Show HN: Spectre exploit demo (github.com)
26 points by idea4good 10 months ago | 13 comments

This bit isn't right:

  void move_one_page_in_cache(uint8_t* addr) {
      static unsigned int github_idea4good = 1;
      if (0 < github_idea4good) {
          volatile uint8_t temp = probe_pages[*addr * PAGE_SIZE];
Here, the probe is executed in the retired instruction stream. That's not Spectre. If you can retire an instruction that dereferences addr, your Javascript engine is busted already.

To demonstrate Spectre you need to put the probe in a path that isn't taken, but train the branch predictor to speculatively execute it anyway.
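The gadget shape this comment describes, beside the fix a defender would apply, as an added C example (not the demo's code and not from this thread): the bounds-checked dependent load that Spectre v1 targets, and a hardened version that clamps the index branchlessly in the style of the Linux kernel's array_index_nospec(). The names array1, array2 and STRIDE follow the Spectre paper's convention and are constructed here, as are the probe-array contents, so that in-bounds reads can be checked.

```c
#include <stddef.h>
#include <stdint.h>

#define ARRAY1_SIZE 16
#define STRIDE      512   /* one probe cache line per possible byte value */

static uint8_t array1[ARRAY1_SIZE] = {1, 2, 3, 4, 5, 6, 7, 8,
                                      9, 10, 11, 12, 13, 14, 15, 16};
static uint8_t array2[256 * STRIDE];          /* the probe array */

/* Constructed contents: each probe line holds its own line number, so an
 * in-bounds read of array2[array1[x] * STRIDE] returns array1[x]. */
void init_probe_array(void) {
    for (size_t i = 0; i < sizeof array2; i++)
        array2[i] = (uint8_t)(i / STRIDE);
}

/* The Spectre v1 gadget shape from the thread: the check is honoured at
 * retirement, but before the branch resolves the CPU may speculatively run
 * the dependent load with an out-of-range x and leave the matching probe
 * line in cache. Nothing here trains the predictor or times the cache. */
uint8_t victim_vulnerable(size_t x) {
    if (x < ARRAY1_SIZE)
        return array2[array1[x] * STRIDE];
    return 0;
}

/* Branchless mask modelled on the Linux kernel's array_index_mask_nospec():
 * all ones when idx < size, zero otherwise. Assumes arithmetic right shift
 * of a negative intptr_t (true for GCC and Clang on x86-64 and AArch64). */
size_t array_index_mask_nospec(size_t idx, size_t size) {
#if defined(__GNUC__)
    __asm__ __volatile__("" : "+r"(idx));  /* stop the compiler dropping the mask */
#endif
    return (size_t)(~(intptr_t)(idx | (size - 1 - idx)) >> (sizeof(intptr_t) * 8 - 1));
}
size_t array_index_nospec(size_t idx, size_t size) {
    return idx & array_index_mask_nospec(idx, size);
}

/* Hardened gadget: on the mispredicted path x collapses to 0, so the only
 * probe line a speculative load can touch is array2[array1[0] * STRIDE]. */
uint8_t victim_hardened(size_t x) {
    if (x < ARRAY1_SIZE) {
        x = array_index_nospec(x, ARRAY1_SIZE);
        return array2[array1[x] * STRIDE];
    }
    return 0;
}
```

The other common fix is a serialising barrier (lfence on x86) placed right after the bounds check; the masking form avoids the barrier's cost but only protects the one index it is applied to.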

I can make a change like this:

static unsigned int github_idea4good = -1;

if (0 < github_idea4good) will never be true.

But the result is the same.

I believe the key is: github_idea4good must be out of cache.

github_idea4good is unsigned. There’s an implicit cast at the assignment. The condition is still true and that path is always executed.

Good catch!

Change it like this:

#define PROBE_TIMES 100000

static int github_idea4good = -1;

If the probe count is big enough, it still works.

This does not demonstrate Spectre! This just demonstrates different timing of cache access to memory you DO have access to. This dumps memory from the actual process which already has access to it!

I want to show accessing the memory without reading it directly.

Doing it in the same process has always been easy. The whole point of Spectre is you can do this in someone else's process.

Sure, that will be much more complex. I would like to focus on the basic scenario.

What you are saying here is that you would like to demonstrate the possibility of commercial space flights to other solar systems by showing off a paper airplane. I'm not trying to be offensive but you really should understand the difference between Spectre and what you were doing.

So... what do you think I am doing?

Would you please give me an appropriate outline?

Besides the other flaws:

> If you translate the code into Javascript, you could dump IE browser data.

In JS you don't have access to clflush, so it would be a bit more complicated than that.

Sure, it needs more code to do the clflush things.

This demo has only 70 lines of code.
