
Detecting Spectre and Meltdown Using Hardware Performance Counters - DyslexicAtheist
https://www.endgame.com/blog/technical-blog/detecting-spectre-and-meltdown-using-hardware-performance-counters
======
xrayzerone
Former employee here. Endgame has one of the best, most humble security
research teams I've ever seen. Plus they're all around good dudes.

~~~
godelmachine
Has Endgame published any research papers? I am curious to have a look at
them.

~~~
nutate
Current endgame employee here. Yes. In R&D our data science team has published
a few and the vulnerability research & prevention team has as well. Some of
these were in the form of talks.

IIRC the most relevant to this blog post is here:
[https://www.blackhat.com/docs/us-16/materials/us-16-Pierce-C...](https://www.blackhat.com/docs/us-16/materials/us-16-Pierce-Capturing-0days-With-PERFectly-Placed-Hardware-Traps-wp.pdf)

~~~
dustfinger
The article that your co-worker, Cody Pierce, wrote refers to MELTDOWN#1,2,3
and SPECTRE#1,2,3 in a number of headings describing the different detection
scenarios. Nowhere in the article is there an explanation of what those
numbered MELTDOWN / SPECTRE headings are referring to. Could you provide
links to what these are referring to, or ask Cody Pierce to post an
explanation on the blog?

Thank you for your time!

------
agumonkey
please call that counter-attack Ghostbusters

~~~
strictfp
They should call ROP style Spectre "In Spectre Gadget"

~~~
agumonkey
jmp jmp gadget

ps: what a lovely name you made

------
willvarfar
Surely using performance counters only means the attacker has to do things
slowly and do other things to increase noise and so avoid detection?

~~~
Xylakant
This is already quite a slow attack (about 1-2kb of memory per second IIRC),
so if you slow that down by a single order of magnitude it might just as well
become impractical.

~~~
willvarfar
That's plenty fast enough. Secrets are secrets.

~~~
Xylakant
But you need to exhaust the memory space, especially in the variants that
cross VM boundaries. You can't just go and read the few hundred bytes that
contain the neighbor's private TLS keys. So if you can force the attacker to
read memory at a tenth of the current rate, the chances of a successful attack
might be severely diminished.

~~~
willvarfar
There are plenty of small secrets with predictable locations, especially if
you defeat KASLR.

------
cryptonector
Is there a PoC for Spectre/Meltdown? Did I miss a link?

~~~
mastax
[https://news.ycombinator.com/item?id=16107578](https://news.ycombinator.com/item?id=16107578)

