The Spectre class of hardware vulnerabilities truly is a gift that keeps on giving. New variants are still being discovered in current CPUs nearly eight years after the disclosure of this problem, and developers are still working to minimize the performance costs that come from defending against it. The masked user-space access mechanism is a case in point: it reduces the cost of defending against some speculative attacks, but it brought some challenges of its own that are only now being addressed.
The Spectre vulnerabilities can be used to exfiltrate data from the kernel in a number of ways, but the attacks usually come down to exercising a kernel path that will speculatively execute with an attacker-provided address, leaving traces of the target data that can then be recovered via a side channel. One of the most common ways to defeat such attacks is to simply prevent speculative execution of some code; it is effective, but also expensive.
Defending user-space access
One common target for speculative attacks is accesses to user space by the kernel, since the address in question is often controlled by user space. Since the tests for the validity of an address nearly always succeed, speculative execution tends to take the "address is valid" path, even when the address is anything but. The functions used by most of the kernel for user-space access (such as copy_from_user()) are well defended, but the kernel has a number of places where faster access is required for acceptable performance.
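The two shapes of a user-pointer check described above, as an added example written for this page (it is not kernel code; USER_PTR_MAX, access_ok_branch() and mask_user_address() are assumed names and values chosen for the demonstration). The first function is the conventional branch-based check, whose "address is valid" branch is what the CPU learns to predict; the second clamps the pointer arithmetically instead, so an out-of-range address becomes an all-ones pointer that faults on every path, including the speculative one, because no branch depends on the comparison. On x86-64 the clamp uses the same cmp/sbb instruction pair the x86 kernel relies on; the portable fallback is plain C and a compiler is free to lower it back into a branch, which is why the real thing lives in inline assembly.

```c
/*
 * Added illustration of branch-based versus masked user-pointer checks.
 * Not kernel code: USER_PTR_MAX, access_ok_branch() and mask_user_address()
 * are assumed names and values for the demonstration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed highest address a user pointer may refer to: the top of a 47-bit
 * user address space minus a guard page, so a short access that starts just
 * below the limit spills into an unmapped gap rather than into the kernel. */
#define USER_PTR_MAX 0x00007fffffffefffUL

/* Conventional check.  The conditional branch resolves to "valid" almost
 * every time, so the predictor learns that outcome and the CPU runs the
 * following access speculatively even when ptr is a kernel address; the
 * fault arrives only after the cache side channel has been primed. */
static int access_ok_branch(uintptr_t ptr, size_t len)
{
	if (len == 0 || len > USER_PTR_MAX + 1)
		return 0;
	if (ptr > USER_PTR_MAX + 1 - len)	/* the predicted branch */
		return 0;
	return 1;
}

/* Branchless clamp.  Turn the comparison into an all-ones or all-zeros mask
 * and OR it into the pointer: a valid user pointer is unchanged, anything
 * above USER_PTR_MAX becomes UINTPTR_MAX, which is non-canonical and faults
 * no matter how the CPU speculates, since nothing here is a branch. */
static uintptr_t mask_user_address(uintptr_t ptr)
{
	uintptr_t mask;
#if defined(__x86_64__) && (defined(__GNUC__) || defined(__clang__))
	/* cmp: CF = (USER_PTR_MAX < ptr); sbb mask,mask: mask = -CF */
	__asm__("cmp %1, %0\n\t"
		"sbb %0, %0"
		: "=r"(mask)
		: "r"(ptr), "0"(USER_PTR_MAX));
#else
	/* Portable fallback; a compiler may reintroduce a branch here. */
	mask = 0UL - (uintptr_t)(ptr > USER_PTR_MAX);
#endif
	return ptr | mask;
}

int main(void)
{
	/* Constructed sample pointers, not captured from a real system. */
	const uintptr_t samples[] = {
		0x1000UL,		/* ordinary user pointer */
		USER_PTR_MAX,		/* last valid user byte */
		USER_PTR_MAX + 1,	/* first byte past the limit */
		0xffff888000000000UL,	/* kernel-looking address */
	};
	for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
		printf("%#018lx -> branch check: %d, masked: %#018lx\n",
		       (unsigned long)samples[i],
		       access_ok_branch(samples[i], 1),
		       (unsigned long)mask_user_address(samples[i]));
	return 0;
}
```

The masked form is cheaper than a speculation barrier because it costs two ALU instructions and no fence, but it protects only the address it clamps: the length of the access still has to be bounded elsewhere, which is what the guard gap below the limit is for in this example.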
