On Wed, Jan 17, 2018 at 09:38:27PM -0500, Mouse wrote:
> But, on the other hand, I can easily imagine a CPU designer looking at
> it and saying "What's the big deal if this code can read that location?
> It can get it anytime it wants with a simple load instruction anyway.",
> something I have trouble disagreeing with.
Consider something like BPF -- code executed in the kernel with an enforced security model to prevent "undesirable" accesses. It will create logic like:

    void *p = ...;
    if (!is_accessible(p))
        raise_error();
    load(p);

Now imagine that the expression for p is intentionally pointing into userland and depends on the speculative execution of something else. Loading the pointer speculatively results in a visible side effect that defeats in part the access check. In short, it can effectively invert access control checks for verified code.

Joerg
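The check-then-load pattern Joerg describes, beside the index-masking mitigation that kernels such as Linux apply to verified BPF code (the idea behind its array_index_nospec()), as an added example that is not part of the mailing-list thread. The table, its size and the two load functions are constructed for illustration; index_mask_nospec() is a portable reimplementation of the masking idea, not the kernel macro itself.

```c
/* Added example, not from the thread: the verified check followed by a load,
 * and the branchless index clamp that keeps the load in range even when the
 * branch is mispredicted and the load runs speculatively. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_SIZE 16
/* Constructed sample data standing in for a kernel-side map or buffer. */
static const uint8_t table[TABLE_SIZE] = {
    0xA0, 0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0xA6, 0xA7,
    0xA8, 0xA9, 0xAA, 0xAB, 0xAC, 0xAD, 0xAE, 0xAF
};

/* Returns an all-ones mask when idx < size and 0 otherwise, using only
 * arithmetic, so the result is computed from the data rather than from a
 * branch outcome the CPU may have guessed. If idx < size, both idx and
 * (size - 1 - idx) have their top bit clear; if idx >= size, the second
 * term wraps around and sets it. Same construction as the kernel's generic
 * array_index_mask_nospec(), written without a signed right shift. */
static size_t index_mask_nospec(size_t idx, size_t size)
{
    size_t top = (idx | (size - 1 - idx)) >> (sizeof(size_t) * CHAR_BIT - 1);
    /* top == 0 -> mask = SIZE_MAX; top == 1 -> mask = 0 */
    return top - 1;
}

/* Pattern from the post: architecturally correct, but table[idx] can be
 * fetched before the branch resolves, with idx still out of range. */
uint8_t load_checked(size_t idx)
{
    if (idx < TABLE_SIZE)
        return table[idx];
    return 0;
}

/* Hardened form: the index that reaches the load is masked, so even a
 * mispredicted branch cannot forward an out-of-range idx to table[]. */
uint8_t load_checked_nospec(size_t idx)
{
    if (idx < TABLE_SIZE) {
        idx &= index_mask_nospec(idx, TABLE_SIZE);
        return table[idx];
    }
    return 0;
}

/* The index the masked load would actually use for a given input. */
size_t clamped_index(size_t idx)
{
    return idx & index_mask_nospec(idx, TABLE_SIZE);
}

int main(void)
{
    size_t probes[] = { 0, 3, 15, 16, 1000, SIZE_MAX };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        printf("idx=%zu mask=%#zx clamped=%zu value=%#x\n",
               probes[i], index_mask_nospec(probes[i], TABLE_SIZE),
               clamped_index(probes[i]), load_checked_nospec(probes[i]));
    }
    return 0;
}
```

Both functions return the same values for every input; the difference is only in what the hardware may touch while the branch is unresolved. In production code the mask computation must also be protected from the compiler (the kernel uses OPTIMIZER_HIDE_VAR for this), since an optimizer that proves idx < size inside the branch would otherwise drop the mask.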