The difference between the Meltdown attack and the Spectre attack
2018-01-09 12:26
Meltdown and Spectre are usually mentioned together. They have things in common, but the differences are also clear, so I am writing them down as a note. Both make use of speculative execution, but Meltdown relies on out-of-order (OOO) execution, while Spectre relies on branch prediction.
From "Spectre Attacks: Exploiting Speculative Execution":
Meltdown is distinct from Spectre Attacks in two main ways. First, unlike Spectre, Meltdown does not use branch prediction for achieving speculative execution. Instead, it relies on the observation that when an instruction causes a trap, following instructions that were executed out-of-order are aborted.
Second, Meltdown exploits a privilege escalation vulnerability specific to Intel processors, due to which speculatively executed instructions can bypass memory protection. Combining these issues, Meltdown accesses kernel memory from user space. This access causes a trap, but before the trap is issued, the code that follows the access leaks the contents of the accessed memory through a cache channel.
So Meltdown depends on a flaw in Intel's CPU design: during out-of-order execution, the permission check on the memory access is skipped.
Spectre, on the other hand, depends on the following behaviour:
The Branch Target Buffer (BTB) keeps a mapping from addresses of recently executed branch instructions to destination addresses [26]. Processors can use the BTB to predict future code addresses even before decoding the branch instructions.
For conditional branches, recording the target address is not sufficient for predicting the outcome of the branch. To predict whether a conditional branch is taken or not, the processor maintains a record of recent branch outcomes.
In other words, the branch predictor records a history and uses it as the basis for the next prediction. Moreover, this history is scoped to the CPU (core), not to the process. So an attacker process first trains the branch predictor thoroughly within its own address space (for example, by jumping to a specific address), and then triggers the victim process to perform a similar operation (a jump to that specific address). Although the operation is rolled back at the retire stage, the trace of the memory access has already been left in the cache, and the data can later be read out through a side channel.
In the attacker process's address space, the contents at this particular address are meaningless to the attacker; but in the victim process's address space, the contents at this address can be an instruction, typically one that reads memory, which can therefore be used to leak data into the cache.
So Meltdown mainly affects Intel CPUs, whereas Spectre, because modern CPUs universally use branch prediction to improve performance, has a much wider reach.