[Cryptography] Spectre again (was Re: RISC-V branch predicting)
Jerry Leichter
leichter at lrw.com
Mon Feb 12 15:10:37 EST 2018
> Except Spectre also crosses hardware privilege domains: The other
> proof-of-concept was reading kernel memory from unprivileged user
> code. True, they had to "cheat" by using eBPF... But someone with more
> resources than a few motivated grad students could probably do
> interesting things without cheating.
That's not "cheating". eBPF is *exactly* a mechanism to execute user-written code *in kernel mode*.
The original "BPF" was restricted enough that there are no (known! - or perhaps I should say "published") attacks based on it. As always seems to be the case, since BPF was a "success" and "didn't cause any security problems", it got extended to eBPF - which granted enough power that it opened the door to Spectre.
This is not Spectre crossing hardware privilege domains. I haven't seen any examples of such attacks, though they may well exist. However, if they are found they can be mitigated much more cheaply than same-mode Spectre attacks, because the number of mode-crossings is way smaller than the number of instructions executed within a given mode.
-- Jerry