Comments (8)
I have a full exploit: https://www.youtube.com/watch?v=De4rBaAdKNA
It works very well on 7th and 6th generation of Intel CPUs.
from meltdown-exploit.
It is just about racing with an access to the memory. While on some older archs it takes the data to be in the L1 cache to win it, modern archs can be tricked into reading memory from uncached memory, even if the application actively tries to keep the data outside the cache (executes clflush in a loop).
Most likely there are tricks that can speculatively load data into the L1 cache of a given CPU, e.g. via some syscall. My exploit was intended as a reliable test (and has since been merged into the Linux Test Project), so I decided to go for data that is guaranteed to be in the kernel and can be read easily. Thus I read linux_proc_banner.
For a detailed explanation of the premises please take a look here: https://github.com/IAIK/meltdown/issues/9
@paboldin
1. Can you explain in detail who races with whom?
2. If the meltdown PoC can read any memory (cached, uncached), it must first succeed in fetching the memory from RAM (especially if uncached) to the CPU cache. However, the privilege bit verification in the page tables (if this bit works well in all memory loads, from L1, L2, L3, RAM) would cause the protection exception and forbid the CPU from doing this, so how can this be exploited successfully? Does the CPU verify the memory access privilege and fetch the data into the cache at the same time, where a racing problem may occur?
3. If meltdown can indeed read any memory area, does it mean that the instructions in the out-of-order execution unit can do things without privilege verification before retirement? If so, when does the CPU handle these exception events afterwards, and where does the CPU store this exception information?
Memory access races with the privilege check. The privilege check is rather slow as it requires traversing the page table (tree). So it is postponed until the access is done in Intel's CPUs (AMD claims to have no such vulnerability at all, and it looks to be true). By the time the privilege check is done, speculative execution has already read the data and accessed the target array at the calculated offset. The thing is, L1 is virtually indexed, so no page table traversal is required to access the data here, and it is executed in parallel with the privilege check.
I have no theory on how it works for non-cached data. Probably there is another speculative cache hit in play there.
Also, please refer to the original paper for details: https://meltdownattack.com/meltdown.pdf
The privilege bit and the virtual-to-physical address mappings are in the same page table. Resolving a virtual address and checking its privilege can be done simultaneously. It doesn't make sense to say the privilege check is slow because of traversing the page table tree.
Yes. But once again: the L1 cache is Virtually Indexed, Physically Tagged, meaning there is no need to resolve the virtual address when accessing memory that is in the L1 cache.
@paboldin The CPU translates a virtual address through the MMU, which resolves where the virtual memory is in the physical memory space (cache, main memory, etc.) and checks the privilege. I suppose that these two actions should always be carried out simultaneously. So, as you said, in the scenario of an L1 cache fetch, only the data value is cached in L1 while the privilege information is not cached? If not cached, then it makes sense that a racing situation can happen. If cached, there should be another, deeper reason for meltdown.
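The exchange above turns on what "virtually indexed, physically tagged" buys the hardware: the set-selection bits of the L1 lookup sit entirely inside the page offset, so the cache can pick a set before translation (and the permission check that travels with it) has finished, while the tag compare still needs the physical address. The following is an added illustration, not code from the thread or from the meltdown-exploit project. The cache geometry (32 KiB, 8-way, 64-byte lines, 4 KiB pages) is an assumed typical Intel Core L1D, the page-table walk is replaced by a toy translation, and the addresses are constructed.

```python
# Added example (not from the issue thread or the meltdown-exploit project):
# shows why a VIPT L1 lookup can select its set without address translation.
# Assumed geometry: a typical Intel Core L1D, 32 KiB, 8-way, 64-byte lines,
# with 4 KiB pages. Change the constants to explore other caches.

PAGE_SHIFT = 12        # 4 KiB pages: bits 0..11 are the page offset
LINE_BYTES = 64
L1_SIZE = 32 * 1024
L1_WAYS = 8


def l1_geometry(size=L1_SIZE, ways=L1_WAYS, line=LINE_BYTES):
    """Return (num_sets, index_bits) for a set-associative cache."""
    num_sets = size // (ways * line)
    index_bits = num_sets.bit_length() - 1      # num_sets is a power of two
    return num_sets, index_bits


def set_index(addr, size=L1_SIZE, ways=L1_WAYS, line=LINE_BYTES):
    """Cache set selected by an address: the bits just above the line offset."""
    num_sets, _ = l1_geometry(size, ways, line)
    line_shift = line.bit_length() - 1
    return (addr >> line_shift) & (num_sets - 1)


def index_fits_in_page_offset(size=L1_SIZE, ways=L1_WAYS, line=LINE_BYTES,
                              page_shift=PAGE_SHIFT):
    """True when every index bit lies inside the page offset.

    Those bits are identical in the virtual and physical address, so the
    virtual address alone selects the correct set and no page-table walk
    (nor the permission check carried by it) is needed for that step."""
    _, index_bits = l1_geometry(size, ways, line)
    line_shift = line.bit_length() - 1
    return line_shift + index_bits <= page_shift


def translate(vaddr, page_frame, page_shift=PAGE_SHIFT):
    """Toy stand-in for a page-table walk (constructed, not a real MMU):
    keep the page offset and substitute the given physical frame number."""
    offset = vaddr & ((1 << page_shift) - 1)
    return (page_frame << page_shift) | offset


def physical_tag(paddr, size=L1_SIZE, ways=L1_WAYS, line=LINE_BYTES):
    """The tag compared after translation: physical address above the index bits.
    This is the part of the lookup that genuinely depends on the page walk."""
    _, index_bits = l1_geometry(size, ways, line)
    line_shift = line.bit_length() - 1
    return paddr >> (line_shift + index_bits)


def demo():
    """Walk one constructed address through the set/tag split and return the pieces."""
    vaddr = 0xFFFFFFFF81C00123          # constructed kernel-style virtual address
    paddr = translate(vaddr, page_frame=0x1C00)   # constructed physical frame
    return {
        "sets_and_index_bits": l1_geometry(),
        "virtual_set": set_index(vaddr),
        "physical_set": set_index(paddr),
        "index_needs_no_translation": index_fits_in_page_offset(),
        "physical_tag": physical_tag(paddr),
        # A larger cache with the same associativity pushes an index bit past
        # the page offset: virtual and physical set can then differ (aliasing),
        # so such a design cannot index purely virtually.
        "64KiB_8way_fits": index_fits_in_page_offset(size=64 * 1024),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the thread is circling is visible in `demo()`: the virtual and physical addresses land in the same set, so the data lookup can proceed from the virtual address alone, while the physical tag (and any permission decision tied to the page walk) arrives later. The assumed 32 KiB/8-way/64-byte geometry is exactly the largest that keeps the index within a 4 KiB page offset; the 64 KiB variant shows the constraint being violated.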