These are chat archives for arenanet/api-cdi

23rd
Jan 2018
smiley
@codemasher
Jan 23 2018 18:13

On Sun, 2018-01-21 at 11:34 -0800, Linus Torvalds wrote:
All of this is pure garbage.

Is Intel really planning on making this shit architectural? Has
anybody talked to them and told them they are f*cking insane?

Please, any Intel engineers here - talk to your managers.

ooh link to torvalds?
thanks
smiley
@codemasher
Jan 23 2018 18:14
yw <3
I love reading his mail
smiley
@codemasher
Jan 23 2018 18:14
just read about it on heise.de :D
Eearslya Sleiarion
@Eearslya
Jan 23 2018 19:06
What is this even about?
windwarrior
@windwarrior
Jan 23 2018 19:08
One of the later mails in the thread is a better tl;dr of what is wrong
Eearslya Sleiarion
@Eearslya
Jan 23 2018 19:09
Linus sure is passionate about it, damn
windwarrior
@windwarrior
Jan 23 2018 19:09
Yeah that one
Kernel people seem to talk a different cs dialect sometimes
Eearslya Sleiarion
@Eearslya
Jan 23 2018 19:15
I honestly can't really follow this XD
windwarrior
@windwarrior
Jan 23 2018 19:16
The mail @lye linked makes it somewhat more understandable
Eearslya Sleiarion
@Eearslya
Jan 23 2018 19:17
Yeah, even that is a bit above me. I've done assembly before, but never looked deep into things like microcode, or CPU security features...
I still barely understand how "rings" work
the only CPU I've ever looked at in this much detail is the 6502, and there certainly wasn't any microcode in that one
It's a bit over my head too, but it sounds like it's an awful mess.
Eearslya Sleiarion
@Eearslya
Jan 23 2018 19:18
I mean, it is; a security feature we've been depending on for decades is suddenly unusable
(and the new features intel is pushing don't do anything to help the mess)
these are microcode updates though, so maybe future hardware revisions will "fix" it
Eearslya Sleiarion
@Eearslya
Jan 23 2018 19:19
to be fair, there's really very little that software or even microcode updates can do to fix it
aka remove cross-ring branch speculation
I mean
windwarrior
@windwarrior
Jan 23 2018 19:19
Side channel attacks are nasty
Eearslya Sleiarion
@Eearslya
Jan 23 2018 19:19
okay, rephrase: there's very little that microcode can fix WITHOUT introducing penalties
I don't know enough about how the microcode works
Eearslya Sleiarion
@Eearslya
Jan 23 2018 19:20
as much as I know about microcode, it's basically an instruction set for the instruction set
like the decoder in the 6502, but dynamic
sure
windwarrior
@windwarrior
Jan 23 2018 19:21
Well that makes sense right, branch prediction is leaking information across rings, the only way to fix that is disallowing branch prediction and therefore making perf worse
but like, it seems to me that SYSRET/SYSEXIT instructions should (in addition to all the other stuff they do) flush the branch prediction state
(and probably also SYSCALL/SYSENTER)
Eearslya Sleiarion
@Eearslya
Jan 23 2018 19:22
Isn't that part of what they suggested?
I don't think so? Which bit am I missing
I guess IBRS
Eearslya Sleiarion
@Eearslya
Jan 23 2018 19:23
I don't even know what these acronyms are
IBRS = indirect branch restricted speculation
Eearslya Sleiarion
@Eearslya
Jan 23 2018 19:24
I don't even know what these acronyms mean
XD
It's designed to be set when you enter a more privileged execution mode (i.e. the kernel). It prevents branch targets learned in a less-privileged execution mode, BEFORE IT WAS MOST RECENTLY SET, from taking effect.
windwarrior
@windwarrior
Jan 23 2018 19:24
I don’t understand how it’s indirect
But also kinda over my head like the rest of us
an indirect branch is basically a virtual function pointer call
Eearslya Sleiarion
@Eearslya
Jan 23 2018 19:25
I'm still trying to get my head around prediction to begin with
e.g. invoking a virtual method in C++ or function pointer in C
Eearslya Sleiarion
@Eearslya
Jan 23 2018 19:26
So...like doing CALL on an indirect reference?
I remember some terminology from 6502 assembler..
like call/jmp to a register-stored value
windwarrior
@windwarrior
Jan 23 2018 19:27
Ahh
e.g.
void callFunction(void(*function)(void)) {
    function(); // this is an indirect branch
}
windwarrior
@windwarrior
Jan 23 2018 19:27
That’s the tricky bit, the address is not static
Eearslya Sleiarion
@Eearslya
Jan 23 2018 19:28
Okaaaay..so now I'm wondering exactly how one abuses such a thing to jump the processor to malicious code
you can use it to leak KASLR offsets and such
the gist of it is the indirected pointer values are supposed to be secret (that's what the point of KASLR is), so a userspace process can seed the branch predictor to create a timing attack
windwarrior
@windwarrior
Jan 23 2018 19:30
it’s also not direct code execution right, it’s a side channel attack no?
so you can probe the kernel address space
windwarrior
@windwarrior
Jan 23 2018 19:30
Yeah
Eearslya Sleiarion
@Eearslya
Jan 23 2018 19:31
I think meltdown was direct code execution though
hmm wikipedia says meltdown was read-only
(but with read access to the kernel pretty sure that can be escalated)
smiley
@codemasher
Jan 23 2018 19:32
wasn't that the one that allowed to dump a system's memory?
yeah
smiley
@codemasher
Jan 23 2018 19:33
i'm somehow glad that this was the easier one to fix...
the whole situation is a giant mess
smiley
@codemasher
Jan 23 2018 19:35
indeed
Eearslya Sleiarion
@Eearslya
Jan 23 2018 19:35
so uh...anyone got any things I can read to learn more about the technical aspect of microcode and stuff? google just brings up "oh the computer just adds numbers really fast, that's all!" articles
smiley
@codemasher
Jan 23 2018 19:35
i recommended an abacus to my boss when he asked me how i would deal with that
@Eearslya I wish I had some references.
tbh I just make up stuff that sounds about right most of the time.
smiley
@codemasher
Jan 23 2018 19:36
:D
(the trick is to be v good at that, lye)
Enno G.
@SchoolGuy
Jan 23 2018 19:36
I feel like a twelve year old who is taught molecular science :worried: and I am beginning to study it.... So wouldn't be a
Solution to buy AMD?
:smile:
windwarrior
@windwarrior
Jan 23 2018 19:37
I have a book somewhere probably
Eearslya Sleiarion
@Eearslya
Jan 23 2018 19:37
iirc AMD was proven to be at least somewhat vulnerable as well
we'll see in a couple years how they work around it
windwarrior
@windwarrior
Jan 23 2018 19:37
But it’s about SPARC
Not x86
Enno G.
@SchoolGuy
Jan 23 2018 19:37
Wait, when, where? I am trying to follow this topic somehow...
AMD is vulnerable to spectre, but not meltdown. There's two separate exploits.
Meltdown is the really bad one.
Enno G.
@SchoolGuy
Jan 23 2018 19:39
That was my information status also yeah... So basically what can we do now? Nothing? I mean it's a big security hole....
There's wikipedia articles for both: Meltdown Spectre
windwarrior
@windwarrior
Jan 23 2018 19:40
Wait for the kernel people to have made patches, Linux has them for meltdown at least
pretty much keep your software up-to-date
Enno G.
@SchoolGuy
Jan 23 2018 19:41
Well so basically patch bugs to prevent bugs, great...
(the mouseover is so relatable... xD)
also, i feel this deserves an extra frame