Meltdown, Spectre: The password theft bugs at the heart of Intel CPUs

Martin Howe

Re: How does knowing where imply knowing what?

Thanks - that took me a couple of re-reads but it helps a lot.

To save anyone else the re-reads, the key is the number 256 (the number of values a byte can hold), plus the fact that the memory accessed in the second step need not be protected memory.

1) Access kernel memory to put value in register.

2) The speculative execution subsystem tries to execute as if (1) was OK. It will then speculatively execute "memory access at address **in non-privileged memory areas that we have legitimate access to**, of which the register forms part of the resolved address (as an index/scale/whatever to a base address)", which causes **one of 256** pages to be pulled into cache. It doesn't matter what data values are in these pages, nor which pages, as long as the pages are accessible to us and there are *exactly* 256 possible pages that could be accessed. It is the fact that the data values are now in cache that matters. They could be the number of fleas on your cat, the number of bugs in the Pentium FPU, doesn't matter.

3) (1) faults due to privilege level. (2) is "thrown away" as the fault prevents the CPU getting to it "in the real world", **but the cache lines involved are not flushed**.

4) By using timing analysis to find out *which* page was cached, that's also the number in the register and that number was loaded from kernel memory and used in an index register of sorts **before (2) was thrown away**. Thus, you now know which number is in the address in kernel memory.

At least, that's how I read it in simple terms. Ouch!!
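The practical question for anyone reading the walkthrough above is whether their own kernel reports these bugs as mitigated. This added script (not from the post or The Register; written for this page) reads the per-bug status files that Linux exports under /sys/devices/system/cpu/vulnerabilities since 4.15 and classifies each one, with a directory argument so it can be pointed at a constructed copy for testing:

```shell
#!/bin/sh
# Classify one status line from /sys/devices/system/cpu/vulnerabilities/<bug>.
# The kernel writes strings such as "Mitigation: PTI", "Vulnerable" or
# "Not affected"; anything else is reported as unknown rather than guessed at.
classify_status() {
  case "$1" in
    "Not affected"*) echo "not-affected" ;;
    "Mitigation:"*)  echo "mitigated" ;;
    "Vulnerable"*)   echo "vulnerable" ;;
    *)               echo "unknown" ;;
  esac
}

# Walk every status file in the directory (default: the real sysfs path) and
# print one line per bug. Returns 1 if any bug is still reported Vulnerable,
# 2 if the kernel exposes no reports at all (pre-4.15), 0 otherwise.
report_vulns() {
  dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
  [ -d "$dir" ] || { echo "no sysfs vulnerability reports at $dir"; return 2; }
  rc=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    name=$(basename "$f")
    status=$(cat "$f")
    cls=$(classify_status "$status")
    printf '%-24s %-12s %s\n' "$name" "$cls" "$status"
    [ "$cls" = "vulnerable" ] && rc=1
  done
  return $rc
}
```

Run it with no argument on the host in question; a non-zero exit is the signal to look at the kernel version and the PTI / retpoline state before anything else.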