you can preheat
the cabin via a smartphone app.

And that heating shortens your range. Or did you think it was
somehow free?

it's effectively free. the impact is a few miles less range, out of
200-300 miles total. most trips are well under that, so it's not even
remotely a concern.

Say what?

Honda FitEV - 82 miles
KIA SoulEV - 93 miles
Mercedes Benz B-Class Electric Drive - 124 miles
Mitsubishi I-MiEV - 106 miles
Nissan Leaf - 75 miles
Smart electric Drive - 90 miles
Volkswagen e-Up - 99 miles
Chevy Spark EV - 82 miles
BMW i3 - 114 miles

Not everybody can afford a Tesla.

Before I retired my daily commute was between 60 and 70 miles. Very
close for some of these cars without using some of that electricity
for heat. One detour because of an accident on the highway and I am
screwed. And what do you think it will cost to have it flatbeded to
my house? Not to mention the wasted time, inconvenience and danger of
being stranded on the side of the road. especially in -20 temps.

Electric cars are about as ready for reality as autonomous cars.

I just put 450km of highway/city driving on my QX30 before it kindly
asked me whether I would buy it a drink of oil. None of those
affordable electric cars get anywhere near there. Only Tesla does...
and it has a wait time as well as a very high price tag.


My Silverado gets over 500 on a tank except when I'm towing
my camper. Wonder how far a Tesla would pull that? :-)

bill

In article , Bill Gunshannon
wrote:

...and you believe cars will reach a higher standard?

absolutely.

all they need to do is be better than humans, which as i said, is not
that tough.

And yet we have this [many decades old] memory leak security hole.

that would not cause an autonomous vehicle to crash.

Well, we don't know that yet. :-) Maybe it can make the
autonomous car mistake a tractor-trailier for a billboard.

yes we do. meltdown/spectre won't have any effect on the algorithms
used in autonomous vehicles.

nothing is perfect so there will still be collisions, but far fewer
than with human drivers.

human drivers make all sorts of mistakes, some incredibly stupid.

In article , Ron C
wrote:

You going to give the punter a cable at 1kV to shove in their car?

It's dangerous, sure, but ever seen a gasoline fire?

Thousands of people pump their own gas every day. Seldom
a conflagration.

except when there is.

http://www.cnn.com/2013/11/03/justic...as-station-fir
e/index.html
A Georgia man will face criminal charges for accidentally setting
fire to his wife by flicking his lighter near his pickup truck's gas
tank while refueling.

https://www.reddit.com/r/Whatcouldgo.../lighting_a_ci
garette_in_a_gas_station/

plenty of others, including youtube videos.