
Show HN: Spectre exploit demo - idea4good
https://github.com/idea4good/spectre
======
caf
This bit isn't right:

    #include <emmintrin.h>   /* _mm_clflush */

    void move_one_page_in_cache(uint8_t* addr) {
        static unsigned int github_idea4good = 1;
        _mm_clflush(&github_idea4good);
        if (0 < github_idea4good) {
            volatile uint8_t temp = probe_pages[*addr * PAGE_SIZE];
        }
    }

Here, the probe _is_ executed in the retired instruction stream. That's not
Spectre. If you can retire an instruction that dereferences addr, your
Javascript engine is busted already.

To demonstrate Spectre you need to put the probe in a path that _isn't_
taken, but train the branch predictor to speculatively execute it anyway.
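
The shape caf is describing, as an added example that is not code from the idea4good repo or from any commenter: the dependent load sits on the not-taken side of a bounds check, next to the branchless index-masking mitigation (the construction the Linux kernel's generic array_index_mask_nospec() uses). The names array1, array2, ARRAY1_SIZE and STRIDE are assumptions chosen for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

#define ARRAY1_SIZE 16
#define STRIDE      512
/* Constructed sample data: the secret-bearing array and the probe array. */
static uint8_t array1[ARRAY1_SIZE] = {1, 2, 3, 4, 5, 6, 7, 8,
                                      9, 10, 11, 12, 13, 14, 15, 16};
static uint8_t array2[256 * STRIDE];

/* Gadget shape: architecturally, an out-of-range idx never reaches the
 * dependent load.  Spectre v1 is the case where a trained predictor runs
 * it speculatively anyway, so the cache line of array2 touched by the
 * untaken path encodes array1[idx].  (No timing/training code here.) */
uint8_t lookup_unhardened(size_t idx) {
    if (idx < ARRAY1_SIZE)
        return array2[array1[idx] * STRIDE];
    return 0;
}

/* Branchless clamp: all-ones when idx < size, zero otherwise.  The top bit of
 * (idx | (size-1-idx)) is set exactly when idx >= size (for size <= SIZE_MAX/2),
 * so no predictable branch decides the result.  The volatile copy keeps the
 * compiler from folding the mask back into the enclosing if(). */
static size_t index_mask_nospec(size_t idx, size_t size) {
    volatile size_t hidden = idx;
    idx = hidden;
    size_t top = (idx | (size - 1 - idx)) >> (sizeof(size_t) * CHAR_BIT - 1);
    return top - 1;   /* top == 0 -> SIZE_MAX, top == 1 -> 0 */
}

/* Hardened form: even on a mispredicted branch, the index fed to the loads
 * has already been clamped to 0, so no out-of-range byte selects a line. */
uint8_t lookup_hardened(size_t idx) {
    if (idx < ARRAY1_SIZE) {
        idx &= index_mask_nospec(idx, ARRAY1_SIZE);
        return array2[array1[idx] * STRIDE];
    }
    return 0;
}

/* Fill array2 so a lookup result identifies which line was touched. */
void seed_array2(void) {
    for (size_t i = 0; i < ARRAY1_SIZE; i++)
        array2[array1[i] * STRIDE] = (uint8_t)(0xA0 + i);
}
```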

~~~
idea4good
I can make a change like this:

static unsigned int github_idea4good = -1;

if(0 < github_idea4good) will never be true.

But the result is the same.

I believe the key is: github_idea4good must be out of cache.

~~~
amscanne
github_idea4good is unsigned. There’s an implicit cast at the assignment. The
condition is still true and that path is always executed.

~~~
idea4good
Good catch!

Change it like this:

#define PROBE_TIMES 100000

static int github_idea4good = -1;

If the probe count is big enough, it still works.

------
dmitrygr
This does not demonstrate Spectre! This just demonstrates different timing of
cache access to memory you DO have access to. This dumps memory from the
actual process which already has access to it!

~~~
idea4good
I want to show accessing the memory without reading it directly.

~~~
dmitrygr
Doing it in the same process has always been easy. The whole point of Spectre
is you can do this in someone else's process.

~~~
idea4good
Sure, that will be much more complex. I would like to focus on the basic scenario.

~~~
dmitrygr
What you are saying here is that you would like to demonstrate the possibility
of commercial space flights to other solar systems by showing off a paper
airplane. I'm not trying to be offensive but you really should understand the
difference between Spectre and what you were doing.

~~~
idea4good
So... what do you think I am doing?

Would you please give me an appropriate outline?

------
ot
Besides the other flaws:

> If you translate the code into Javascript, you could dump IE browser data.

In JS you don't have access to clflush, so it would be a bit more complicated
than that.

~~~
idea4good
Sure, it needs more code to do the clflush things.

------
idea4good
This demo has only 70 lines of code.

