The process doing the probing gets the GP faults. It's relying on the fact that even though the accesses fault they still affect the cache. So you could clean up that in the GP fault handler before you return to the process, do a context switch or execute any untrusted code.
Actually you could do this in software. Which makes me wonder why no one has thought of it, because it seems a bit obvious. Maybe it's flawed in some way.
Fixing Meltdown is relatively easy (compared to Spectre), although it probably can't be done with a microcode update. As well as setting a fault-if/when-this-reaches-retirement bit on the uop, a TLB lookup could gate the page-address bits (to all ones) with the privilege-check. e.g. a load in user-space from any kernel page could micro-architecturally execute as a load from the very top physical page. (And systems with less than the max amount of RAM wouldn't have any physical RAM at that physical address.)
Or a failed privilege check could maybe still allow the load to happen microarchitecturally, but mask the result to all-zero in the load port. (Remember, the Meltdown problem isn't that an unprivileged load can bring kernel data into cache, it's that the secret data load result can be used to make another load with a data-dependent address. Continuing speculative execution with a zero result for any under-privileged load that hits in the TLB wouldn't allow any data-dependent microarchitectural effects).
I.e. you do the virtual to physical translation using the TLB but you make invalid addresses map to an address with all ones. Since you have to do the V to P translation anyway, that seems like a good option.
I'm guessing Intel will do something in the next generation batch of chips out - basically hack the current generation with the fix. With a bit of luck Meltdown has put the ph3ar of the h@xx0rz into them and they'll do that at top priority.
It still means it's not a good time to buy a new PC though - anything you buy now will need KPTI or the equivalent enabled. It's claimed that on chips with PCID support KPTI isn't too bad, but that is dependent on what you're doing with the machine.
There's nothing to stop you having more than one stack. MIPS chips don't have a hardware stack at all - you just have a bunch of registers and you do operations on them. The ABI defines one register as a stack but it could easily define another. Or it could define several.
Still even on MIPS having two stacks is a breaking ABI change.
On Intel they've added new registers and new instructions. And it seems like once you enable CET you can't run non-CET code. I.e. it's like the switch from x86 mode to x64 where you can't run old code - everything needs to be recompiled. In the CET paper they have a bitmap to mark 4K code pages as either CET or 'legacy code'
3.6.1 Legacy Code Page Bitmap Format
The legacy code page bitmap is a flat bitmap whose linear address is pointed to by the EB_LEG_BITMAP_BASE. Each bit in the bitmap represents a 4K page in linear memory. If the bit is 1 it indicates that the corresponding code page is a legacy code page; else it is a CET-enabled code page. The processor uses the linear address of the instruction to which legacy transfer was attempted to lookup the bitmap. Bits of the linear address used as index in the bitmap are as follows.
They have to have that because you can't in general execute legacy code once CET is enabled because legacy code might innocently break the CET rules it doesn't know about. E.g. all indirect branches have to end at an ENDBRANCH instruction
Additionally, Patel explains that a new instruction was added to the ISA, namely the ENDBRANCH instruction, which would mark a legal target for an indirect branch or jump. "Thus if ENDBRANCH is not target of indirect branch or jump, the CPU generates an exception indicating unintended or malicious operation. This specific instruction has been implemented as NOP on current Intel processors for backwards compatibility (similar to several MPX instructions) and pre-enabling of software," he notes.
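As an added illustration of the bitmap lookup and ENDBRANCH rule described above (my own toy model in C, not Intel's specification or code): the page index is taken from the linear address bits above the 4K offset, a set bit means legacy, and an indirect branch target that does not start with ENDBR64 is accepted only if its page is marked legacy. The 64 MiB window, the toy code layout and the `toy_branch` helper are assumptions for the demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PAGE_SHIFT 12u
/* Toy bitmap: one bit per 4K page over a 64 MiB linear window (assumption).
   The real bitmap at EB_LEG_BITMAP_BASE spans the whole linear address space. */
#define TOY_PAGES (64u * 1024u * 1024u >> PAGE_SHIFT)

/* ENDBR64 encodes as F3 0F 1E FA; on CPUs without CET it decodes as a NOP. */
static const uint8_t ENDBR64[4] = {0xF3, 0x0F, 0x1E, 0xFA};

struct cet_state {
    uint8_t legacy_bitmap[TOY_PAGES / 8]; /* bit == 1: legacy code page */
    const uint8_t *code;                  /* toy code memory, linear address 0 */
    size_t code_len;
};

/* Bitmap index = linear address bits above the 4K page offset (bit 12 and up). */
static bool page_is_legacy(const struct cet_state *s, uint64_t linear)
{
    uint64_t page = linear >> PAGE_SHIFT;
    if (page >= TOY_PAGES)
        return false; /* outside the toy window: treat as CET-enabled */
    return (s->legacy_bitmap[page >> 3] >> (page & 7)) & 1u;
}

static void set_legacy_page(struct cet_state *s, uint64_t linear, bool legacy)
{
    uint64_t page = linear >> PAGE_SHIFT;
    if (page >= TOY_PAGES)
        return;
    if (legacy)
        s->legacy_bitmap[page >> 3] |= (uint8_t)(1u << (page & 7));
    else
        s->legacy_bitmap[page >> 3] &= (uint8_t)~(1u << (page & 7));
}

enum ibt_result {
    IBT_OK_ENDBRANCH, /* target starts with ENDBR64: CET-compliant transfer */
    IBT_OK_LEGACY,    /* no ENDBR64, but the target's page is marked legacy */
    IBT_FAULT         /* neither: hardware raises a control-protection exception */
};

/* Decision the tracker makes when an indirect CALL/JMP lands on `target`. */
static enum ibt_result check_indirect_target(const struct cet_state *s, uint64_t target)
{
    if (target + sizeof ENDBR64 <= s->code_len &&
        memcmp(s->code + target, ENDBR64, sizeof ENDBR64) == 0)
        return IBT_OK_ENDBRANCH;
    /* "Legacy transfer": look the target instruction's page up in the bitmap. */
    if (page_is_legacy(s, target))
        return IBT_OK_LEGACY;
    return IBT_FAULT;
}

/* Constructed scenario: three 4K pages of toy code.
   0x1000: ENDBR64; RET   (recompiled for CET)
   0x2000: RET            (old binary, page marked legacy in the bitmap)
   0x3000: RET            (old binary, page NOT marked legacy) */
static uint8_t toy_code[0x4000];
static struct cet_state toy;

static void build_toy(void)
{
    memset(&toy, 0, sizeof toy);
    memset(toy_code, 0x90, sizeof toy_code); /* fill with NOPs */
    memcpy(&toy_code[0x1000], ENDBR64, sizeof ENDBR64);
    toy_code[0x1004] = 0xC3;                 /* RET */
    toy_code[0x2000] = 0xC3;
    toy_code[0x3000] = 0xC3;
    toy.code = toy_code;
    toy.code_len = sizeof toy_code;
    set_legacy_page(&toy, 0x2000, true);
}

/* Tracker verdict for an indirect branch to `target` in the toy layout. */
static enum ibt_result toy_branch(uint64_t target)
{
    build_toy();
    return check_indirect_target(&toy, target);
}
```

Note that a branch to 0x1004, past the ENDBR64 on a CET-enabled page, is rejected just like a branch into the unmarked legacy page.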
Actually if you're going to do that you could enforce code signing for usermode too - the OS could verify the signature when it loaded the executable and would page code into memory it subsequently marked read only.
Kernel mode code has always been signed in 64 bit windows - they knew the switch from x86 to x64 was a breaking change so they decided to enforce that too.
Windows S will only run Win32 code if it is signed by Microsoft and they use that to stop any third party applications. Maybe they could have a more open system which still enforces code signing.
It'd suck for Win32 developers because they'd need to pay for a certificate like you do for kernel mode code.
Spectre works by getting speculatively executed code access kernel mode memory. So they'd need to do protection checks before the speculative code did the access.
1. In the first line, a "probe array" is allocated. This is memory in our process which is used as a side channel to retrieve data from the kernel. How this is done will become apparent soon.
2. Following the allocation, the attacker makes sure that none of the memory in the probe array is cached. There are various ways of accomplishing this, the simplest of which includes CPU-specific instructions to clear a memory location from cache.
3. The attacker then proceeds to read a byte from the kernel's address space. Remember from our previous discussion about virtual memory and page tables that all modern kernels typically map the entire kernel virtual address space into the user process. Operating systems rely on the fact that each page table entry has permission settings, and that user mode programs are not allowed to access kernel memory. Any such access will result in a page fault. That is indeed what will eventually happen at step 3.
4. However, modern processors also perform speculative execution and will execute ahead of the faulting instruction. Thus, steps 3–5 may execute in the CPU's pipeline before the fault is raised. In this step, the byte of kernel memory (which ranges from 0–255) is multiplied by the page size of the system, which is typically 4096.
5. In this step, the multiplied byte of kernel memory is then used to read from the probe array into a dummy value. The multiplication of the byte by 4096 is to avoid a CPU feature called the "prefetcher" from reading more data than we want into the cache.
6. By this step, the CPU has realized its mistake and rolled back to step 3. However, the results of the speculated instructions are still visible in cache. The attacker uses operating system functionality to trap the faulting instruction and continue execution (e.g., handling SIGFAULT).
7.
In step 7, the attacker iterates through and sees how long it takes to read each of the 256 possible bytes in the probe array that could have been indexed by the kernel memory. The CPU will have loaded one of the locations into cache and this location will load substantially faster than all the other locations (which need to be read from main memory). This location is the value of the byte in kernel memory.
Using the above technique, and the fact that it is standard practice for modern operating systems to map all of physical memory into the kernel virtual address space, an attacker can read the computer's entire physical memory.
Now, you might be wondering: "You said that page tables have permission bits. How can it be that user mode code was able to speculatively access kernel memory?" The reason is this is a bug in Intel processors. In my opinion, there is no good reason, performance or otherwise, for this to be possible. Recall that all virtual memory access must occur through the TLB. It is easily possible during speculative execution to check that a cached mapping has permissions compatible with the current running privilege level. Intel hardware simply does not do this. Other processor vendors do perform a permission check and block speculative execution. Thus, as far as we know, Meltdown is an Intel only vulnerability.
Edit: It appears that at least one ARM processor is also susceptible to Meltdown as indicated here and here.
Seems like there are two options. One is to do privilege checks before speculative code is executed. Another would be roll back the state of the cache on a protection fault.
The latter one appeals actually. In a GP fault handler you could just invalidate the cache line to foil step 7. And you don't need to slow down the common case where speculative
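To make the mitigation options in this thread concrete (the zero-result and all-ones-address ideas quoted above, and the GP-handler cache-line invalidation), here is an added toy model in C; it is not real hardware or kernel code and does no timing. It walks the quoted steps 3 to 7 at page granularity (probe index = secret byte rather than secret * 4096) under each policy and reports what a cache probe would observe afterwards. The page layout, the policy names and the `leak_attempt` helper are assumptions for the demo.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Toy address space (assumption): 256 user "probe" pages, one supervisor page
   holding the secret byte, and an unbacked top page that the redirect policy
   targets. One byte per page is modelled, which is all the probe needs. */
#define PROBE_PAGES 256u
#define KERNEL_PAGE 256u
#define TOP_PAGE    257u /* stands in for the all-ones physical address */
#define NUM_PAGES   258u

enum policy {
    POLICY_NONE,          /* vulnerable: data returned, line filled, fault only at retire */
    POLICY_ZERO_RESULT,   /* load port masks the result to zero on a privilege miss */
    POLICY_REDIRECT_TOP,  /* TLB gates the address bits to all ones on a privilege miss */
    POLICY_FLUSH_ON_FAULT /* GP handler invalidates lines touched in the speculative window */
};

struct cpu {
    enum policy pol;
    uint8_t mem[NUM_PAGES];
    bool supervisor_only[NUM_PAGES];
    bool cached[NUM_PAGES];  /* is the line at this page present in cache? */
    bool touched[NUM_PAGES]; /* lines filled since the last retired instruction */
    bool fault_pending;      /* the "fault when this reaches retirement" bit */
};

static void cpu_init(struct cpu *c, enum policy pol, uint8_t secret)
{
    memset(c, 0, sizeof *c); /* step 2: probe array starts uncached */
    c->pol = pol;
    c->mem[KERNEL_PAGE] = secret;
    c->supervisor_only[KERNEL_PAGE] = true;
    /* TOP_PAGE has no RAM behind it; mem[] stays 0 to mimic a read of nothing. */
}

/* One speculative byte load from `page` at privilege level `cpl` (3 = user). */
static uint8_t spec_load(struct cpu *c, unsigned page, int cpl)
{
    bool priv_miss = c->supervisor_only[page] && cpl == 3;
    if (priv_miss) {
        c->fault_pending = true; /* exception is raised only at retirement */
        if (c->pol == POLICY_ZERO_RESULT)
            return 0;            /* nothing data-dependent can follow */
        if (c->pol == POLICY_REDIRECT_TOP)
            page = TOP_PAGE;
    }
    c->cached[page] = true;
    c->touched[page] = true;
    return c->mem[page];
}

/* Retirement: deliver the pending fault; under FLUSH_ON_FAULT the handler
   invalidates every line the speculative window filled before returning. */
static bool retire(struct cpu *c)
{
    if (!c->fault_pending)
        return false;
    if (c->pol == POLICY_FLUSH_ON_FAULT)
        for (unsigned p = 0; p < NUM_PAGES; p++)
            if (c->touched[p])
                c->cached[p] = false;
    c->fault_pending = false;
    memset(c->touched, 0, sizeof c->touched);
    return true;
}

/* What a cache-timing probe of the 256 user pages observes afterwards:
   the index of the single cached probe page, or -1 if none or several. */
static int probe_observation(const struct cpu *c)
{
    int hit = -1;
    for (unsigned p = 0; p < PROBE_PAGES; p++) {
        if (!c->cached[p])
            continue;
        if (hit != -1)
            return -1;
        hit = (int)p;
    }
    return hit;
}

/* Steps 3 to 7 of the quoted sequence, run once against one policy. */
static int leak_attempt(enum policy pol, uint8_t secret)
{
    struct cpu c;
    cpu_init(&c, pol, secret);
    uint8_t v = spec_load(&c, KERNEL_PAGE, 3); /* step 3: faulting load, value used early */
    spec_load(&c, v, 3);                       /* step 5: data-dependent probe-array touch */
    retire(&c);                                /* step 6: fault delivered, handler runs */
    return probe_observation(&c);              /* step 7: timing probe over the array */
}
```

Under POLICY_NONE the observation equals the secret; under the zero and redirect policies it is the same constant whatever the secret, and under the flush policy the probe sees nothing at all.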
If you read Raymond Chen's Old New Thing blog he explains how the compatibility stuff is mostly in shims that get loaded only when an application needs them. So the notion that worrying about compatibility held back Microsoft is dubious.
Despite that Microsoft did abandon back compatibility around XP SP3 and Vista which both broke insecure code. And then they tried to convince people to stop writing Win32 code and start writing code for their newest API which changed every year. Joel ranted about this memorably
Unfortunately the effect was that people stopped writing Win32 code and started writing code for IOS and Android. And people started doing everything they could to avoid OS versions because they broke all their third party apps and pushed them obnoxiously to use Metro ones. Which no one was writing.
I.e. abandoning back compatibility gained them nothing and will probably kill Windows as a platform in the long run.
If we both agree that neither C#/Xamarin nor "portable C/C++ library and platform specific UI wrappers in Java/Objective C" are good ways to make cross platform applications doesn't that mean that Apple is right to try to develop an alternate way to do it? I.e. there's a gap in the market for a good cross platform mobile environment.
The EU offered Ukraine a chance to join the EU customs union to basically poke the Russians.
Customs unions are not free trade - quite the reverse as countries in one have to levy a common external tariff and cannot sign free trade agreements with countries outside the customs union.
In a sane world Ukraine would have one free trade agreement with the EU, another with Russia, the UK, US and so on and no one would attempt to expand customs unions which are by their nature exclusionary.
Of course it's not a sane world. The Russians offered Ukraine a chance to join the Russian customs union. The EU offered them a chance to join the EU one. And inside Ukraine there was a split between the pro Western parts and the pro Russian ones that led to governments falling and Russian backed separatists starting a civil war.
Russia was wrong to invade but the EU were wrong to troll Russia and then abandon Ukraine to Russian invasion.
A big part of the reason BREXIT is a good thing is because the UK will leave the EU customs union and replace it with a free trade agreement with the EU. And is then free to sign a free trade agreement with the US, Commonwealth countries, India, China etc.
I've got a Mac and I run Windows 10 in a Parallels VM. It's true that Parallels has a number of technical advances on the XP mode for Windows 7. However much of this paragraph would still apply
Since the virtual machine is running its own operating system, you can't easily share information across the virtual machine boundary. For example, suppose somebody double-clicks a .XYZ file, and the program responsible for .XYZ files is set to run in a virtual machine.
* Start the virtual machine.
* Log an appropriate user on. Hopefully, the user has an account in the virtual machine image, too. And of course the user will have to type their password in again.
* Once the system has logged the user on, transfer the file that the user double-clicked into the virtual machine's hard drive image somehow. It's possible that there are multiple files involved, all of which need to be transferred, and the identities of these bonus files might not be obvious. (Your word processor might need your spelling exceptions list, for example.)
* Run the target program with the path to the copied file as its command line argument.
* The program appears on the virtual machine operating system's taskbar, not on the main operating system's taskbar. Alt+Tab turns into a big mess.
* When the user exits the target program, the resulting file needs to be copied back to the main operating system. Good luck dealing with conflicts if somebody changed the file in the main operating system in the meanwhile.
The hassle with copying files around can be remedied by treating the main operating system's hard drive as a remote network drive in the virtual machine operating system. But that helps only the local hard drive scenario. If the user double-clicks a .XYZ file from a network server, you'll have to re-map that server in the virtual machine. In all cases, you'll have to worry about the case that the drive letter and path may have changed as a result of the mapping.
And that's just the first problem. Users will expect to be able to treat that program in the virtual machine as if it were running on the main operating system. Drag-and-drop and copy/paste need to work across the virtual machine boundary. Perhaps they get information via e-mail (and their e-mail program is running in the main operating system) and they want to paste it into the program running in the virtual machine. International keyboard settings wouldn't be synchronized; changing between the English and German keyboards by tapping Ctrl+Shift in the main operating system would have no effect on the virtual machine keyboard.
Isolating the program in a virtual machine means that it doesn't get an accurate view of the world. If the program creates a taskbar notification icon, that icon will appear in the virtual machine's taskbar, not on the main taskbar. If the program tries to use DDE to communicate with Internet Explorer, it won't succeed because Internet Explorer is running in the main virtual machine. And woe unto a program that tries to FindWindow and then SendMessage to a window running in the other operating system.
If the program uses OLE to host an embedded Excel spreadsheet, you will have to install Excel in the virtual machine operating system, and when you activate the object, Excel will run in the virtual machine rather than running in the main operating system. Which can be quite confusing if a copy of Excel is also running in the main operating system, since Excel is a single-instance program. Yet somehow you got two instances running that can't talk to each other. And running a virus checker in a virtual machine won't help keep your main operating system safe.
As has already been noted, the virtual machine approach also doesn't do anything to solve the plug-in problem. You can't run Internet Explorer in the main operating system and an Internet Explorer plug-in in a virtual machine. And since there are so many ways that programs on the desktop can in
Welcome to the humanities and social sciences where tiny samples and 1 sigma results are OK as are massive error bars. And then the media cherry pick which results to report and which to ignore based on whether they fit the journalists' political prejudices and generate dramatic headlines. And the 'scientists' all try to produce results that will get media attention because that means more grant money.
At least we still have physics as a real science.
Since they run out of book material the show has got cheesier and cheesier, particularly in the most recent season. But like everyone else I'll probably still watch it to the end.
And yeah, it makes a tonne of cash. But being lucrative and being good are not the same thing.
Interesting question. My point is that in the long run the left will disappear because their beliefs make them reproduce less efficiently, which means that as irritating as they are they are not going to survive.
Problem is of course they won't necessarily stop winning elections because they also believe in letting in unskilled third worlders who will end up dependent on benefits and voting left, even if they despise the left's social values as much as I do. Probably more so.
Then again I don't live in the US, so all this is really an abstract argument for me.
Isn't that basically what Richard Spencer says about constitutional rights?
"It's an ethnostate you virgin, who fucking cares about 'muh constitutional rights'?"
Special agent Jack Bauer will probably want to ask him his frequently asked questions of "WHO ARE YOU WORKING FOR!?" and "WHERE ARE THE WMDS!?"
It is ten thousand years into the reign of God Emperor Baron Trump. Humanity has spread out into the galaxy and an era of unprecedented peace and prosperity has dawned. The only issue is that contact has been lost by a few outlying colonies and there are rumours they have been attacked by a hostile extra galactic force.
Here's how Hillary can still win....
On that note there's a funny song called "The Palestinians Are Not The Same Thing As The Rebel Alliance, Jackass" by Atom and his Package. Now sadly unavailable on the Internet for some reason.
Ironically the left seems to be sterilizing itself by making single life, abortion, homosexuality and transgenderism fashionable and raising a family unfashionable.
And if you try to force pushing regulation through a backdoor, they'll moan a bit but they'll like it anyway.
Tolerably witty.
Barnier has already said the UK will get a 'Canada style' trade deal. I.e. no trade tariffs, but no financial passporting.
https://www.theguardian.com/po...
And that's his opening offer. I'm sure all those Remoaner banks like Goldman Sachs will get financial passporting in the end. If not, that's just tough. But they are traitors and kind of deserve it.
ANPR has been going on in the UK for ages
https://en.wikipedia.org/wiki/...
His cousin David Benioff is also running the Game of Thrones TV adaptation into the ground.
Can you actually make money shilling for bad movies and evil politics? Because I do that for fun anyway. Where do I send the invoices?
Star Wars is the story about a farm boy getting radicalised by an ageing follower of an obscure religion and eventually taking part in a 9/11 style terrorist attack that destroys a military base.
https://decider.com/2015/12/11...
When we first meet Luke Skywalker, he's an orphaned farm boy with barely any friends, living with his Aunt and Uncle, and wanting to join the Galactic Academy like all the other guys his age. You see, Luke didn't become a space terrorist overnight, but he did exhibit signs that would make him a prime candidate for terrorist recruiters. The process of radicalization, as described by Anthony Stahelski in the Journal of Homeland Security, notes terrorists tend to:
* Come from families where the father is absent (check)
* Have difficulty forming relationships outside the home (check)
* Be attracted to groups offering acceptance and comradeship (checkmate)
Luke is just the kind of isolated disaffected young man that terror recruiters seek out.
Obi Wan - a religious fanatic with a history of looking for young boys to recruit and teach an extreme interpretation of the Force - is practically salivating when he stumbles upon Luke, knowing he's found a prime candidate for radicalization. Stahelski notes terror groups place a focus on depluralization, stripping away the recruit's membership from all groups and isolating them to increase their susceptibility to terrorist messaging. Within moments of meeting Luke, Obi-Wan tells Luke he must abandon his family and join him, going so far as telling a shocking lie that the Empire killed Luke's father, hoping to inspire Luke to a life of jihad.
Shocked and confused by this onslaught of terrorist brainwashing, Luke hurries home only to find the charred corpses of his aunt and uncle. The Empire's accidental harming of Luke's Aunt Beru and Uncle Owen can be directly compared to the casualties of President Obama's drone campaign, whose body count terrorists capitalize upon for recruitment. This is precisely what Obi-Wan does, preying upon Luke's emotional state to take him under his spell and towards a life of extremism.
Obi-Wan whisks Luke off to Mos Eisley using a Jedi mind trick to bypass security, knowing full well he likely appears on numerous terror no fly lists. After contracting a local drug smuggler for transportation, Obi-Wan and his newest Skywalker recruit are off. They are soon captured, however, and attempt an escape which culminates in a battle between Obi-Wan and Vader. During the fight, Obi-Wan notices Luke watching, and seeing an opportunity to fully inspire Luke to radicalize, says a Jedi prayer while committing suicide. Can you think of any other groups who try to inspire terrorism by yelling a prayer before a suicide attack?
Once Luke escapes and regroups with a terror sleeper cell, he joins them on an attack mission. As he nears his target, hearing Obi-Wan's words in his mind, Luke closes his eyes, says a prayer and bombs a space station, killing everyone aboard. Young Skywalker has proven himself a quick study in the ways of armed religious extremism.
"BSD users are fat, have fleas and spend all their time posting on kuro5hin" as the troll goes
The process doing the probing gets the GP faults. It's relying on the fact that even though the accesses fault they still affect the cache. So you could clean up that in the GP fault handler before you return to the process, do a context switch or execute any untrusted code.
Actually you could do this in software. Which makes me wonder why no one has thought of it, because it seems a bit obvious. Maybe it's flawed in someway.
A bit of Googling turns up this
https://security.stackexchange...
Fixing Meltdown is relatively easy (compared to Spectre), although it probably can't be done with a microcode update. As well as setting a fault-if/when-this-reaches-retirement bit on the uop, a TLB lookup could gate the page-address bits (to all ones) with the privilege-check. e.g. a load in user-space from any kernel page could micro-architecturally execute as a load from the very top physical page. (And systems with less than the max amount of RAM wouldn't have any physical RAM at that physical address.)
Or a failed privilege check could maybe still allow the load to happen microarchitecturally, but mask the result to all-zero in the load port. (Remember, the Meltdown problem isn't that an unprivileged load can bring kernel data into cache, it's that the secret data load result can be used to make another load with a data-dependent address. Continuing speculative execution with a zero result for any under-privileged load that hits in the TLB wouldn't allow any data-dependent microarchitectural effects).
I.e. you do the virtual to physical translation using the TLB but you make invalid addresses map to an address with all ones. Since you have to do the V to P translation anyway, that seems like a good option.
I'm guessing Intel will do something in the next generation batch of chips out - basically hack the current generation with the fix. With a bit of luck Meltdown has put the ph3ar of the h@xx0rz into them and they'll do that at top priority.
It still means it's not a good time to buy a new PC though - anything you buy now will need KPTI or the equivalent enabled. It's claimed that on chips with PCID support KPTI isn't too bad, but that is dependent on what you're doing with the machine.
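For anyone weighing the "KPTI or equivalent" question on an existing Linux machine, here is an added example (not code from the thread): it reads the kernel's own Meltdown status line from sysfs (present since Linux 4.15) and looks for the "pcid" and "pti" CPU flags in /proc/cpuinfo. The status strings and the sysfs path are the ones the Linux kernel uses; the parsing functions take text, so they run on the constructed input in the test as well as on the real files.

```c
/* Added example, not from the thread: classify the Linux kernel's Meltdown
 * report (/sys/devices/system/cpu/vulnerabilities/meltdown, Linux >= 4.15)
 * and look for "pcid" (keeps KPTI's per-kernel-entry TLB cost down) and
 * "pti" (KPTI active) in the /proc/cpuinfo flag list. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

enum meltdown_state { MD_NOT_AFFECTED, MD_MITIGATED, MD_VULNERABLE, MD_UNKNOWN };

/* Map one sysfs status line to a state. The kernel prints strings such as
 * "Not affected", "Mitigation: PTI" or "Vulnerable". */
enum meltdown_state classify_meltdown(const char *status)
{
    if (strncmp(status, "Not affected", 12) == 0) return MD_NOT_AFFECTED;
    if (strncmp(status, "Mitigation:", 11) == 0)  return MD_MITIGATED;
    if (strncmp(status, "Vulnerable", 10) == 0)   return MD_VULNERABLE;
    return MD_UNKNOWN;
}

/* Return 1 if a "flags" line in cpuinfo-style text lists `flag` as a whole
 * word, 0 otherwise. Only "flags" lines are searched, so a flag name that
 * happens to appear in e.g. "model name" does not count. */
int cpuinfo_has_flag(const char *cpuinfo, const char *flag)
{
    const char *line = cpuinfo;
    size_t flen = strlen(flag);
    while (line && *line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        if (len > 5 && strncmp(line, "flags", 5) == 0) {
            const char *stop = line + len;
            const char *p = memchr(line, ':', len);
            while (p && p < stop) {
                /* skip the ':' and whitespace, then take one token */
                while (p < stop && (*p == ':' || isspace((unsigned char)*p))) p++;
                const char *tok = p;
                while (p < stop && !isspace((unsigned char)*p)) p++;
                if ((size_t)(p - tok) == flen && memcmp(tok, flag, flen) == 0) return 1;
            }
        }
        line = end ? end + 1 : NULL;
    }
    return 0;
}

/* Read a whole (small) file into buf; returns bytes read, 0 on failure. */
static size_t read_text(const char *path, char *buf, size_t cap)
{
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    size_t n = fread(buf, 1, cap - 1, f);
    fclose(f);
    buf[n] = '\0';
    return n;
}

int main(void)
{
    static char buf[1 << 16];   /* enough for the flags of the first CPUs */
    const char *names[] = { "not affected", "mitigated", "vulnerable", "unknown" };

    if (read_text("/sys/devices/system/cpu/vulnerabilities/meltdown", buf, sizeof buf)) {
        buf[strcspn(buf, "\n")] = '\0';
        printf("meltdown: \"%s\" -> %s\n", buf, names[classify_meltdown(buf)]);
    } else {
        puts("meltdown: no sysfs entry (kernel before 4.15, or not Linux)");
    }
    if (read_text("/proc/cpuinfo", buf, sizeof buf)) {
        printf("pcid: %s\n", cpuinfo_has_flag(buf, "pcid")
               ? "present (KPTI can use PCID instead of a full TLB flush)"
               : "absent (every kernel entry flushes the whole TLB)");
        printf("pti:  %s\n", cpuinfo_has_flag(buf, "pti") ? "set (KPTI active)" : "not set");
    }
    return 0;
}
```

Run it on the box in question; "Vulnerable" with no "pti" flag means the kernel has not been updated, and "Mitigation: PTI" without "pcid" is the case where the KPTI cost is highest.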
Uh, yeah. I do.
You could design a musical birthday card which uses a user replaceable lithium button cell which would still be legal.
[Stands and Roman salutes as Deutschland Über Alles arranged for monophonic square wave plays in the background]
There's nothing to stop you having more than one stack. MIPS chips don't have a hardware stack at all - you just have a bunch of registers and you do operations on them. The ABI defines one register as a stack but it could easily define another. Or it could define several.
Still, even on MIPS having two stacks is a breaking ABI change.
On Intel they've added new registers and new instructions. And it seems like once you enable CET you can't run non-CET code. I.e. it's like the switch from x86 mode to x64 where you can't run old code - everything needs to be recompiled. In the CET paper they have a bitmap to mark 4K code pages as either CET or 'legacy code'
3.6.1 Legacy Code Page Bitmap Format
The legacy code page bitmap is a flat bitmap whose linear address is pointed to by the EB_LEG_BITMAP_BASE.
Each bit in the bitmap represents a 4K page in linear memory. If the bit is 1 it indicates that the corresponding code page is a legacy code page; else it is a CET-enabled code page.
The processor uses the linear address of the instruction to which legacy transfer was attempted to lookup the bitmap. Bits of the linear address used as index in the bitmap are as follows.
They have to have that because you can't in general execute legacy code once CET is enabled because legacy code might innocently break the CET rules it doesn't know about. E.g. all indirect branches have to end at an ENDBRANCH instruction
http://www.securityweek.com/in...
Additionally, Patel explains that a new instruction was added to ISA, namely the ENDBRANCH instruction, which would mark legal target for an indirect branch or jump. "Thus if ENDBRANCH is not target of indirect branch or jump, the CPU generates an exception indicating unintended or malicious operation. This specific instruction has been implemented as NOP on current Intel processors for backwards compatibility (similar to several MPX instructions) and pre-enabling of software," he notes.
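To make the legacy-page bitmap and ENDBRANCH rule described above concrete, here is an added software model (not code from the thread, from Intel, or from the CET spec): one bit per 4K page of linear address space, bit set meaning a legacy page where an indirect branch may land anywhere, otherwise the branch target must start with an ENDBRANCH. The four-byte opcodes are the documented ENDBR64/ENDBR32 encodings; the index arithmetic follows the quoted spec text, and the branch-check function and the demo addresses are this example's own simplification of what the CPU does.

```c
/* Added example, not from the thread: a software model of the CET legacy
 * code page bitmap and the ENDBRANCH landing rule. Bit = 1 means legacy
 * (non-CET) code page; otherwise an indirect branch must land on ENDBRANCH
 * or the CPU raises the control-protection exception (#CP). */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define PAGE_SHIFT 12
static const uint8_t ENDBR64[4] = { 0xf3, 0x0f, 0x1e, 0xfa };   /* endbr64 */
static const uint8_t ENDBR32[4] = { 0xf3, 0x0f, 0x1e, 0xfb };   /* endbr32 */

/* Bytes a flat one-bit-per-page bitmap needs for an `addr_bits`-bit linear
 * address space: a 48-bit space needs 2^36 bits = 8 GiB. */
uint64_t legacy_bitmap_bytes(unsigned addr_bits)
{
    return (UINT64_C(1) << (addr_bits - PAGE_SHIFT)) / 8;
}

/* Index math: page number = linear address >> 12; byte = page / 8, bit = page % 8. */
uint64_t legacy_bitmap_byte(uint64_t linear_addr) { return (linear_addr >> PAGE_SHIFT) >> 3; }
unsigned legacy_bitmap_bit(uint64_t linear_addr)  { return (unsigned)((linear_addr >> PAGE_SHIFT) & 7); }

int page_is_legacy(const uint8_t *bitmap, uint64_t linear_addr)
{
    return (bitmap[legacy_bitmap_byte(linear_addr)] >> legacy_bitmap_bit(linear_addr)) & 1;
}

void mark_legacy_page(uint8_t *bitmap, uint64_t linear_addr, int legacy)
{
    uint8_t mask = (uint8_t)(1u << legacy_bitmap_bit(linear_addr));
    if (legacy) bitmap[legacy_bitmap_byte(linear_addr)] |= mask;
    else        bitmap[legacy_bitmap_byte(linear_addr)] &= (uint8_t)~mask;
}

/* Model of the indirect-branch landing check. `target_bytes` are the first
 * four bytes at the branch target. Returns 1 if the transfer is allowed,
 * 0 if the CPU would raise #CP. */
int indirect_branch_allowed(const uint8_t *bitmap, uint64_t target,
                            const uint8_t target_bytes[4])
{
    if (page_is_legacy(bitmap, target))
        return 1;                        /* legacy page: no ENDBRANCH needed */
    return memcmp(target_bytes, ENDBR64, 4) == 0 ||
           memcmp(target_bytes, ENDBR32, 4) == 0;
}

/* Worked scenario on a toy 16 MiB address space (4096 pages, 512-byte
 * bitmap). Returns a 3-bit code of the outcomes (1 = allowed): 0b101 = 5. */
int demo(void)
{
    static uint8_t bitmap[512];
    uint64_t cet_fn = 0x00401000, legacy_fn = 0x00405010;     /* constructed */
    const uint8_t plain_mov[4] = { 0x48, 0x89, 0xe5, 0x90 };  /* mov rbp,rsp; nop */

    memset(bitmap, 0, sizeof bitmap);
    mark_legacy_page(bitmap, legacy_fn, 1);
    int a = indirect_branch_allowed(bitmap, cet_fn, ENDBR64);      /* 1: proper entry */
    int b = indirect_branch_allowed(bitmap, cet_fn, plain_mov);    /* 0: mid-function */
    int c = indirect_branch_allowed(bitmap, legacy_fn, plain_mov); /* 1: legacy page */
    printf("CET page + ENDBR64:   %s\n", a ? "ok" : "#CP");
    printf("CET page mid-body:    %s\n", b ? "ok" : "#CP");
    printf("legacy page mid-body: %s\n", c ? "ok" : "#CP");
    return (a << 2) | (b << 1) | c;
}

int main(void)
{
    demo();
    printf("bitmap for a 48-bit space: %llu MiB\n",
           (unsigned long long)(legacy_bitmap_bytes(48) >> 20));
    return 0;
}
```

The third case is the point of the bitmap: a page flagged legacy opts out of the ENDBRANCH rule entirely, which is why an OS cannot simply flip CET on for a process that maps any unrecompiled code.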
Actually if you're going to do that you could enforce code signing for usermode too - the OS could verify the signature when it loaded the executable and would page code into memory it subsequently marked read only.
Kernel mode code has always been signed in 64 bit windows - they knew the switch from x86 to x64 was a breaking change so they decided to enforce that too.
Windows S will only run Win32 code if it is signed by Microsoft and they use that to stop any third party applications. Maybe they could have a more open system which still enforces code signing.
It'd suck for Win32 developers because they'd need to pay for a certificate like you do for kernel mode code.
Spectre works by getting speculatively executed code to access kernel mode memory. So they'd need to do protection checks before the speculative code did the access.
https://medium.com/@mattklein1...
1. In the first line, a "probe array" is allocated. This is memory in our process which is used as a side channel to retrieve data from the kernel. How this is done will become apparent soon.
2. Following the allocation, the attacker makes sure that none of the memory in the probe array is cached. There are various ways of accomplishing this, the simplest of which includes CPU-specific instructions to clear a memory location from cache.
3. The attacker then proceeds to read a byte from the kernel's address space. Remember from our previous discussion about virtual memory and page tables that all modern kernels typically map the entire kernel virtual address space into the user process. Operating systems rely on the fact that each page table entry has permission settings, and that user mode programs are not allowed to access kernel memory. Any such access will result in a page fault. That is indeed what will eventually happen at step 3.
4. However, modern processors also perform speculative execution and will execute ahead of the faulting instruction. Thus, steps 3–5 may execute in the CPU's pipeline before the fault is raised. In this step, the byte of kernel memory (which ranges from 0–255) is multiplied by the page size of the system, which is typically 4096.
5. In this step, the multiplied byte of kernel memory is then used to read from the probe array into a dummy value. The multiplication of the byte by 4096 is to avoid a CPU feature called the "prefetcher" from reading more data than we want into the cache.
6. By this step, the CPU has realized its mistake and rolled back to step 3. However, the results of the speculated instructions are still visible in cache. The attacker uses operating system functionality to trap the faulting instruction and continue execution (e.g., handling SIGFAULT).
7. In step 7, the attacker iterates through and sees how long it takes to read each of the 256 possible bytes in the probe array that could have been indexed by the kernel memory. The CPU will have loaded one of the locations into cache and this location will load substantially faster than all the other locations (which need to be read from main memory). This location is the value of the byte in kernel memory.
Using the above technique, and the fact that it is standard practice for modern operating systems to map all of physical memory into the kernel virtual address space, an attacker can read the computer's entire physical memory.
Now, you might be wondering: "You said that page tables have permission bits. How can it be that user mode code was able to speculatively access kernel memory?" The reason is this is a bug in Intel processors. In my opinion, there is no good reason, performance or otherwise, for this to be possible. Recall that all virtual memory access must occur through the TLB. It is easily possible during speculative execution to check that a cached mapping has permissions compatible with the current running privilege level. Intel hardware simply does not do this. Other processor vendors do perform a permission check and block speculative execution. Thus, as far as we know, Meltdown is an Intel only vulnerability.
Edit: It appears that at least one ARM processor is also susceptible to Meltdown as indicated here and here.
Seems like there are two options. One is to do privilege checks before speculative code is executed. Another would be to roll back the state of the cache on a protection fault.
The latter one appeals actually. In a GP fault handler you could just invalidate the cache line to foil step 7. And you don't need to slow down the common case where speculative
If you read Raymond Chen's Old New Thing blog he explains how the compatibility stuff is mostly in shims that get loaded only when an application needs them. So the notion that worrying about compatibility held back Microsoft is dubious.
Despite that Microsoft did abandon back compatibility around XP SP3 and Vista which both broke insecure code. And then they tried to convince people to stop writing Win32 code and start writing code for their newest API which changed every year. Joel ranted about this memorably
https://www.joelonsoftware.com...
Unfortunately the effect was that people stopped writing Win32 code and started writing code for iOS and Android. And people started doing everything they could to avoid OS versions because they broke all their third party apps and pushed them obnoxiously to use Metro ones. Which no one was writing.
I.e. abandoning back compatibility gained them nothing and will probably kill Windows as a platform in the long run.
If we both agree that neither C#/Xamarin nor "portable C/C++ library and platform specific UI wrappers in Java/Objective C" are good ways to make cross platform applications, doesn't that mean that Apple is right to try to develop an alternate way to do it? I.e. there's a gap in the market for a good cross platform mobile environment.
The EU offered Ukraine a chance to join the EU customs union to basically poke the Russians.
Customs unions are not free trade - quite the reverse, as countries in one have to levy a common external tariff and cannot sign free trade agreements with countries outside the customs union.
In a sane world Ukraine would have one free trade agreement with the EU, another with Russia, the UK, US and so on and no one would attempt to expand customs unions which are by their nature exclusionary.
Of course it's not a sane world. The Russians offered Ukraine a chance to join the Russian customs union. The EU offered them a chance to join the EU one. And inside Ukraine there was a split between the pro-Western parts and the pro-Russian ones that led to governments falling and Russian-backed separatists starting a civil war.
Russia was wrong to invade but the EU were wrong to troll Russia and then abandon Ukraine to Russian invasion.
A big part of the reason Brexit is a good thing is because the UK will leave the EU customs union and replace it with a free trade agreement with the EU. And is then free to sign a free trade agreement with the US, Commonwealth countries, India, China etc.
ARRRGH! MOTHERLAND!