[RndTbl] Uh oh, Spectre redux

Trevor Cordes trevor at tecnopolis.ca
Mon Feb 6 18:12:34 CST 2023


https://gruss.cc/files/prefetch.pdf
CVE-2023-0597

The CVEs are empty (reserved) until people install the fixes.  Fedora
already has a fix, as I'm sure many other distros do.

This looks like a bad one.  Spectre-like in its scope.  Another
fundamental flaw in the design of modern CPUs in terms of side-channel
attacks.

But this one is on address-space knowledge, allowing the defeat of
ASLR/SMAP.

So in that sense it is not a direct attack vector, but one that could
be leveraged by other attacks that can benefit from address space
knowledge.  (I think?  Thoughts?)

Yet another fix that is going to slow down our systems.  The authors
claim "only" up to 5% slowdown.  All of these 5% slowdowns from the
last 3 years are starting to add up...

It's like the atomic bomb: at times one might wish no one had discovered
it...
:-/

