7 comments

[ 4.6 ms ] story [ 30.1 ms ] thread
If this is "the intel bug" that is about to be announced right now, then I think it's remarkable that it's been sitting around in this blog post from July 2017?
This blog post could not find an exploit, but proved enough that there could be. The theory is that the KAISER researchers took this idea and found a way to exploit it.
For those that may be confused, I was also confused by the author's "negative result" comments at the top, but he elaborates near the end..

> So at this point my experiment is failed and thus the negative result.

> While I did set out to read kernel mode without privileges and that produced a negative result, I do feel like I opened a Pandora’s box. The thing is there was two positive results in my tests. The first is that Intel’s implementation of Tomasulo’s algorithm is not side channel safe. Consequently we have access to results of speculative execution despite the results never being committed. Secondly, my results demonstrate that speculative execution does indeed continue despite violations of the isolation between kernel mode and user mode.

This is probably the most enlightening thing I've ever read about modern CPU microarchitecture. Reading this, it becomes apparent how hard it is to prevent side-channel information leaks in general. Anyone who read this back in July could have concluded that Intel CPUs are possibly vulnerable to some side-channel attack, but the author just didn't figure out how to exploit the leak he found.
So, Intel prefetches restricted data on a request by an unprivileged user, "conceals" the unauthorized but nevertheless prefetched data by nulling it out, but the unprivileged user can infer sensitive information about what's "behind the curtain" by timing the proceeding instructions?