[Cerowrt-devel] Spectre and EBPF JIT

Development issues regarding the cerowrt test router project
 help / color / mirror / Atom feed

From: "dpreed@deepplum.com" <dpreed@deepplum.com>
To: "Joel Wirāmu Pauling" <joel@aenertia.net>
Cc: "Jonathan Morton" <chromatix99@gmail.com>,
	cerowrt-devel@lists.bufferbloat.net
Subject: [Cerowrt-devel] Spectre and EBPF JIT
Date: Thu, 4 Jan 2018 17:58:48 -0500 (EST)	[thread overview]
Message-ID: <1515106728.430510671@apps.rackspace.com> (raw)
In-Reply-To: <CAKiAkGTZdkg8XG4h_4d+1v5PLKPBvXeUJ_CwGYSmiPKXFSvp5w@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 1908 bytes --]

As I continue to study the Spectre bug, I read the Project Zero post about POC's they developed for Spectre.

[ https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html ]( https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html )

(the Meltdown and Spectre papers, linked from that page are far better at explaining the mechanics of the issue. Read Meltdown first, it's simpler.).

It was very enlightening to see that one exploit used the "in-kernel eBPF JIT interpreter". This one also looks very practical to exploit, and it is "network related" so of some interest here.  The Project Zero post doesn't describe the exploit itself, but reading the Spectre paper gives one context on how Spectre works.

Unlike Meltdown, Spectre really depends on the attacker being able to force certain instruction sequences to get executed in some address space, such that the effect can be observed in another address space where the attacker's observer resides.

What this means is that to read data from the kernel, Spectre needs to force a specific code sequence to be executed, with a branch mispredicted, *in the kernel*.

That's where the eBPF JIT comes into play, apparently. Because the eBPF JIT allows *kernel code* to be constructed from the attackers userspace code. Hmmm... sounds like the user can change the kernel binary code and get it executed!

So this is a relatively practical thing to do, and it gives full access to anything in the kernel address space, from a userspace program.

Now it's easy to disable the JIT feature. Just a packet processing performance hit.

But I bet designing the JIT so it won't generate Spectre-exploitable code would be tricky indeed.

Especially since the Spectre-exploitable code is highly processor architecture specific, unlike Meltdown, which appears to be Intel-only.

[-- Attachment #2: Type: text/html, Size: 3998 bytes --]

next prev parent reply	other threads:[~2018-01-04 22:58 UTC|newest]

Thread overview: 31+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-01-01 23:08 [Cerowrt-devel] KASLR: Do we have to worry about other arches than x86? Dave Taht
     [not found] ` <CAJq5cE23bbiPE0a_9zd1VLnO7=c7bjmwwxVwaD2=to3fg5TOjA@mail.gmail.com>
2018-01-01 23:27   ` Jonathan Morton
2018-01-02 19:06 ` Jonathan Morton
2018-01-04 12:09   ` Jonathan Morton
2018-01-04 13:38     ` Dave Taht
2018-01-04 13:48       ` Jonathan Morton
2018-01-04 13:59         ` Dave Taht
2018-01-04 14:49           ` Jonathan Morton
2018-01-04 14:53             ` Dave Taht
2018-01-04 20:28               ` dpreed
2018-01-04 21:20                 ` Jonathan Morton
2018-01-04 21:40                 ` Dave Taht
2018-01-04 21:51                   ` valdis.kletnieks
2018-01-04 21:44     ` Joel Wirāmu Pauling
2018-01-04 21:47       ` Dave Taht
2018-01-04 21:52         ` Joel Wirāmu Pauling
2018-01-04 21:54           ` Dave Taht
2018-01-04 21:57             ` Joel Wirāmu Pauling
     [not found]           ` <1515103187.670416570@apps.rackspace.com>
2018-01-04 22:02             ` Joel Wirāmu Pauling
     [not found]       ` <1515103048.715224709@apps.rackspace.com>
2018-01-04 22:00         ` Joel Wirāmu Pauling
2018-01-04 22:09           ` dpreed
2018-01-04 22:13             ` Joel Wirāmu Pauling
2018-01-04 22:15             ` Dave Taht
2018-01-04 22:26             ` Jonathan Morton
2018-01-04 22:35               ` Joel Wirāmu Pauling
2018-01-04 22:58                 ` dpreed [this message]
2018-01-05  4:53                   ` [Cerowrt-devel] Spectre and EBPF JIT Dave Taht
2018-01-05 14:07                     ` Jonathan Morton
2018-01-05 15:35                       ` dpreed
2018-01-05 19:18                         ` Jonathan Morton
2018-01-05 20:15                           ` David Lang

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://lists.bufferbloat.net/postorius/lists/cerowrt-devel.lists.bufferbloat.net/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1515106728.430510671@apps.rackspace.com \
    --to=dpreed@deepplum.com \
    --cc=cerowrt-devel@lists.bufferbloat.net \
    --cc=chromatix99@gmail.com \
    --cc=joel@aenertia.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox