Git Product home page Git Product logo

speculate's Introduction

An experiment in generating meltdown friendly specex branches in Java

This does not show Meltdown at work in the JDK, only that some test runs of the Java 1.8.0_162-ea-b03 (server JRE) running on MacOS 10.11.6 generated a sequence of operations which would appear to match what is needed.

  1. Other JREs may generate different code.
  2. The way the hotspot compiler works, it has to decide when to compile down. You need a lot of iterations to do this; the number changed whenever I modified the inner method.
  3. You still need the next step of the exploit, measuring the cache lookup times of array #2, using that to infer which entry was read. I have no idea how to begin doing that in Java.
  4. JNI libraries let you do this much more efficiently because you get full control of the assembly language and can call cache flushing operations, use rdtsc to measure cache lookup in cycles, etc.

if you can get a JNI library executed in a Java code, your chance of getting a meltdown exploit in on an unmodified computer is 100%. On

DLL for macos from https://github.com/evolvedmicrobe/benchmarks/blob/master/hsdis-amd64.dylib https://mechanical-sympathy.blogspot.co.uk/2013/06/printing-generated-assembly-code-from.html https://meltdownattack.com/meltdown.pdf

set -gx LD_LIBRARY_PATH lib/
export LD_LIBRARY_PATH=~lib/


'-XX:CompileCommand=print,*org.apache.labs.Main.run'

Generating the Assembly

-XComp compiles everything, which includes all the bits of the JVM invoked. Better to use -XX:CompileThreshold=100

Notes

It's truly awful how pretty much every article and blog post on the topic of JIT compilation is broken.

Why? Oracle killed every java.sun link.

Gone: the OpenJDK source downloads needed to build the hsdis_amd64.dylib DLL.

Gone: Everything releated to On Stack Replacement, as referenced by A close look at Java’s JIT (2012).

Low level information on how the JRE compiles code to native machine code is now lost, and now we are all struggling to work out what's going on, because articles written six years go have had all their citations unlinked. (there's some coverage on github), better hope they and StackOverflow never go away.

References

speculate's People

Contributors

steveloughran avatar

Watchers

AlexY avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.