Side-channel attacks (Meltdown, Spectre)

Udo Steinberg udo at ...121...
Fri Jan 5 21:25:07 CET 2018


On Sat, 6 Jan 2018 04:20:25 +0100 Stefan Kalkowski (SK) wrote:

> On Fri, Jan 05, 2018 at 08:24:19PM +0100, Alexander Boettcher wrote:
> > 
> > On 05.01.2018 17:36, Udo Steinberg wrote:  
> > > Norman Feske (NF) wrote:
> > >   
> > > NF> In contrast to monolithic kernels, a microkernel like base-hw, NOVA,
> > > NF> or seL4 does not deal with any user-level content like cryptographic
> > > NF> secrets, or the content of files. There is hardly any credential to
> > > NF> leak to begin with. User content stays outside the microkernel.  
> > > 
> > > While it is true that a microkernel stores significantly fewer secrets than
> > > a monolithic kernel, like Linux, most microkernels actually have a full
> > > mapping of the entire physical memory in the kernel portion of each address
> > > space, which allows an attacker to peek anywhere into physical memory.  
> > 
> > before starting to dig/read through all our supported kernels (I'm not
> > at all familiar with the internals) - can you please elaborate a bit about
> > which microkernels, according to your knowledge, have all physical
> > memory mapped in the kernel?
> > 
> > The currently supported microkernels for Genode are Pistachio, OKL4,
> > L4/Fiasco, Fiasco.OC, Nova, seL4 and our own hw kernel.  
> 
> I can warrant that the hw kernel, which is actually Genode's core
> component combined with a bit of architectural dependent
> data-structures (e.g. page-tables) and routines, does not contain
> physical memory mappings used by user-level components.

Hi,

I am not following the recent development of all those kernels, so I
think it's best to directly consult the individual developers/teams for
statements (like the one from Stefan above).

For my part, I can tell you that the NOVA microhypervisor (at least the
official version) does not map physical RAM into the kernel virtual address
space, other than the RAM in which the microhypervisor itself resides. NOVA
maps certain devices (like APIC, IOMMU), but those can't be speculatively
accessed anyway. I cannot comment on modified NOVA versions.

Some commercial kernels and L4/Fiasco certainly used to map as much physical
memory as can fit into the kernel address space. Not sure if Fiasco.OC
retains that behavior. Check for Physmem in class Mem_layout.

Also, any kernel that performs certain things like long IPC via a lazily
flushed IPC window may have transient mappings of memory belonging
to other user processes.

Cheers,
Udo
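The point of the thread is that Meltdown's reach is bounded by what the kernel half of the address space maps as supervisor-only: a kernel with a direct map of all RAM exposes all RAM, while a kernel that maps only its own image exposes only that. The program below is an added illustration of that difference, written for this page; it is not code from Udo, NOVA, Genode or any of the kernels discussed. It builds two constructed x86-64 page-table layouts in memory (a "physmap" layout and an image-only layout) and walks them the way an auditor would walk a real kernel's tables, summing the present, supervisor-only bytes in the kernel half. The virtual and physical base addresses, the 4 GiB RAM size and the 2 MiB image size are assumptions chosen for the example; device mappings and KPTI-style split page tables are deliberately left out.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal model of x86-64 4-level paging (constructed for this example).
 * An entry holds the host pointer of the next 4 KiB-aligned table, or a
 * model physical address for a leaf, plus the architectural flag bits we
 * care about. */
typedef uint64_t pte_t;
#define PTE_P     (1ULL << 0)   /* present */
#define PTE_US    (1ULL << 2)   /* user/supervisor: set = user-accessible */
#define PTE_PS    (1ULL << 7)   /* page size: leaf at PDPT (1 GiB) or PD (2 MiB) */
#define PTE_FLAGS 0xfffULL

static pte_t *alloc_table(void) {
    pte_t *t = aligned_alloc(4096, 512 * sizeof(pte_t));
    if (!t) abort();
    memset(t, 0, 512 * sizeof(pte_t));
    return t;
}

static pte_t *next_table(pte_t *table, unsigned idx) {
    if (!(table[idx] & PTE_P))
        table[idx] = (pte_t)(uintptr_t)alloc_table() | PTE_P;
    return (pte_t *)(uintptr_t)(table[idx] & ~PTE_FLAGS);
}

/* Install one supervisor-only leaf: level 3 = 1 GiB, 2 = 2 MiB, 1 = 4 KiB.
 * phys must be aligned to the page size so the flag bits stay clear. */
static void map_leaf(pte_t *pml4, uint64_t virt, uint64_t phys, int level) {
    pte_t *t = next_table(pml4, (virt >> 39) & 511);            /* PDPT */
    if (level == 3) { t[(virt >> 30) & 511] = phys | PTE_P | PTE_PS; return; }
    t = next_table(t, (virt >> 30) & 511);                       /* PD */
    if (level == 2) { t[(virt >> 21) & 511] = phys | PTE_P | PTE_PS; return; }
    t = next_table(t, (virt >> 21) & 511);                       /* PT */
    t[(virt >> 12) & 511] = phys | PTE_P;
}

/* Sum the bytes that are present and supervisor-only in the kernel half
 * (PML4 entries 256..511). Without KPTI, on a Meltdown-affected core this
 * is the memory a user process can read speculatively. */
static uint64_t kernel_mapped_bytes(const pte_t *pml4) {
    uint64_t total = 0;
    for (unsigned i4 = 256; i4 < 512; i4++) {
        if (!(pml4[i4] & PTE_P)) continue;
        const pte_t *pdpt = (const pte_t *)(uintptr_t)(pml4[i4] & ~PTE_FLAGS);
        for (unsigned i3 = 0; i3 < 512; i3++) {
            pte_t e3 = pdpt[i3];
            if (!(e3 & PTE_P)) continue;
            if (e3 & PTE_PS) { if (!(e3 & PTE_US)) total += 1ULL << 30; continue; }
            const pte_t *pd = (const pte_t *)(uintptr_t)(e3 & ~PTE_FLAGS);
            for (unsigned i2 = 0; i2 < 512; i2++) {
                pte_t e2 = pd[i2];
                if (!(e2 & PTE_P)) continue;
                if (e2 & PTE_PS) { if (!(e2 & PTE_US)) total += 1ULL << 21; continue; }
                const pte_t *pt = (const pte_t *)(uintptr_t)(e2 & ~PTE_FLAGS);
                for (unsigned i1 = 0; i1 < 512; i1++)
                    if ((pt[i1] & PTE_P) && !(pt[i1] & PTE_US)) total += 1ULL << 12;
            }
        }
    }
    return total;
}

/* Assumed constants (illustrative only): a 2 MiB kernel image at a
 * high virtual address, and a Linux-like direct-map base. */
#define KERNEL_IMAGE_VA 0xffffffff80000000ULL
#define KERNEL_IMAGE_PA 0x1000000ULL
#define PHYSMAP_BASE_VA 0xffff880000000000ULL

/* Layout A: kernel image plus a direct map of all RAM via 1 GiB pages. */
pte_t *build_physmap_layout(uint64_t ram_bytes) {
    pte_t *pml4 = alloc_table();
    map_leaf(pml4, KERNEL_IMAGE_VA, KERNEL_IMAGE_PA, 2);
    for (uint64_t off = 0; off < ram_bytes; off += 1ULL << 30)
        map_leaf(pml4, PHYSMAP_BASE_VA + off, off, 3);
    return pml4;
}

/* Layout B: only the kernel's own image, the NOVA-style case in the
 * message above (its device mappings are left out of the model). */
pte_t *build_image_only_layout(void) {
    pte_t *pml4 = alloc_table();
    map_leaf(pml4, KERNEL_IMAGE_VA, KERNEL_IMAGE_PA, 2);
    return pml4;
}

int main(void) {
    uint64_t a = kernel_mapped_bytes(build_physmap_layout(4ULL << 30));
    uint64_t b = kernel_mapped_bytes(build_image_only_layout());
    printf("physmap layout:    %llu MiB supervisor-mapped\n", (unsigned long long)(a >> 20));
    printf("image-only layout: %llu MiB supervisor-mapped\n", (unsigned long long)(b >> 20));
    return 0;
}
```

With 4 GiB of modelled RAM the physmap layout reports 4098 MiB reachable from the kernel half and the image-only layout 2 MiB, which is the gap Udo is pointing at. To audit a real kernel you would apply the same walk to its actual page tables (from a page-table dump or a debugger) rather than to a model, and you would also look for the transient mappings mentioned above, which a one-shot walk can miss.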