Kensan is a user on You can follow them or interact with them if you have an account anywhere in the fediverse. If you don't, you can sign up here.


This talk contains an interesting idea: emulating Instruction Set Architectures on function-level granularity using NX/execute-disable to trap calls crossing ISA boundaries. The application is using QEMU in UEFI on Aarch64 to run x86_64 Option ROMs. This allows 64-bit ARM code to call x86_64 code, which is emulated, that in turn can call back into Aarch64 code etc.

Further info:

Kensan boosted

@Kensan Nobody, literally nobody, cited us as brilliant precursors :D

Kensan boosted

software release, hype Show more

This SGX paper from May 2017 titled “Leaky Cauldron” describes how TLBs are shared between Hyperthreads (section 4.1): “Further we found that when HyperThreading is turned on for a processor, we can clear up the TLBs without issuing TLB shootdown”.

It also contains a systematic analysis of The susceptibility of Intel SGX to memory side-channels.

Paper about Intel CPU flaw is out:
“LazyFP: Leaking FPU Register State using Microarchitectural Side-Channels”

Kensan boosted

So I pulled the plug and switched from UPC Cablecom to a small-ish local ISP (Init7) that has been very active with IPv6 and has a clear stance on net neutrality. Despite the (theoretical) bandwidth being much smaller, 200 vs. 27 Mbit, I am very satisfied.

Kensan boosted

@Kensan @cynicalsecurity @phessler @mlarkin also the dead ends. One of the best talks I've seen was about someone failing at modding a childhood computer, not realising that they could've done most of the work in software till it was pointed out at the end of the talk.

Kensan boosted

@Kensan @cynicalsecurity @phessler @mlarkin I think talks about how and why are often so much more meaningful than "I broke a widget" talks.

Oh look, Theo de Raadt seems to confirm my feeling regarding Intel Hyperthreading that I tooted about yesterday:

See also this discussion/rant (with @mulander @cynicalsecurity @csirac2) about Hyperthreading from January:

Considering the many interesting talks at conferences I hear about I have to get my ass to one of them at some point in the future.

More details about the Intel CPU issue. Affected OSes:
- Linux (mostly pre 4.4.y, y < 138)
- FreeBSD
- Windows
- KVM when run on affected Linux kernel versions
- All Xen versions and generally all hypervisors that employ lazy FPU switching

Affected CPUs:
- Verified on the Intel Core microarchitecture from Sandy Bridge to Skylake
- State of other processors unclear

There are also attack details, at least for one of three variants they discovered.

Pondering some more on the “Speculating Intel” talk: I have a feeling there are more issues to be found wrt. hyperthreading. A lot more state is shared between Hyperthreads than physical CPUs which, as we have learned, already share more state than intended...

Wait what? One should hold oneself to an embargo of a vendor even if One has not signed the NDA to get access to the embargoed information? Please tell me I am not the only person thinking this is ridiculous.

“...should have considered himself part of the embargo in spirit if not in letter.”


Well that escalated quickly: Q&A session of Theo de Raadt’s talk “Speculating About Intel” turns rather intense. Imho, Embargos are problematic and we do need to talk about them and/or find a better way to resolve such issues.

Also, with Muen we basically flush and switch “everything” we can when scheduling a different subject. Obviously we take a performance hit (in addition to using Virtualization as the isolation mechanism) but it’s ok for our workloads.

Kensan boosted

Apparently there are rumors that FPU state is affected by Spectre as well (h/t @mlarkin on the birdsite):

“post-Spectre rumors suggest that the %cr0 TS flag might not block speculation, permitting leaking of information about FPU state (AES keys?) across protection boundaries.”

Kensan boosted

Ouch, XSA-201 (Don’t panic, it’s from 2016) sounds like a nasty ARM issue: „ARM guests may induce host asynchronous abort“

Apparently there was some beef between Xen and KVM since the advisory also has a „Note regarding lack of embargo“ section which says: The issue was discussed publicly (and has been fixed already in KVM in public trees). ¯\_(ツ)_/¯

Check out the latest Genode release: it brings update of the Genode Foundations book and much improved Sculpt TC - for The Curious (alternative naming that did not catch on: Trixie-Park Compilation):

Full release notes can be found here: