Hacking Spectre bug affecting the Switch?

chippy

So the news of bugs in CPUs coming out atm has some serious issues.

Meltdown won't affect the Switch, but Spectre affects ARM processors, so the Switch could be affected.

"The paper describes using speculation around, for example, array bounds checks and branches instructions to leak information, with proof-of-concept attacks being successful on AMD, ARM, and Intel systems. Spectre attacks can be used both to leak information from the kernel to user programs, but also from virtualization hypervisors to guest systems."

more can be read here
https://arstechnica.com/gadgets/201...odern-processor-has-unfixable-security-flaws/

zoogie

playing around in the end of life
If someone made a switch version of that cute little spectre ghost I'd be so happy :P

[image: spectre-text.png]

I wonder if that little ghost intends to flog us with that little switch in its hand ;p

edit:

[image: spectre-text2.png]
I have way too much time on my hands as you can see XD

Last edited by zoogie.

Kioku


chippy

I am asking about "Spectre", NOT Meltdown.
They are two different CPU issues that have come out in the news in the past few days.

Meltdown affects Intel CPUs only.
Spectre affects ARM, AMD and Intel CPUs.

Astoria

Yes. Spectre affects pretty much everything.

However, it's very hard to exploit. And there are easier ways for kernelhax in Switch.
 

Selver

... Meltdown won't affect the Switch, but Spectre affects ARM processors, so the Switch could be affected.

TLDR: YES to both Spectre and a slight variation of Meltdown.

Summarization so far:
  • Spectre includes two vulnerabilities, which ARM describes as Variant 1 and Variant 2.
  • Meltdown is officially one vulnerability, which ARM describes as Variant 3, and ARM describes a slight variation they call Variant 3A.
  • The Cortex A57 is susceptible to Variants 1, 2 (Spectre), and to 3A (Meltdown variant for system registers)
  • The Cortex A57 is NOT susceptible to Variant 3 (Meltdown proper).
  • ARM themselves released proof-of-concept code for each variant.
Impact:
  • Meltdown provides an arbitrary read primitive of any memory that is mapped in the page tables, even if permissions would prevent its use (e.g., different ASID/PCID, being marked as only accessible via kernel-mode/EL1, etc.)
  • The Meltdown Variant 3A allows reading of EL1 (kernel-mode) system registers from EL0 (user-mode) processes. This can be used to break KASLR, but the Switch isn't using KASLR. It's unclear what other system registers are of particular interest in the Switch at the moment.
  • Spectre provides an arbitrary read primitive similar to Meltdown, but uses predictive out-of-bounds array loads and EL0 (usermode) seeding of branch prediction to use existing EL1 (kernel) code to do the dirty work (avoiding need for Meltdown's speculative load of data that is not accessible, as EL1 can legally speculatively access EL1 pages...)
  • ARM Trusted Firmware appears to further be vulnerable to Variant 2, but no vulnerable code patterns have yet been disclosed for Variant 1, limiting the application of Spectre against TrustZone on Switch at this time.
  • It's not currently clear if/how Meltdown (Variants 3 and 3A) would be applied to EL3 (TrustZone).

Last edited by Selver. Reason: Fix impact to clarify Meltdown vs Spectre
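Added example (my own code, not from the thread and not ARM's proof-of-concept): the Variant 1 "vulnerable code pattern" Selver mentions is a bounds check done as a conditional branch, and the mitigation the Linux kernel uses is to clamp the index arithmetically so there is no branch for the predictor to run ahead of. The table contents and the probe indices are constructed values; the helper name index_mask_nospec is my own, modelled on the kernel's array_index_nospec() idea.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample table, not data from the thread. */
#define TABLE_LEN 16
static const uint8_t table[TABLE_LEN] = {
    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25
};

/* The branchy pattern: architecturally correct (returns 0 when idx is
 * out of range), but the check is a conditional branch, so the CPU may
 * speculatively perform the load with an out-of-range idx before the
 * branch resolves. */
static unsigned lookup_branchy(size_t idx)
{
    if (idx < TABLE_LEN)
        return table[idx];
    return 0;
}

/* Branchless clamp mask (assumed helper, modelled on the kernel's
 * array_index_nospec()): all ones when idx < size, all zeros otherwise.
 * Only arithmetic is used, so there is no branch to mis-speculate.
 * Requires 0 < size <= SIZE_MAX / 2. */
static size_t index_mask_nospec(size_t idx, size_t size)
{
    /* If idx < size, both idx and (size - 1 - idx) have the top bit clear.
     * If idx >= size, (size - 1 - idx) wraps around and sets the top bit. */
    size_t t = idx | (size - 1 - idx);
    size_t top = t >> (sizeof(size_t) * 8 - 1);  /* 0 in range, 1 out of range */
    return top - 1;                               /* 0 - 1 wraps to all ones */
}

/* Hardened lookup: same architectural result as lookup_branchy, but the
 * index is forced to 0 in the data path, so even a mis-speculated run
 * past the check cannot load from beyond the table. */
static unsigned lookup_nospec(size_t idx)
{
    if (idx < TABLE_LEN) {
        idx &= index_mask_nospec(idx, TABLE_LEN);
        return table[idx];
    }
    return 0;
}

int main(void)
{
    /* Constructed probe indices: in range, at the boundary, far out. */
    size_t probes[] = { 0, 7, 15, 16, 1000, SIZE_MAX };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        printf("idx=%zu branchy=%u nospec=%u mask=%zx\n", probes[i],
               lookup_branchy(probes[i]), lookup_nospec(probes[i]),
               index_mask_nospec(probes[i], TABLE_LEN));
    }
    return 0;
}
```

Both lookups agree on every index a program can actually pass; the mask only changes what happens on the path the CPU guesses, which is the whole point of the mitigation. Compilers are free to turn the masked version back into a branch unless the clamp is written as an inline-asm or compiler-barrier sequence, which is why the kernel's real helper carries per-architecture care.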

chippy

Thanks for the info Selver. I didn't think Meltdown (or variants) affected anything other than Intel CPUs, so that's interesting to learn.
More stuff I can look into to satisfy my curiosity.

_______

Based on some tests/reports, games on PC are not affected.....

It's not about the games. If you have execute privilege, you could make it work as long as the chip was affected.

Google said that they haven't found a commercial application that could trigger this, but you can write your own. (Still, we need userland execute privilege, which we normally don't have on consoles by default.)

Selver

Previously, I wrote:
... It's unclear what other system registers are of particular interest in the switch at the moment ...

Here's some system registers that MIGHT be of interest, if you want to understand the configuration of the system:
However, even though Meltdown is conceptually easier to understand, it appears that Variant 3A may be of limited use on the Switch.

Spectre, although conceptually mind-bending, appears more likely to provide insight into the inner workings of the system. However, the technical expertise required to understand and implement it reduces the number of developers who could do so to a small number... Read and understand the Meltdown exploit first, and only then consider Spectre. I wouldn't claim to fully understand it... One of those variants appears to allow an attacker to cause speculative execution to select an attacker's chosen gadget as the speculated jump point... thus speculatively executing random (existing) code gadgets... which cache side channels then expose the value used in those speculative executions... brain melt down...
