Re: Hyper-Threading Vulnerability

From: Tommy Reynolds
Date: Mon May 16 2005 - 12:41:52 EST

Next message: Alexey Dobriyan: "Re: 2.6.12-rc4-mm2"
Previous message: Hans Reiser: "Re: [RFD] What error should FS return when I/O failure occurs?"
In reply to: Linus Torvalds: "Re: Hyper-Threading Vulnerability"
Next in thread: Bill Davidsen: "Re: Hyper-Threading Vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Uttered Linus Torvalds <torvalds@xxxxxxxx>, spake thus:

> It does show that if you want to hide key operations, you want to be
> careful. I don't think HT is at fault per se.

Trivially easy when two processes share the same FS namespace.
Consider two files:

$ ls -l /tmp/a /tmp/b
-rw------ 1 owner owner xxxxx /tmp/a
-rw------ 1 owner owner xxxxx /tmp/b

One file serves as a clock. Note that the permissions deny all
access to everyone except the owner. The owner user then does this,
intentionally or unintentionally:

for x in 0 0 0 1 0 0 0 0 0 1
do
rm -f /tmp/a /tmp/b
case "$x" in
0 ) rm -f /tmp/a;;
1 ) touch /tmp/a;;
esac
touch /tmp/b
sleep 2
done

And the baddie does this:

let n=1
let char=0
while (($n < 8))
do
while [ ! -f /tmp/b ]; do
sleep 0.5
done
let char=((char << 1))
if [ -f /tmp/a ]; do
let char=((char + 1))
done
done
printf "The letter was: %c\n" $char

This is one of the classic TEMPEST problems that secure systems have
long had to deal with. See, at no time did HT ever raise its ugly
head ;-)

Cheers

Attachment: pgp00000.pgp
Description: PGP signature

Next message: Alexey Dobriyan: "Re: 2.6.12-rc4-mm2"
Previous message: Hans Reiser: "Re: [RFD] What error should FS return when I/O failure occurs?"
In reply to: Linus Torvalds: "Re: Hyper-Threading Vulnerability"
Next in thread: Bill Davidsen: "Re: Hyper-Threading Vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]