OSDev.org

The Place to Start for Operating System Developers
It is currently Thu Mar 28, 2024 4:13 pm

All times are UTC - 6 hours




Post new topic Reply to topic  [ 143 posts ]  Go to page Previous  1 ... 6, 7, 8, 9, 10  Next
Author Message
 Post subject: Re: CPU bug makes virtually all chips vulnerable
PostPosted: Wed Jan 10, 2018 6:16 am 
Offline
Member
Member
User avatar

Joined: Wed Dec 01, 2010 3:41 am
Posts: 1761
Location: Hong Kong
Solar wrote:
Sik wrote:
...I'm surprised we aren't encouraging programmers to optimize their code as much as possible for slower CPUs...


"We" are doing that. "They" aren't, because what's selling is moar features, moar eye candy, moar FPS, semi-transparent windows, inlined videos, ...


Also company more willing to add 50 middlewares to do simple things, in fact it's the "correct way" to use bloatwares in their philosophy.
Think about RN, why you want to run javascript with java glue code which in turn run inside a JVM, on a crappy mobile processor? It's crazy talk back in the old day.


Top
 Profile  
 
 Post subject: Re: CPU bug makes virtually all chips vulnerable
PostPosted: Wed Jan 10, 2018 6:35 am 
Offline
Member
Member
User avatar

Joined: Thu Nov 16, 2006 12:01 pm
Posts: 7612
Location: Germany
Well, to be quite honest, I vividly remember my first x86 laptop, purchased back in 1999, which had just enough CPU ooomph (PIII @ 500MHz) to play back a DVD without stuttering -- if I didn't do anything else.

(I had Amigas before, and while being fine machines in their own right, playing back DVDs was quite outside their range except for the very lastest PowerPC-driven ones.)

We do want HD quality today, going forward to 4k and 3D, and we do want it stutter-free while we're doing something else in another window.

So it's not as if all that CPU power were unnecessary if not for bloatware.

But we're getting sidetracked here. Let's keep this focussed on Meltdown / Spectre and their mitigation.

_________________
Every good solution is obvious once you've found it.


Top
 Profile  
 
 Post subject: Re: CPU bug makes virtually all chips vulnerable
PostPosted: Wed Jan 10, 2018 4:03 pm 
Offline
Member
Member
User avatar

Joined: Tue Mar 06, 2007 11:17 am
Posts: 1225
Probably Meltdown/Spectre are just the beginning of a public attempt to use any measurable hardware effects as a programming language from a simple microcontroller.

If that's the case, probably using paging as a measure to leak data will only be one of the weakest ways to gather any data in a system, probably wouldn't really be the fault of the architecture implementation (beyond doing temporary operations that leave measurable traces before making sure that the operation is allowed as when loading pages before making sure that privilege access will be allowed for operands), and probably there will always be ways to determine valuable things and which will become easier as processors become more advanced.

The only task of interest here is dealing with hardware effects as if they were input/output gates to manipulate, and if electronics prove to be always suitable for observing any desired data and effects through manual analysis from software, then the best choice will definitely be to isolate a machine from code designed for that in one way or another, because there would always be a way to measure things electronically through analyzing code.

Things like this will always be usable if privileged malware is installed.

_________________
Live PC 1: Image Live PC 2: Image

YouTube:
http://youtube.com/@AltComp126/streams
http://youtube.com/@proyectos/streams

http://master.dl.sourceforge.net/projec ... 7z?viasf=1


Top
 Profile  
 
 Post subject: Re: CPU bug makes virtually all chips vulnerable
PostPosted: Wed Jan 10, 2018 5:35 pm 
Offline
Member
Member
User avatar

Joined: Wed Aug 17, 2016 4:55 am
Posts: 251
Solar wrote:
Well, to be quite honest, I vividly remember my first x86 laptop, purchased back in 1999, which had just enough CPU ooomph (PIII @ 500MHz) to play back a DVD without stuttering -- if I didn't do anything else.

(I had Amigas before, and while being fine machines in their own right, playing back DVDs was quite outside their range except for the very lastest PowerPC-driven ones.)

We do want HD quality today, going forward to 4k and 3D, and we do want it stutter-free while we're doing something else in another window.

