Tags: security, spectre

Spectre example


In the spectre paper, there is an example which exploits an out of bound array access (Section 1.2). The code is

if (x < array1_size)
  y = array2[ array1[x] * 256 ];

The process is to train the correct path with some valid x values. Then an invalid value of x is given and, at the same time, assume array1_size is uncached. Since the branch predictor thinks the condition is true, it will speculatively fetch array2's offset.

Now, here is the question. In the speculative execution, it has to fetch array1[x] where x is malicious and it is out of bounds. So, array1[x] is actually invalid! Then what is the attack?! No valid data is fetched!

Can anyone explain that for me? What is misunderstood here?


Solution

  • So, array1[x] is actually invalid! Then what is the attack?! no valid data is fetched!

    That is the main point of the attack. The index (i.e. x) might be so big that we are able to access data we should not be able to access.

    For example, if our code is in a JavaScript sandbox or a Java Virtual Machine, we will be able to access data outside the sandbox/virtual machine.

    Even more, the speculative execution might access kernel pages, i.e. pages we have no privilege to access. That is Meltdown.

    Here is my Spectre-Based Meltdown proof of concept in just 99 lines you might find easier to understand:

    https://github.com/berestovskyy/spectre-meltdown