11/6/2022 0 Comments Spectre meaning![]() ![]() The load after the branch can execute before the CPU verifies that the branch actually did fall through. In this case, they will observe that the branch always falls through. Modern CPUs are able to execute the bounds check branch ( jae) and the subsequent load ( mov (%rdx,%rcx,4), %ecx) in parallel. Mov (%rdx,%rcx,4), %ecx Load intArray->vector. This loadsĬmp 0x18(%rsi), %ecx %ecx has the index. The compiler will have to emit a bounds check when it translates this high-level JavaScript operation into a lower-level form: if (((unsigned) index) >= ((unsigned) intArray->length))Ĭompiling this on x86 CPUs results in the following instructions: mov 0x10(%rsi), %rdx %rsi has intArray. In this example, let’s assume that intArray is known to our JavaScript engine to be a reference to a Int32Array instance, but that we have not proved that index is in bounds of intArray.length. Most discussions about Spectre have involved bounds checks, so this section considers that case as well. To understand how Spectre works, it’s useful to think about how security-sensitive programming language operations (like any property access in JavaScript) get executed in JavaScriptCore on a modern processor. Hence, Spectre is not just an attack on JavaScriptCore itself but also everything that is callable from JavaScript. Spectre breaks this property of JavaScriptCore because untrusted JavaScript or WebAssembly now has a theoretical path to reading all of the host process’s address space.ĭOM APIs and system APIs called by DOM APIs also use branches to enforce their security properties, and those are callable from JavaScript. SPECTRE MEANING CODEIt should be possible to load untrusted JavaScript or WebAssembly code into your process without the risk of your process’s memory being leaked to the JavaScript code except in cases where you explicitly export data to JavaScript via our C or Objective-C binding API. JavaScriptCore is meant to be a secure language virtual machine. For example, if some type contains an integer at offset 8 while another type contains a pointer at offset 8, then an attacker could use Spectre to bypass the type check that is supposed to ensure that you can’t use the integer to craft an arbitrary pointer. This could allow an attacker to read arbitrary memory. Almost all bounds checks can be bypassed to read arbitrarily out-of-bounds. The most impacted subsystem is JavaScriptCore (WebKit’s JavaScript engine). Spectre means that branches are no longer sufficient for enforcing the security properties of read operations in WebKit. Safari 11.0.2 for El Capitan and Sierra. SPECTRE MEANING FULL VERSIONYou can check if your Safari and WebKit are patched by verifying the full version number in About Safari.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |