Hi!

> > What did it leak? Nothing. Attacker had to know
> > array+attacker_controlled_index, and he now knows
> > (array+attacker_controlled_index)%CACHELINE_SIZE.
> >
> > With (void) array2[val];, the attack gets interesting -- I now know
> > *(array+attacker_controlled_index) % CACHELINE_SIZE ... allowing me to
> > get information from arbitrary place in memory -- which is useful for
> > .. reading ssh keys, for example.
>
> Right, but how far away from "val = array[attacker_controlled_index];"
> in the instruction stream do you need to look before you're
> comfortable there's no 'val' dependent reads in the speculation window
> on all possible architectures. Until we have variable annotations and
> compiler help my guess is that static analysis has an easier time
> pointing us to the first potentially bad speculative access.

Well, you are already scanning for

if (attacker_controlled_index < limit) .... array[attacker_controlled_index]

and those can already be far away from each other....

Anyway, likely in the end a human should be creating the patch, and if
there's no array2[val], we do not need the patch after all.

Best regards,
Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
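The two-load shape the thread is arguing about (a bounds-checked load whose result `val` then indexes a second table `array2`), shown as an added example that is not code from this mail thread or from the kernel patches it discusses: the unhardened lookup beside a version that clamps the index in the data flow, in the style of the kernel's `array_index_nospec()` helper. The table names, sizes and contents below are constructed for the example, and `index_nospec()` is an illustrative reimplementation of the masking idea, not the kernel's code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample tables (not from the thread): `array` is the
 * bounds-checked data, `array2` is the second table that "(void) array2[val];"
 * indexes with the loaded value, one cache line per possible byte value. */
#define ARRAY_LEN   16u
#define CACHELINE   64u

static uint8_t array[ARRAY_LEN];
static uint8_t array2[256u * CACHELINE];

/* Fill the constructed tables: array[i] = 7*i, and array2 laid out so that
 * array2[v * CACHELINE] == v for every byte value v. */
void init_tables(void)
{
    for (unsigned i = 0; i < ARRAY_LEN; i++)
        array[i] = (uint8_t)(7u * i);
    for (unsigned v = 0; v < 256u; v++)
        for (unsigned k = 0; k < CACHELINE; k++)
            array2[v * CACHELINE + k] = (uint8_t)v;
}

/* Branchless clamp: returns index when index < size, otherwise 0.
 * Illustrative reimplementation of the mask trick behind the kernel's
 * array_index_nospec(): because the clamp is arithmetic rather than a
 * branch, a mispredicted bounds check cannot forward an out-of-range
 * index to the load that follows. */
size_t index_nospec(size_t index, size_t size)
{
    /* If index < size, both index and (size - 1 - index) have the top bit
     * clear, so ~(index | (size - 1 - index)) has it set and the arithmetic
     * right shift yields all ones; in every other case the mask is 0.
     * Assumes an arithmetic right shift of negative values (GCC, Clang). */
    size_t mask = (size_t)(~(intptr_t)(index | (size - 1u - index))
                           >> (sizeof(size_t) * 8u - 1u));
    return index & mask;
}

/* The gadget shape from the thread, before hardening: the first load can
 * execute speculatively with an out-of-range idx, and the second load's
 * address depends on the byte it fetched. */
uint8_t lookup_unhardened(size_t idx)
{
    if (idx < ARRAY_LEN) {
        uint8_t val = array[idx];                 /* attacker-indexed load   */
        return array2[(size_t)val * CACHELINE];   /* val-dependent second load */
    }
    return 0;
}

/* Hardened form: clamp idx in the data flow before the first load. Returns
 * the same values as the unhardened version for every in-range idx; only
 * what the out-of-range path can do while speculating changes. */
uint8_t lookup_hardened(size_t idx)
{
    if (idx < ARRAY_LEN) {
        idx = index_nospec(idx, ARRAY_LEN);
        uint8_t val = array[idx];
        return array2[(size_t)val * CACHELINE];
    }
    return 0;
}

int main(void)
{
    init_tables();
    printf("lookup_hardened(5)    = %u\n", lookup_hardened(5));
    printf("index_nospec(16, 16)  = %zu\n", index_nospec(16, ARRAY_LEN));
    printf("index_nospec(MAX, 16) = %zu\n", index_nospec(SIZE_MAX, ARRAY_LEN));
    return 0;
}
```

The point of placing the clamp right at the first load, rather than auditing how far away the `array2[val]` use sits in the instruction stream, is that the fix then does not depend on the distance between the check and the dependent read that the quoted reply worries about.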