So it's not as if all that CPU power were unnecessary if not for bloatware.

And GPUs are better equipped for that task nowadays (while in 1999 they were still using fixed pipeline or very primitive shaders). For that kind of heavy tasks it's better to not use the CPU actually.

Solar wrote:
But we're getting sidetracked here. Let's keep this focussed on Meltdown / Spectre and their mitigation.

It's sorta related, seeing as the big issue is that it's a side-effect of speculation and whether we could live without it if really needed.

Reminds me, I'm seeing talks about there being patches to protect against Spectre. I thought it was unfixable? What do those patches do? (besides browser updates to mitigate the javascript proof of concept)


Top
 Profile  
 
 Post subject: Re: CPU bug makes virtually all chips vulnerable
PostPosted: Wed Jan 10, 2018 5:51 pm 
Offline
Member
Member

Joined: Thu May 17, 2007 1:27 pm
Posts: 999
They do what I posted on page 2: Replacing indirect jumps with a sequence that does loops forever (or discards speculative state) when it is reached by speculative execution. Of course, this comes at a performance cost and should only be enabled in programs that are expected to be exposed to many attacks. Here is a discussion of this "retpoline" mitigation: Click me!. Similar techniques exist to mitigate the bounds-check exploit.

_________________
managarm: Microkernel-based OS capable of running a Wayland desktop (Discord: https://discord.gg/7WB6Ur3). My OS-dev projects: [mlibc: Portable C library for managarm, qword, Linux, Sigma, ...] [LAI: AML interpreter] [xbstrap: Build system for OS distributions].


Top
 Profile  
 
 Post subject: Re: CPU bug makes virtually all chips vulnerable
PostPosted: Wed Jan 10, 2018 8:25 pm 
Offline
Member
Member
User avatar

Joined: Wed Dec 01, 2010 3:41 am
Posts: 1761
Location: Hong Kong
nvidia has release a patch on drivers w.r.t meltdown and spectre: https://nvidia.custhelp.com/app/answers ... /a_id/4611

Seems the issue not only affect OS, but drivers as well, anyone knows the detail?


Top
 Profile  
 
 Post subject: Re: CPU bug makes virtually all chips vulnerable
PostPosted: Thu Jan 11, 2018 12:30 pm 
Offline
Member
Member

Joined: Mon Mar 25, 2013 7:01 pm
Posts: 5100
bluemoon wrote:
Seems the issue not only affect OS, but drivers as well, anyone knows the detail?

Spectre affects almost all software, including drivers. KPTI (and the equivalent methods employed by Windows and other OSes) only defends against Meltdown.


Top
 Profile  
 
 Post subject: Re: CPU bug makes virtually all chips vulnerable
PostPosted: Thu Jan 11, 2018 7:16 pm 
Offline
Member
Member
User avatar

Joined: Wed Jul 13, 2011 7:38 pm
Posts: 558
Nvidia's graphics cards have a couple non-CUDA microprocessors on them for various side tasks. They probably needed patching.


Top
 Profile  
 
 Post subject: Re: CPU bug makes virtually all chips vulnerable
PostPosted: Fri Jan 12, 2018 12:05 am 
Offline
Member
Member
User avatar

Joined: Wed Dec 01, 2010 3:41 am
Posts: 1761
Location: Hong Kong
Octocontrabass wrote:
bluemoon wrote:
Seems the issue not only affect OS, but drivers as well, anyone knows the detail?

Spectre affects almost all software, including drivers. KPTI (and the equivalent methods employed by Windows and other OSes) only defends against Meltdown.


In reality, spectre only affect software that does its own code isolation (e.g. chrome isolating js, or isolation between modules which don't have the "data pointer"). For a single program it can access to all its memory anyway.

That make me wonder, what have been isolated by GPU driver? Or are they just recompile with updated toolchain just to be safe?


Top
 Profile  
 
 Post subject: Re: CPU bug makes virtually all chips vulnerable
PostPosted: Fri Jan 12, 2018 12:19 am 
Offline
Member
Member

Joined: Thu Jul 05, 2007 8:58 am
Posts: 223
bluemoon wrote:
Octocontrabass wrote:
bluemoon wrote:
Seems the issue not only affect OS, but drivers as well, anyone knows the detail?

