[Cerowrt-devel] KASLR: Do we have to worry about other arches than x86?

dpreed at deepplum.com dpreed at deepplum.com
Thu Jan 4 15:28:55 EST 2018

Meltdown is very easy to exploit, and doesn't need heavy CPU usage (well, the obvious exploit is dumping all of kernel data space, which might be somewhat slower than a memcpy() of that data. :-)
Essentially, you run a loop that uses speculative memory tests to load a unique userspace cache line for each bit of kernel memory, and after loading some cache lines, you check to see if those userspace locations are in the cache. If you stick lo L1 cache, you can do this concurrently on multiple cores. But you don't need multiple cores, one will do.
That assumes that you are running a program that wants to read your kernel data looking for passwords in the clear, etc.
Sceptre may require heavy CPU usage, but Meltdown doesn't.
Depending on how you set up your "home router", you might allow "infected" or "trojan" programs to run in userspace there. I wouldn't do that, because hardware is cheap. But some people like to throw all kinds of server code into their router setups - even stuff like node.js servers.
The really core issue with Meltdown at the highest level is that the kernel is addressable from userspace, except for the "privilege level" in the page table entries. That's a couple of bits between userspace and data that userspace isn't supposed to ever see. And those bits are ignored during specutlative execution's memory accesses.
-----Original Message-----
From: "Dave Taht" <dave.taht at gmail.com>
Sent: Thursday, January 4, 2018 9:53am
To: "Jonathan Morton" <chromatix99 at gmail.com>
Cc: cerowrt-devel at lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] KASLR: Do we have to worry about other arches than x86?

On Thu, Jan 4, 2018 at 6:49 AM, Jonathan Morton <chromatix99 at gmail.com> wrote:
>> On 4 Jan, 2018, at 3:59 pm, Dave Taht <dave.taht at gmail.com> wrote:
>> Alan cox has been doing a good job of finding the good stuff. Power
>> and the IBM z-series are also affected.
> Conversely, the ARM-1176, Cortex-A7 and Cortex-A53 cores used by various iterations of the Raspberry Pi are not affected. These are all in-order execution CPUs with short pipelines, and I think they're representative of what you'd want in CPE.

Well, I'd hope that this string of bugs stalls deployment of more
advanced arches in this space until the speculative execution bugs are
fully resolved.

(and I *vastly* prefer short pipelines)

> - Jonathan Morton


Dave Täht
CEO, TekLibre, LLC
Tel: 1-669-226-2619
Cerowrt-devel mailing list
Cerowrt-devel at lists.bufferbloat.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.bufferbloat.net/pipermail/cerowrt-devel/attachments/20180104/624aeacc/attachment-0001.html>

More information about the Cerowrt-devel mailing list