Yet another Intel CPU security vulnerability!

[Rroff]

You need to read the white paper, they have answered how they go about getting the data and I have already covered all of that. There is no argument here for me to answer.

You might want to re-read it bearing what I said in mind - their specially crafted victim process repeatedly stores the data they are after so that it becomes prominent amongst the data that is normally in and out of that buffer:

"Our first experiment performs the attack discussed ear-lier against a victim running in the same or other hardware thread and repeatedly storing a secret to a fixed memory address."

That isn't normal application behaviour and is what they need to do to overcome the various synchronisation and noise issues - nothing I am saying is at odds with the whitepaper.

Even assuming somehow they managed to get their exploit running with all the other obstacles when it comes to the browser and JS and a normal desktop environment - their attack needs a victim process that is storing the target data over and over as fast as the system is running to leak data at 1B/s in the real world that data is probably in that buffer 2 or 3 times over a session not the 1000s of times they need to leak it. (Additionally those 2-3 times it is there they would have no way of knowing so as to read the evicted data in a timely fashion).

It is academically interesting because it theoretically shouldn't be possible to leak that data at all across that boundary but doesn't represent something that works in the real world - although the theory could be put into play in certain environments (namely things like shared hosting environments) if an attacker found a weakness they could repeatedly invoke from unprivileged code at will - hence the passwd example but that is another one that due to factors is unrealistic in the real world.

 

[zx128k]

You might want to re-read it bearing what I said in mind - their specially crafted victim process repeatedly stores the data they are after so that it becomes prominent amongst the data that is normally in and out of that buffer:

"Our first experiment performs the attack discussed ear-lier against a victim running in the same or other hardware thread and repeatedly storing a secret to a fixed memory address."

That isn't normal application behaviour and is what they need to do to overcome the various synchronisation and noise issues - nothing I am saying is at odds with the whitepaper.

Even assuming somehow they managed to get their exploit running with all the other obstacles when it comes to the browser and JS and a normal desktop environment - their attack needs a victim process that is storing the target data over and over as fast as the system is running to leak data at 1B/s in the real world that data is probably in that buffer 2 or 3 times over a session not the 1000s of times they need to leak it. (Additionally those 2-3 times it is there they would have no way of knowing so as to read the evicted data in a timely fashion).

It is academically interesting because it theoretically shouldn't be possible to leak that data at all across that boundary but doesn't represent something that works in the real world - although the theory could be put into play in certain environments (namely things like shared hosting environments) if an attacker found a weakness they could repeatedly invoke from unprivileged code at will - hence the passwd example but that is another one that due to factors is unrealistic in the real world.

I again site the white paper as my source. I am not required to speculate. For other people they reliably steal the data and speculate about the fact they can make the process quicker.

 

[Rroff]

I again site the white paper as my source. I am not required to speculate.

There is no speculation required - just a little bit of technical experience to understand what is going on. Nothing I say is in any shape or form at odds with the white paper.

 

[zx128k]

There is no speculation required - just a little bit of technical experience to understand what is going on. Nothing I say is in any shape or form at odds with the white paper.

The source is clear. They outline their success and their method. If you need clarification about anything in the while paper I would advise contacting the author.

 

[Rroff]

The source is clear. They outline their success and their method. If you need clarification about anything in the while paper I would advise contacting the author.

Nothing I just posted in #261 needs clarification from the author(s) - neither is it wrong or at odds with anything they've stated in the white paper.

 

[zx128k]

Nothing I just posted in #261 needs clarification from the author(s) - neither is it wrong or at odds with anything they've stated in the white paper.

What you have posted is an opinion without any evidence. I just refer you to the source as proof of my position. It's up to you to create a valid argument and proved proof. It's not my job to answer every thought that crosses your mind.

 

[Rroff]

What you have posted is an opinion without any evidence. I just refer you to the source as proof of my position. It's up to you to create a valid argument and proved proof. It's not my job to answer every thought that crosses your mind.

Nothing in post #261 is an opinion - everything I've based what I'm saying in that post is either in the white paper or well known standard operating functionality of an OS and applications.

You are getting quite desperate to dismiss what I'm saying if you have to claim that post is in any way based on opinion or speculation.

 

[IT Troll]

Straight out of the white paper.

Also straight out of the whitepaper:

"For simplicity, our exploit uses an old-style built-in high-resolution timer in SpiderMonkey to measure cache evictions."