Spectre affects almost all software, including drivers. KPTI (and the equivalent methods employed by Windows and other OSes) only defends against Meltdown.


In reality, spectre only affect software that does its own code isolation (e.g. chrome isolating js, or isolation between modules which don't have the "data pointer"). For a single program it can access to all its memory anyway.

That make me wonder, what have been isolated by GPU driver? Or are they just recompile with updated toolchain just to be safe?


That is not exactly true. If software can be manipulated into executing the needed instructions (which is definitely a risk for any software that takes input, particularly those that take external input), it is possible to use external software to do the cache timing measurements.

This means that any software that takes some form of external input is vulnerable, which is problematic for things like windowing servers and kernels (including their drivers if they take input directly enough, hence the GPU driver updates), which have access to sensitive information.

From what I understand, google has suggested and implemented some tricks into compilers that makes the resulting output code less likely to contain instruction sequences that can be exploited for a spectre attack, but I am unsure of how it works exactly.


Top
 Profile  
 
 Post subject: Re: CPU bug makes virtually all chips vulnerable
PostPosted: Tue Jan 16, 2018 7:15 pm 
Offline

Joined: Wed Jan 03, 2018 4:51 pm
Posts: 2
One thing I'm trying to wrap my head around is how a userspace program can even attempt to make an access to a kernel space address. All a userspace program can do is access a VA (except through syscall I guess). Does it rely on the VA translating into kernel space PA before the mismatch in address space (user VA hits a TLB entry that has a valid kernel space VA->PA translation)?

How does the userspace program attempt to access a specific PA space address?


Top
 Profile  
 
 Post subject: Re: CPU bug makes virtually all chips vulnerable
PostPosted: Tue Jan 16, 2018 7:26 pm 
Offline
Member
Member
User avatar

Joined: Wed Aug 17, 2016 4:55 am
Posts: 251
Yeah, the kernel's virtual addresses are still mapped. They can't be properly accessed (they're limited to ring=0, and hence will throw an error if userspace code tries to normally access it), but the issue is that the CPU knows how to map them to physical addresses and on Intel CPUs the speculated code can load them, presumably on the assumption that if the access should have been forbidden then it wouldn't matter as the speculated results would just be tossed away. Except it affected the cache state, which affects its timing, which is what Meltdown is probing to leak the data. The patches against Meltdown change the page tables so the kernel is not mapped in even that way (at the expense of wasting more cycles).

AMD CPUs don't attempt to speculate across privilege boundaries so they're safe from that (but still vulnerable to Spectre which doesn't need a privilege violation). Other CPUs may or may not do it.


Top
 Profile  
 
 Post subject: Re: CPU bug makes virtually all chips vulnerable
PostPosted: Wed Jan 17, 2018 12:07 pm 
Offline

Joined: Wed Jan 03, 2018 4:51 pm
Posts: 2
Thanks, that makes more sense. Any idea what the patches for Spectre do? I can’t imagine they flush all the cache on return to EL0...


Top
 Profile  
 
 Post subject: Re: CPU bug makes virtually all chips vulnerable
PostPosted: Wed Jan 17, 2018 12:23 pm 
Offline
Member
Member

Joined: Thu Jul 05, 2007 8:58 am
Posts: 223
The only one I am aware of is googles retpoline construction. This is designed to effectively inhibit branch prediction on specific jumps, details can be found here: https://support.google.com/faqs/answer/7625886.


Top
 Profile  
 
 Post subject: Re: CPU bug makes virtually all chips vulnerable
PostPosted: Sat Jan 27, 2018 1:34 pm 
Offline

Joined: Sat Jan 27, 2018 1:23 pm
Posts: 4
As far as I know 'jmp reg' is always treated as unpredicted (but maybe I am wrong, but it definately WAS in the past).
Is it possible to replace all indirect jumps with this to mitigate the issue Korona describes:
Code:
lea   rax, [@f]
lea   rcx, [target]
cmp   value1, value2
cmova rax, rcx
jmp   rax
@@:

?


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 143 posts ]  Go to page Previous  1 ... 6, 7, 8, 9, 10  Next

All times are UTC - 6 hours


Who is online

Users browsing this forum: No registered users and 22 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group