Overclock.net - An Overclocking Community - View Single Post - [The Register] SPOILER alert, literally: Intel CPUs afflicted with simple data-spewing spec-exec vulnerability

Post #15, 03-05-2019, 12:16 PM
rluker5
Quote: Originally Posted by Defoler
So to those who skimmed it (or didn't read):

They use SPOILER as a way to determine physical addresses using virtual memory page reads/writes and see where the "spike" is, where the virtual page is sitting on two physical pages (which causes a longer read/write).
Using that information, they calculate where the physical pages are sitting.
Then, once they know that, they can use a DRAM attack called Double Sided Rowhammer.
That attack is meant to force row refreshes inside the same bank of the DRAM memory that contains said pages, in order to force rows inside the DRAM to flip bits when adjacent rows (on either side, hence double sided) around them get refreshed constantly, until memory bits in the unrefreshed ones flip. That is a DRAM vulnerability, not an Intel-specific one though.

That way, they basically force a change on the memory, and if they are doing it in the right place, can use that to exploit information, gain access, etc.

Rowhammer was found in 2014. But it was hard to use as it was hard to determine where the physical pages were inside the virtual space of an application.
Using SPOILER though, they can "bypass" that issue, and allow Rowhammer to do its dirty work.

It will be very hard for Intel to fix the issue, because of how the virtual memory and physical memory work. And it can't be fixed via firmware if right, because that issue of finding those physical page locations is inherent in the read/write of the virtual pages.
It is not like they can fix the "spike time" that notifies where the pages are, since reading two pages inside the memory will always take longer.
And once they can determine physical page locations, Rowhammer (or other physical memory exploits), can come back on the table.

To "fix" it, Intel will need to find a way to block Rowhammer from flipping bits in the cache, since they can't stop SPOILER. And that will require that when rows get refreshed, they must also start to refresh everything around them, and so on, and it will cause a chain reaction of heavy slowdown.

The reason they couldn't make it happen on AMD or ARM is that they couldn't distinguish the little spikes in reads that say whether a virtual page was sitting on two physical pages.

This seems pretty complicated, but it seems like using multiple hits to get timings and then trying to rowhammer them would put the data into the L4 cache of a Broadwell-C, which may have different outcomes when it is read in conjunction with data from regular RAM, or evicted to regular RAM partially through the process, i.e. corrupted nonsense vs. a successful hack.