2025-03-30 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
Today I will walk through a detailed analysis of the side channel attack in CVE-2018-3639, which many people may not understand well. To make it easier to follow, the editor has summarized the following content; I hope you get something out of this article.
Preface
Out of interest in CPU-related vulnerabilities, I did an in-depth study of CVE-2018-3639 (Spectre variant 4). Any inaccuracies are welcome to be corrected.
According to a Microsoft blog, there are four speculation primitives that can be used for speculative side channel attacks: conditional branch misprediction, indirect branch misprediction, exception delivery or deferral, and today's protagonist, speculative store bypass.
Detailed analysis
Let's go straight to the most important part of the code, which I have annotated and in which I fixed a few bugs. You can download the source code at the end of the article to check the meaning of each variable:
The most important code is at lines 115 and 122. At the C language level there is nothing wrong with it, so look at the assembly code:
The red part of the assembly corresponds to line 115, the green part to line 122, and the purple part is the key code that goes wrong.
The problem with these two lines is that the core executing the code believes the two instructions are related only through their output, so it can execute them in parallel using register renaming. The relevant explanation can be found in "Computer Architecture: A Quantitative Approach" (5th edition):
Parallel execution alone is not necessarily a problem; the execution unit must also execute the testfun+138 instruction before the testfun+135 instruction, so that testfun+138 wrongly affects the cache. The sample code meets this condition because the testfun+135 instruction depends on the testfun+128 instruction and therefore has to wait for the earlier code to finish executing, whereas testfun+138 has no such dependence.
Let's drill further into the execution unit inside the core to see how it completes this parallel execution. The following figure shows the execution unit of Intel's Sandy Bridge microarchitecture:
Consulting AMD's 17th-generation (family 17h) processor microarchitecture document turns up the following information:
Therefore, it can be concluded that the two macro-instructions above are translated into a single store-related micro-op and a single load-related micro-op respectively; combined with the register renaming technique described above, port 2 and port 4 can be used to execute the two instructions in parallel in this microarchitecture.
Although the testfun+138 instruction is rolled back as erroneous after the testfun+135 store instruction executes, the affected cache line is not rolled back. We can therefore probe that cache line with the rdtscp instruction: whether it hits tells us what the data value was.
I don't know whether the reader still remembers Spectre 1; it is mainly caused by the wrong cache line caching the wrong data as a result of incorrect branch prediction. Spectre 4 is mainly caused by erroneous speculative execution (quietly speculating that the two instructions are unrelated), which is what causes the Meltdown; I can no longer remember the source. Although AMD also has exception suppression technology, the reason it is not affected by this vulnerability is that its core execution units are limited. I think AMD's store and load execution units should be the same, so this needs to be verified later. Several Intel and AMD architectures are attached for reference:
Intel Haswell Microarchitecture:
Intel Sandy Bridge Microarchitecture:
AMD 17th-generation (family 17h) microarchitecture:
DEMO program compilation command:
gcc -o Spec4 Speculative4.c -Wall -DHIT_THRESHOLD=50 -DNO_INTERRUPTS -ggdb
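The analysis above explains how a load can speculatively bypass an older store and leave a cache-line trace. On the defensive side, the Linux kernel reports its CVE-2018-3639 status under sysfs and lets a process opt into Speculative Store Bypass Disable (SSBD) through prctl. The following C program is an added example, not part of the article's demo; it assumes a Linux kernel of 4.17 or later (the sysfs strings and prctl constants are the kernel's own, and the fallback defines are used only if the system headers lack them).

```c
/* Added example, not from the article: report the kernel's CVE-2018-3639
 * (Speculative Store Bypass) status and opt this process into the SSBD
 * mitigation. Assumes Linux >= 4.17; strings and constants are the kernel's. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif
#ifndef PR_SET_SPECULATION_CTRL /* fallback for older headers */
#define PR_SET_SPECULATION_CTRL 53
#define PR_SPEC_STORE_BYPASS 0
#define PR_SPEC_DISABLE (1UL << 2)
#endif
enum ssb_state { SSB_UNKNOWN, SSB_NOT_AFFECTED, SSB_VULNERABLE, SSB_MITIGATED };
/* Classify one line of /sys/devices/system/cpu/vulnerabilities/spec_store_bypass. */
enum ssb_state classify_ssb_line(const char *line)
{
    if (strncmp(line, "Not affected", 12) == 0) return SSB_NOT_AFFECTED;
    if (strncmp(line, "Vulnerable", 10) == 0) return SSB_VULNERABLE;
    if (strncmp(line, "Mitigation:", 11) == 0) return SSB_MITIGATED;
    return SSB_UNKNOWN;
}
/* Read the live sysfs entry; SSB_UNKNOWN if it is absent (old kernel, non-Linux). */
enum ssb_state read_ssb_state(void)
{
    char buf[128];
    FILE *f = fopen("/sys/devices/system/cpu/vulnerabilities/spec_store_bypass", "r");
    if (!f) return SSB_UNKNOWN;
    const char *s = fgets(buf, sizeof buf, f);
    fclose(f);
    return s ? classify_ssb_line(buf) : SSB_UNKNOWN;
}
/* Disable speculative store bypass for this process (inherited by children).
 * Returns 0 on success, otherwise -errno (e.g. -EINVAL/-ENODEV if unsupported). */
int disable_ssb_for_process(void)
{
#ifdef __linux__
    return prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0) == 0 ? 0 : -errno;
#else
    return -ENOSYS;
#endif
}
int main(void)
{
    static const char *names[] = { "unknown", "not affected", "vulnerable", "mitigated" };
    int rc = disable_ssb_for_process();
    printf("sysfs: %s; prctl SSBD: %s\n", names[read_ssb_state()], rc ? strerror(-rc) : "enabled");
    return 0;
}
```

The prctl setting costs some performance, so it is normally applied only to processes that handle secrets across a trust boundary rather than system-wide.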