Spectre Gta 5

[Alethia Tiell]

Someonewas silly enough to upload aworking spectre (CVE-2017-5753) exploitfor Linux (there is also aWindows one with symbols that I didn't look at.)on VirusTotal last month, so here is my quick Sunday afternoon lazy analysis.

The binary has its -h option stripped, likely behind a #define to avoiddetection, but some of its parameters are obvious, like specifyingwhat file to leak, or the kernel base address. The authors didn't check (or care)that the logging function hasn't been entirely optimized out, leaving a bunchof strings helping in the reversing process.

In the case of /etc/shadow, the default option, the content of thefile is shoved in memory by running the following command in thebackground: return system("echo \"whatever\n\" su - 2> /dev/null").In my lab, on a vulnerable Fedora, the exploit is successfully dumping /etc/shadow in a couple of minutes.Interestingly, there are checks to detect SMAPand abort if it's present. I didn't manage to understand why the exploit wasfailing in its presence.

The covert channel is presumably a userspace pointer which is accessedspeculatively in kernel context, causing a cacheline fill, and recovered laterby timing the reload. SMAP prevents supervisor code from accessing user memoryoperands outside of explicitly permitted areas. This is enough to prevent thecacheline fill (of a userspace pointer) and break the covert channel. A moresophisticated attack could use a supervisor pointer, e.g. the directmapmapping, or or one of a multitude of other covert channels to transmit the samedata, which is a higher barrier, but definitely not impossible.

The crux of the exploit is at 0x4092f0, using cpuid as a serializinginstruction, rdtsc for timing, and mfence/lfence as barrier, asdocumented in the original paper. It's also using some tricks to minimize the amount ofreadings, like type-specific functions, for example a kernel address has aspecific format.Thanks to spender for confirming that the gadget used is likely get_user() in the FIOASYNC ioctl,which was fixed in 2018

It is based on a woodblock print by Kuniyoshi and the original name of the print is Princess Takiyasha summons a skeleton spectre to frighten Mitsukuni. I've never seen an original print of this that was in good shape and I thought it was a shame because it is a very nice print so I decided to make my own version (with a few changes here and there). I hope you enjoy.

Thanks for the kinds words. At the bottom there is the option to either "Drag files here to attach, or choose files...." and I just clicked on the "choose files" and then added the images that I wanted to add.

I do have a website but it isn't very good and to be honest, I would be embarrassed to post a link to it. I hope to redesign it soon and when I do, I'll post a link to it. I have posted another piece of Japanese themed art before, if you search here in the "Share your work" for The Siren, you'll find it. I will post some more Japanese themed work hopefully sometime soon.

Thanks for the kind comments and the funny word play too! This piece is based off of a print that was originally a triptych but the pieces don't all fit together exactly as they should. I had to create some elements from scratch that fit in with the original piece so that aspect of it was very challenging.

Funny, often when I try to start something in Photo I realize I can do this in Designer and switch back... :-) silly me of course but Designer can do everything I need it to. I even bought the Photo workbook but haven't really embraced Photo yet, Designer won't let me.

I'm pretty much the same as you. Most of what I need to do, I can do in Designer. I like Photo, it is very powerful but for what I've been doing recently Designer can handle it. Plus I normally work with vectors more than raster images so Designer works out best for me. I do like Photo's Red Eye Removal tool though

:-) Yeah same here. I tend to use photo for colour correction and pixel based tweaks and adjustments... much of which can be done in designer. I come from a long history with illustrator so the vector side is home for me.

Update 20 April 2018 With Visual Studio 2017 version 15.7 Preview 4 we have added a new warning, C5045, that shows what patterns in your code would have caused a mitigation to be inserted. See this post for more details.

Update 4 April 2018 With Visual Studio 2017 version 15.7 Preview 3 we have two new features to announce with regards to our Spectre mitigations. First, the /Qspectre switch is now supported regardless of the selected optimization level. Second, we have provided Spectre-mitigated implementations of the Microsoft Visual C++ libraries. See below for details.

