[Info-vax] Intel x86-64 Processor Design Security Vulnerability?

Camiel Vanderhoeven iamcamiel at gmail.com
Thu Jan 4 04:16:40 EST 2018


On Thursday, 4 January 2018 at 08:43:04 UTC+1, Johann 'Myrkraverk' Oskarsson wrote:
> Derrell Piper wrote:
> 
> > I don't know what that site is, and I don't find it particularly
> > interesting either.  Any technical discussions about this bug are
> > welcome here.  Please leave your hype at the door.
> 
> I haven't looked at the other site, and this is a technical summary
> of the CPU flaws and security issues.
> 
> https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
> 
> It starts with
> 
>    Reading privileged memory with a side-channel
>    Posted by Jann Horn, Project Zero
> 
>    We have discovered that CPU data cache timing can be abused to
>    efficiently leak information out of mis-speculated execution, leading
>    to (at worst) arbitrary virtual memory read vulnerabilities across
>    local security boundaries in various contexts.
> 
>    Variants of this issue are known to affect many modern processors,
>    including certain processors by Intel, AMD and ARM. For a few Intel
>    and AMD CPU models, we have exploits that work against real software.
>    We reported this issue to Intel, AMD and ARM on 2017-06-01 [1].

We've been following this and assessing the ramifications for OpenVMS on x86 since we got the first hints that something was happening. Fortunately, our early decision to use separate page tables for the four modes seems to be the one sure way to avoid these vulnerabilities, and this is in fact what the patches for Windows and Linux do (use separate page tables for user and kernel mode within each process). There is still a small area in VMS that's potentially vulnerable of course, and that is the transition code between modes (part of SWIS). Now that the embargo is lifted, and we have access to the full disclosure of the vulnerabilities discovered, we're going through this code with a fine-tooth comb to make sure we don't expose anything of interest through that surface.
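The post above mentions that the Linux patches use separate page tables for user and kernel mode (kernel page-table isolation, KPTI). The script below is an added example, not code from the post or from the OpenVMS project: it checks whether that mitigation is actually in force on a Linux host. It assumes an x86-64 Linux kernel of 4.15 or later, which reports the Meltdown status in /sys/devices/system/cpu/vulnerabilities/meltdown, lists a "pti" flag in /proc/cpuinfo when isolation is active, and honours "nopti" or "pti=off" on the kernel command line. The function names are this example's own. Each function takes a file path so it can be exercised against constructed copies of those files as well as the live ones.

```shell
#!/bin/sh
# Added example (not from the Info-vax post or OpenVMS): is kernel page-table
# isolation (KPTI) active on this Linux host? Assumes Linux >= 4.15 on x86-64.

# pti_status FILE
# Classify the contents of the sysfs "meltdown" file. Prints one word:
# mitigated, vulnerable, not-affected or unknown (unknown also returns 1).
pti_status() {
    if [ ! -r "$1" ]; then
        echo unknown
        return 1
    fi
    status=$(cat "$1")
    case "$status" in
        "Mitigation: PTI"*) echo mitigated ;;
        "Not affected"*)    echo not-affected ;;
        "Vulnerable"*)      echo vulnerable ;;
        *)                  echo unknown; return 1 ;;
    esac
}

# cpuinfo_has_pti FILE
# Succeed if the first "flags" line of /proc/cpuinfo (or a copy) lists "pti".
# The kernel sets this synthetic flag only while isolation is enabled.
cpuinfo_has_pti() {
    [ -r "$1" ] || return 1
    awk '/^flags[[:space:]]*:/ { print; exit }' "$1" \
        | tr -s '[:space:]' '\n' \
        | grep -qx pti
}

# cmdline_disables_pti FILE
# Succeed if the kernel command line (or a copy) turned isolation off with
# "nopti" or "pti=off". With it off, the kernel is mapped into every user-mode
# page table again, which is exactly the exposure the post describes.
cmdline_disables_pti() {
    [ -r "$1" ] || return 1
    tr -s '[:space:]' '\n' < "$1" | grep -qxE 'nopti|pti=off'
}

# check_host
# Report on the live system. Always returns 0 so it can be appended to other
# audit scripts without aborting them.
check_host() {
    printf 'meltdown sysfs status : %s\n' \
        "$(pti_status /sys/devices/system/cpu/vulnerabilities/meltdown)"
    if cpuinfo_has_pti /proc/cpuinfo; then
        echo 'cpuinfo pti flag      : present'
    else
        echo 'cpuinfo pti flag      : absent'
    fi
    if cmdline_disables_pti /proc/cmdline; then
        echo 'kernel command line   : isolation disabled (nopti / pti=off)'
    else
        echo 'kernel command line   : isolation not disabled'
    fi
    return 0
}

check_host
```

Running it as `sh kpti_check.sh` prints the three indicators; a host reporting "mitigated" with the "pti" flag present is running with split page tables, while "vulnerable" or an explicit "nopti" means the kernel is still mapped into every process and the cache-timing read described in the Project Zero post is not blocked. Note that this only reports the guest or host Linux kernel's own state; it says nothing about a hypervisor beneath it or about other operating systems such as OpenVMS.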


