Attacking Multicore CPUs

Ant writes "The Register reports that the world of current multi-core central processing units (CPUs) just entered is facing a serious threat. A security researcher at Cambridge disclosed a new class of vulnerabilities that takes advantage of concurrency to bypass security protections such as anti-virus software The attack is based on the assumption that the software that interacts with the kernel can be used without interference. The researcher, Robert Watson, showed that a carefully written exploit can attack in the window when this happens, and literally change the "words" that they are exchanging. Even if some of these dark aspects of concurrency were already known, Watson proved that real attacks can be developed, and showed that developers have to fix their code. Fast..."

Re:Fast?

[Foolhardy]

If that's all it is, Windows NT (and its later incarnations like XP and Vista) aren't vulnerable because kernel components facing user mode are always expected to make copies of user arguments before they're validated and used. Since the NT kernel is preemptable this would be a problem even on single CPU machines because the thread handling the syscall could be interrupted by the scheduler to execute another thread while the first was validating the arguments. Only data that is treated opaquely (e.g. a buffer to write to a file) can be accessed directly safely. This has been known and accounted for since NT was originally designed. Of course, that doesn't rule out the possibility of 3rd party developers not following the rules.

From Common Driver Reliability Issues: User-Mode Addresses in Kernel-Mode Code

Be prepared for changes to the contents of user-mode memory at any time; another user-mode thread in the same process might change it. Drivers must not use user-mode buffers as temporary storage, or expect the results of double fetches to yield the same results the second time.