this post was submitted on 22 Mar 2024
0 points (NaN% liked)
Technology
58009 readers
3105 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Wow, what a dishearteningly predictable attack.
I have studied computer architecture and hardware security at the graduate level—though I am far from an expert. That said, any student in the classroom could have laid out the theoretical weaknesses in a "data memory-dependent prefetcher".
My gut says (based on my own experience having a conversation like this) the engineers knew there was a "information leak" but management did not take it seriously. It's hard to convince someone without a cryptographic background why you need to {redesign/add a workaround/use a lower performance design} because of "leaks". If you can't demonstrate an attack they will assume the issue isn't exploitable.
So the attack is (very basically, if I understand correctly)
Setup:
Attack:
Is this somewhat correct? Those speculative execution vulnerabilities always make my brain hurt a little
Absolutely. Theory doesn't always equal reality. The security guys submitting CVE's to pad their resumes should absolutely be required to submit a working exploit. If they can't then they're just making needless noise
There are definitely bullshit cves out there but I don't think that's a good general rule. Especially in this context where it's literally unpatchable at the root of the problem.