[Cryptography] Spectre again (was Re: RISC-V branch predicting)

Jerry Leichter leichter at lrw.com
Mon Feb 12 15:10:37 EST 2018


> Except Spectre also crosses hardware privilege domains: The other
> proof-of-concept was reading kernel memory from unprivileged user
> code. True, they had to "cheat" by using eBPF... But someone with more
> resources than a few motivated grad students could probably do
> interesting things without cheating.
That's not "cheating".  eBPF is *exactly* a mechanism to execute user-written code *in kernel mode*.

The original "BPF" was restricted enough that there are no (known! - or perhaps I should say "published") attacks based on it.  As always seems to be the case, since BPF was a "success" and "didn't cause any security problems", it got extended to eBPF - which granted enough power that it opened the door to Spectre.

This is not Spectre crossing hardware privilege domains.  I haven't seen any examples of such attacks, though they may well exist.  However, if they are found they can be mitigated much more cheaply than same-mode Spectre attacks, because the number of mode-crossings is way smaller than the number of instructions executed within a given mode.
                                                        -- Jerry
