On Fri, Jan 05, 2018 at 09:24:31PM +0100, Willy Tarreau wrote:
> On Fri, Jan 05, 2018 at 07:58:04PM +0000, Alan Cox wrote:
> > and the techniques to deal with rdtsc disabling are well known and used in other existing attacks.
>
> Yes, I've tested one of them for the spectre poc, but it really did not work well, leading to about 1 among 10 bytes only to be valid. In fact either you run the counter thread on the other sibling of the same core and it significantly perturbs the local activity, or you run it on another core, and the time it takes to retrieve the time requires some L1+L2 traversal. I'm not saying it doesn't work at all, I'm saying that the accuracy is highly degraded and that can turn something 100% reproducible into something requiring a long time to run, making the attack more noticeable (and possibly letting observed data degrade during the period).
>
> So I worked on an improved RDTSC emulation (attached) and it works reasonably well on the spectre poc found online. Its accuracy is almost as good as rdtsc on my i7-6700k on two threads running on the same core, and 8-10 times worse on two distinct cores, but still leads to ~50% success rate on the PoC. So my conclusion now is that it's indeed pointless to invest time trying to make RDTSC less accessible/accurate.
>
> Willy