All modern high-performance processors perform what is known as “out of order” execution. It’s a critical part of modern processors. Speculative execution is what happens when a CPU executes code before it knows if that code will be useful or not. While you can read our primer on speculative execution here, the concept is easy to understand. PACMAN relies on a different mechanism than Spectre or Meltdown, but it’s exactly the same type of trick. Thus, the two operations will not trigger architecture-visible events, avoiding the issue where invalid guesses result in crashes.
DC SPECTRE VERIFICATION
A PACMAN gadget consists of two operations: 1) a pointer verification operation that speculatively verifies the correctness of a guessed PAC, and 2) a transmission operation that speculatively transmits the verification result via a micro-architectural side channel… Note that we execute both operations on a mis-speculated path. Our attack works relying on PACMAN gadgets. The key insight of our PACMAN attack is to use speculative execution to stealthily leak PAC verification results via microarchitectural side channels. What does work is exfiltrating data through side channels and taking advantage of speculative execution. Brute-forcing pointer authentication is not a practical means of extracting useful information. Eventually, the constant crashing is going to get suspicious. Restarting said program will generate new PACs, forcing the attacker to start the process over. While it may be possible to brute force some of the smallest pointer authentication schemes, using an incorrect pointer authentication code will crash the program. Pointer authentication protects pointers by encrypting them.
0 kommentar(er)
