
“Negative Result: Reading Kernel Memory from User Mode” (Intel CPU Bug) - RandomBK
https://cyber.wtf/2017/07/28/negative-result-reading-kernel-memory-from-user-mode/
======
provost
For those that may be confused, I was also confused by the author's "negative
result" comments at the top, but he elaborates near the end.

> So at this point my experiment is failed and thus the negative result.

> While I did set out to read kernel mode without privileges and that produced
> a negative result, I do feel like I opened a Pandora's box. The thing is
> there were two positive results in my tests. The first is that Intel's
> implementation of Tomasulo's algorithm is not side channel safe.
> Consequently we have access to results of speculative execution despite the
> results never being committed. Secondly, my results demonstrate that
> speculative execution does indeed continue despite violations of the
> isolation between kernel mode and user mode.

------
versteegen
This is probably the most enlightening thing I've ever read about modern CPU
microarchitecture. Reading this, it becomes apparent how hard it is to prevent
side-channel information leaks in general. Anyone who read this back in July
could have concluded that Intel CPUs are possibly vulnerable to some
side-channel attack, but the author just didn't figure out how to exploit the
leak he found.

~~~
Relys
I remember reading about CPU side-channel attacks over a year ago but nobody
really talked about it:
[https://github.com/felixwilhelm/mario_baslr](https://github.com/felixwilhelm/mario_baslr)

------
0x0
If this is "the intel bug" that is about to be announced right now, then I
think it's remarkable that it's been sitting around in this blog post from
July 2017?

~~~
mackal
This blog post could not find an exploit, but proved enough that there could
be. The theory is that the KAISER researchers took this idea and found a way
to exploit it.

------
nmg
So, Intel prefetches restricted data on a request by an unprivileged user,
"conceals" the unauthorized but nevertheless prefetched data by nulling it
out, but the unprivileged user can infer sensitive information about what's
"behind the curtain" by timing the following instructions?

------
robert_foss
This was an interesting read.