Hi folks.

I think that the Spectre variant 2 situation is a lot worse for:
- Speculative CPU
- Weak memory protection

Then I don't need a JIT for gadgets. Architectures that fall into this:
- default i386 NetBSD, because it is missing the NX bit (PAE is optional)
- MIPS for us, because we don't use kseg2 and then it doesn't go through the MMU.

No NX bit:
- Make a file, the contents of it is a Spectre gadget
- Put it in the buffer cache
- Poison the branch predictor, which will speculatively execute the contents of this file

No SMEP:
- Locally create a Spectre gadget and make it executable
- Poison the branch predictor to jump to my user-memory gadget
- Enter the kernel (maybe helped by Meltdown fixes, if they are early enough)

Now I am not sure how MMUs work, but I think that even if
- the kernel has its own ASID
- but... we haven't switched to it yet before performing a branch
then at the early branches I could speculatively execute some user code.