Inception hardware bug exploit

<2023Aug9.181616@mips.complang.tuwien.ac.at>

From: anton@mips.complang.tuwien.ac.at (Anton Ertl)
Newsgroups: comp.arch
Subject: Inception hardware bug exploit
Date: Wed, 09 Aug 2023 16:16:16 GMT
Organization: Institut fuer Computersprachen, Technische Universitaet Wien
Message-ID: <2023Aug9.181616@mips.complang.tuwien.ac.at>
 by: Anton Ertl - Wed, 9 Aug 2023 16:16 UTC

https://comsec.ethz.ch/wp-content/files/inception_sec23.pdf

This one affects AMD Zen-Zen4 CPUs (the authors also mention that some
subproblem also affects Intel, but they have not worked out (yet?) how
that can be exploited). Apparently you can train the branch predictor
to predict a branch where there is none. And they use that for
constructing some versatile exploits in conjunction with speculative
execution. I have to read the paper thoroughly to properly understand
it.

- anton
--
'Anyone trying for "industrial quality" ISA should avoid undefined behavior.'
Mitch Alsup, <c17fcd89-f024-40e7-a594-88a85ac10d20o@googlegroups.com>

Re: Inception hardware bug exploit

<3e7bc3f5-b9ba-4b20-bef9-c534ca635813n@googlegroups.com>

 by: Peter Lund - Fri, 11 Aug 2023 16:26 UTC

On Wednesday, August 9, 2023 at 6:24:11 PM UTC+2, Anton Ertl wrote:
> that can be exploited). Apparently you can train the branch predictor
> to predict a branch where there is none. And they use that for

It's just a fairly obvious aliasing in the branch predictor tables -- many addresses alias to the same entry.

Obviously, one can use that to predict branches where there isn't one... the surprise is really that nobody (publicly) did that years ago.

-Peter

Re: Inception hardware bug exploit

<ub5un9$ul0p$2@dont-email.me>

 by: Terje Mathisen - Fri, 11 Aug 2023 18:30 UTC

Peter Lund wrote:
> On Wednesday, August 9, 2023 at 6:24:11 PM UTC+2, Anton Ertl wrote:
>> that can be exploited). Apparently you can train the branch predictor
>> to predict a branch where there is none. And they use that for
>
> It's just a fairly obvious aliasing in the branch predictor tables -- many addresses alias to the same entry.
>
> Obviously, one can use that to predict branches where there isn't one... the surprise is really that nobody (publicly) did that years ago.

No, the surprise is that a CPU could even care about the branch
predictor without actually facing a branch instruction.

(I'm assuming this is what happens?)

Terje

--
- <Terje.Mathisen at tmsw.no>
"almost all programming can be viewed as an exercise in caching"

Re: Inception hardware bug exploit

<0fvBM.107836$X02a.101062@fx46.iad>

 by: Scott Lurndal - Fri, 11 Aug 2023 18:38 UTC

Terje Mathisen <terje.mathisen@tmsw.no> writes:
>Peter Lund wrote:
>> On Wednesday, August 9, 2023 at 6:24:11 PM UTC+2, Anton Ertl wrote:
>>> that can be exploited). Apparently you can train the branch predictor
>>> to predict a branch where there is none. And they use that for
>>
>> It's just a fairly obvious aliasing in the branch predictor tables -- many addresses alias to the same entry.
>>
>> Obviously, one can use that to predict branches where there isn't one... the surprise is really that nobody (publicly) did that years ago.
>
>No, the surprise is that a CPU could even care about the branch
>predictor without actually facing a branch instruction.
>
>(I'm assuming this is what happens?)

Perhaps Anton meant that a branch predictor can be
trained[*] to mispredict a conditional branch, causing
microarchitectural state to change as the core
speculatively executes instructions down the wrong
path (which can allow exploitation of microarchitectural
flaws).

[*] By an attacker.

Re: Inception hardware bug exploit

<ub5vt8$ur59$1@dont-email.me>

 by: Terje Mathisen - Fri, 11 Aug 2023 18:50 UTC

Scott Lurndal wrote:
> Terje Mathisen <terje.mathisen@tmsw.no> writes:
>> Peter Lund wrote:
>>> On Wednesday, August 9, 2023 at 6:24:11 PM UTC+2, Anton Ertl wrote:
>>>> that can be exploited). Apparently you can train the branch predictor
>>>> to predict a branch where there is none. And they use that for
>>>
>>> It's just a fairly obvious aliasing in the branch predictor tables -- many addresses alias to the same entry.
>>>
>>> Obviously, one can use that to predict branches where there isn't one... the surprise is really that nobody (publicly) did that years ago.
>>
>> No, the surprise is that a CPU could even care about the branch
>> predictor without actually facing a branch instruction.
>>
>> (I'm assuming this is what happens?)
>
> Perhaps Anton meant that a branch predictor can be
> trained[*] to mispredict a conditional branch, causing
> microarchitectural state to change as the core
> speculatively executes instructions down the wrong
> path (which can allow exploitation of microarchitectural
> flaws).
>
> [*] By an attacker.

That part has been possible since "forever", and is afaik a key part of
Spectre style attacks. You cannot train on the actual branch inside
OS/secure code, but you can train a bunch of other branches with aliased
addresses?

Terje

--
- <Terje.Mathisen at tmsw.no>
"almost all programming can be viewed as an exercise in caching"

Re: Inception hardware bug exploit

<2023Aug12.082608@mips.complang.tuwien.ac.at>

 by: Anton Ertl - Sat, 12 Aug 2023 06:26 UTC

Terje Mathisen <terje.mathisen@tmsw.no> writes:
>No, the surprise is that a CPU could even care about the branch
>predictor without actually facing a branch instruction.

With CPUs having to predict 2-3 branches per cycle and following one
predicted-taken branch per cycle, while the instruction fetch takes
maybe 4 cycles (if the I-cache and uOp-cache latencies are similar to
similar-sized D-caches), they cannot wait until the instruction fetch
is complete and the possible branch is decoded before acting on the
prediction. I see two ways around this problem:

1) Have a tag in the next-line predictor and don't follow the
predictor if the tag does not match. But what should the CPU do then?

2) Cancel the prediction and everything dependent on it as soon as the
instruction is decoded and turns out not to be a branch. This should
be early enough that the speculative execution has not changed any
microarchitectural state.

Approach 1) appears more practical. If Intel manages to only predict
branches, maybe they have taken it.

- anton
--
'Anyone trying for "industrial quality" ISA should avoid undefined behavior.'
Mitch Alsup, <c17fcd89-f024-40e7-a594-88a85ac10d20o@googlegroups.com>
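
As an added illustration, not part of any post in this thread: a toy C model of the table aliasing Peter Lund describes and of approach 1 (tag check) from Anton Ertl's message above. The table size, the low-bits index function, the sequential fall-through on a tag mismatch and the sample addresses are assumptions and do not describe any real AMD or Intel predictor.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy branch target buffer (BTB). Size, index function and fall-through
   distance are assumptions for illustration, not a real predictor. */
#define BTB_ENTRIES 1024u
#define FETCH_BLOCK 16u

struct btb_entry { bool valid; uint64_t tag; uint64_t target; };
static struct btb_entry btb[BTB_ENTRIES];

/* Only the low address bits select an entry, so many addresses alias. */
static unsigned btb_index(uint64_t pc) { return (unsigned)(pc & (BTB_ENTRIES - 1u)); }

/* Record a taken branch at pc once it has executed. */
void btb_train(uint64_t pc, uint64_t target) {
    struct btb_entry *e = &btb[btb_index(pc)];
    e->valid = true;
    e->tag = pc;
    e->target = target;
}

/* Fetch-time lookup, done before the bytes at pc are decoded.
   check_tag == false: follow whatever entry the index selects.
   check_tag == true:  approach 1, ignore the entry unless the full tag matches,
                       then fetch sequentially (an assumed answer to the open
                       question of what the CPU should do instead). */
uint64_t btb_predict(uint64_t pc, bool check_tag, bool *predicted_branch) {
    const struct btb_entry *e = &btb[btb_index(pc)];
    bool hit = e->valid && (!check_tag || e->tag == pc);
    *predicted_branch = hit;
    return hit ? e->target : pc + FETCH_BLOCK;
}

int main(void) {
    const uint64_t branch_pc = 0x401234, target = 0x500000;  /* constructed */
    const uint64_t plain_pc = 0x7f0000001634ULL; /* no branch here; same index */
    bool pb;
    btb_train(branch_pc, target);
    uint64_t next = btb_predict(plain_pc, false, &pb);
    printf("untagged: branch=%d next=%#llx\n", pb, (unsigned long long)next);
    next = btb_predict(plain_pc, true, &pb);
    printf("tagged:   branch=%d next=%#llx\n", pb, (unsigned long long)next);
    return 0;
}
```

Without the tag check, the lookup at the non-branch address returns the trained target; with it, the entry is ignored and fetch continues sequentially.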

Re: Inception hardware bug exploit

<55eb07e4-c682-4fcf-8a6a-8539663cd05dn@googlegroups.com>

 by: Peter Lund - Sat, 12 Aug 2023 09:43 UTC

On Friday, August 11, 2023 at 8:30:05 PM UTC+2, Terje Mathisen wrote:
> Peter Lund wrote:
> > On Wednesday, August 9, 2023 at 6:24:11 PM UTC+2, Anton Ertl wrote:
> >> that can be exploited). Apparently you can train the branch predictor
> >> to predict a branch where there is none. And they use that for
> >
> > It's just a fairly obvious aliasing in the branch predictor tables -- many addresses alias to the same entry.
> >
> > Obviously, one can use that to predict branches where there isn't one... the surprise is really that nobody (publicly) did that years ago.
> No, the surprise is that a CPU could even care about the branch
> predictor without actually facing a branch instruction.

The CPU has to fetch (guided by the branch predictor) long before it knows if there is a branch instruction or not.

-Peter

Re: Inception hardware bug exploit

<ebb51179-b64e-4e73-8eff-cdb8954919d2n@googlegroups.com>

 by: MitchAlsup - Sat, 12 Aug 2023 16:57 UTC

On Saturday, August 12, 2023 at 1:37:42 AM UTC-5, Anton Ertl wrote:
> Terje Mathisen <terje.m...@tmsw.no> writes:
> >No, the surprise is that a CPU could even care about the branch
> >predictor without actually facing a branch instruction.
> With CPUs having to predict 2-3 branches per cycle and following one
> predicted-taken branch per cycle, while the instruction fetch takes
> maybe 4 cycles (if the I-cache and uOp-cache latencies are similar to
> similar-sized D-caches), they cannot wait until the instruction fetch
> is complete and the possible branch is decoded before acting on the
> prediction. I see two ways around this problem:
>
> 1) Have a tag in the next-line predictor and don't follow the
> predictor if the tag does not match. But what should the CPU do then?
>
> 2) Cancel the prediction and everything dependent on it as soon as the
> instruction is decoded and turns out not to be a branch. This should
> be early enough that the speculative execution has not changed any
> microarchitectural state.
<
3) Branch target caching--the predictor selects one of several sets of
instructions at one of the predicted branch targets.
>
> Approach 1) appears more practical. If Intel manages to only predict
> branches, maybe they have taken it.
> - anton
> --
> 'Anyone trying for "industrial quality" ISA should avoid undefined behavior.'
> Mitch Alsup, <c17fcd89-f024-40e7...@googlegroups.com>