If you are a developer whose code operates on data that crosses a trust boundary then you should consider downloading an updated version of the MSVC compiler, recompiling your code with the /Qspectre switch enabled, and redeploying your code to your customers as soon as possible. Examples of code that operates on data that crosses a trust boundary include code that loads untrusted input that can affect execution such as remote procedure calls, parsing untrusted input for files, and other local inter-process communication (IPC) interfaces. Standard sandboxing techniques may not be sufficient: you should investigate your sandboxing carefully before deciding that your code does not cross a trust boundary.

The C5045 diagnostic, added in Visual Studio 2017 version 15.7 Preview 4, shows where the compiler would insert a mitigation if the /Qspectre switch were enabled. Please see this post for more details.

In current versions of the MSVC compiler, the /Qspectre switch only works on optimized code. You should make sure to compile your code with any of the optimization switches (e.g., /O2 or /O1 but NOT /Od) to have the mitigation applied. Similarly, inspect any code that uses #pragma optimize([stg], off). Work is ongoing now to make the /Qspectre mitigation work on unoptimized code.

All versions of Visual Studio 2017 version 15.5 and all Previews of Visual Studio version 15.6 already include an undocumented switch, /d2guardspecload, that is currently equivalent to /Qspectre. You can use /d2guardspecload to apply the same mitigations to your code. Please update to using /Qspectre as soon as you get a compiler that supports the switch as the /Qspectre switch will be maintained with new mitigations going forward.

The /Qspectre switch will be available in MSVC toolsets included in all future releases of Visual Studio (including Previews). We will also release updates to some existing versions of Visual Studio to include support for /Qspectre. Releases of Visual Studio and Previews are announced on the Visual Studio Blog; update notifications are included in the Notification Hub. Visual Studio updates that include support for /Qspectre will be announced on the Visual C++ Team Blog and the @visualc Twitter feed.

Our tests show the performance impact of /Qspectre to be negligible. We have built all of Windows with /Qspectre enabled and did not notice any performance regressions of concern. Performance gains from speculative execution are lost where the mitigation is applied but the mitigation was needed in a relatively small number of instances across the large codebases that we recompiled. Codebases vary greatly so we advise all developers to evaluate the impact of /Qspectre in the context of their applications and workloads.

If you know that a particular block of your code is performance-critical (say, in a tight loop) and does not need the mitigation applied, you can selectively disable the mitigation with __declspec(spectre(nomitigation)). Note that the __declspec is not available in compilers that only support the /d2guardspecload switch.

In the above example, the code performs an array-bounds check to ensure that untrusted_index is less than the length of array1. This is needed to ensure that the program does not read beyond the bounds of the array. While this appears to be sound as written, it does not take into account microarchitectural behaviors of the CPU involving speculative execution. In short, it is possible that the CPU may mispredict the conditional branch when untrusted_index is greater than or equal to length. This can cause the CPU to speculatively execute the body of the if statement. As a consequence of this, the CPU may perform a speculative out-of-bounds read of array1 and then use the value loaded from array1 as an index into array2. This can create observable side effects in the CPU cache that reveal information about the value that has been read out-of-bounds. While the CPU will eventually recognize that it mispredicted the conditional branch and discard the speculatively executed state, it does not discard the residual side effects in the cache which will remain. This is why variant 1 exposes a speculative execution side-channel.

Software changes are required to mitigate variant 1 on all currently affected CPUs. This can be accomplished by employing instructions that act as a speculation barrier. For Intel and similar processors (including AMD) the recommended instruction is LFENCE. ARM recommends a conditional move (ARM) or conditional selection instruction (AArch64) on some architectures and the use of a new instruction known as CSDB on others. These instructions ensure that speculative execution down an unsafe path cannot proceed beyond the barrier. However, applying this guidance correctly requires developers to determine the appropriate places to make use of these instructions such as by identifying instances of variant 1.

In order to help developers mitigate this new issue, the MSVC compiler has been updated with support for the /Qspectre switch which will automatically insert one of these speculation barriers when the compiler detects instances of variant 1. In this case the compiler detects that a range-checked integer is used as an index to load a value that is used to compute the address of a subsequent load. If you compile the example above with and without /Qspectre, you will see the following code generation difference on x86:

3a8082e126