"Although we do not currently have a reliable RIDL exploit running inside unmodified Chrome, we believe that our results already cast doubt on the effectiveness of site isolation as a mitigation against side-channel attacks."

So that is facts 1 & 2 straight from the whitepaper. Are we just glossing over fact 3?

 

[zx128k]

Nothing in post #261 is an opinion - everything I've based what I'm saying in that post is either in the white paper or well known standard operating functionality of an OS and applications.

You are getting quite desperate to dismiss what I'm saying if you have to claim that post is in any way based on opinion or speculation.

I again refer you to the RIDL white paper as the source of my argument. If you feel the white paper can be improved or there is something wrong with the white paper or information there in. Feel free to drop the then contact the author a line.

 

[Rroff]

I again refer you to the RIDL white paper as the source of my argument. If you feel the white paper can be improved or there is something wrong with the white paper or information there in. Feel free to drop the then contact the author a line.

TBH this is getting a bit insulting - I refer you to read the white paper in the light of my post - you will find with a little technical experience what I said is 100% correct.

Again nothing I've said is claiming the white paper is wrong, nothing I've said is at odds with the white paper. They could improve on the depth of their explanation to better reflect the realities of their successes.

 

[zx128k]

Also straight out of the whitepaper:

"For simplicity, our exploit uses an old-style built-in high-resolution timer in SpiderMonkey to measure cache evictions."

"Although we do not currently have a reliable RIDL exploit running inside unmodified Chrome, we believe that our results already cast doubt on the effectiveness of site isolation as a mitigation against side-channel attacks."

So that is facts 1 & 2 straight from the whitepaper. Are we just glossing over fact 3?

I have answered this above, please do not present this non sense again.

 

[zx128k]

TBH this is getting a bit insulting - I refer you to read the white paper in the light of my post - you will find with a little technical experience what I said is 100% correct.

Again nothing I've said is claiming the white paper is wrong, nothing I've said is at odds with the white paper. They could improve on the depth of their explanation to better reflect the realities of their successes.

Not my job to answer all your sophistry arguments. You would think I was some employee of yours or something.

 

[Rroff]

Not my job to answer all your sophistry arguments. You would think I was some employee of yours or something.

Lets make it simple - do they or do they not need the victim data to be repeatedly hitting the relevant buffers (for instance line fill buffer) at an unrealistically high tempo so that their exploit can retrieve it?

 

[IT Troll]

I have answered this above, please do not present this non sense again.

Apart from glossing over fact 3.

Fact 3: They ran the taskset command locally to lock both the victim and attack processes to a specific CPU core (i.e. specially prepared environment). The don't show how they determined the core IDs but I would imagine it was executing lscpu locally beforehand.

 

[zx128k]

Lets make it simple - do they or do they not need the victim data to be repeatedly hitting the relevant buffers (for instance line fill buffer) at an unrealistically high tempo so that their exploit can retrieve it?

If you need clarification, please contact the authors of the white paper.

 

[Rroff]

If you need clarification, please contact the authors of the white paper.

No clarification needed - I'm asking you - if you disagree with what I'm saying then you must understand that fairly pivotal point for their whole exploit. Or have you just been arguing with me because you don't like what I'm saying?

If you can't provide an answer to this you really should retract what you've said in this thread so far.

 

[zx128k]

Apart from glossing over fact 3.

Fact 3: They ran the taskset command locally to lock both the victim and attack processes to a specific CPU core (i.e. specially prepared environment). The don't show how they determined the core IDs but I would imagine it was executing lscpu locally beforehand.

This argument was answered above. I don't have to cover all points. In a debate I just have to show one of your points are wrong. I did that. So there is no need for me to revisit a failed argument.

 

[zx128k]

No clarification needed - I'm asking you - if you disagree with what I'm saying then you must understand that fairly pivotal point for their whole exploit. Or have you just been arguing with me because you don't like what I'm saying?

I don't have to answer, not my job to help you present an argument.

 

[Rroff]

I don't have to answer, not my job to help you present an argument.

Sure you don't - but it underpins every criticism you have made about what I've posted on this subject so if you refuse to answer it kind of calls your understanding of the white paper into doubt.

 

[zx128k]

Sure you don't - but it underpins every criticism you have made about what I've posted on this subject so if you refuse to answer it kind of calls your understanding of the white paper into doubt.

Dude you have no argument. My source is the white paper and also most of the tech articles on the internet. I have no burden of proof to meet. So why would I help you to attack me? I've given reasonable proof.