Robert Mustacchi

But effectively, if you take Let's just use the 4 gigabyte 32-bit address space as a simple example for a second. Every process has a 4 gigabyte address space, or a 64-bit process has 64 bits with a bunch of holes. But the top gig in that 4 gig address space is always the kernel. And it's the same in every process.

But effectively, if you take Let's just use the 4 gigabyte 32-bit address space as a simple example for a second. Every process has a 4 gigabyte address space, or a 64-bit process has 64 bits with a bunch of holes. But the top gig in that 4 gig address space is always the kernel. And it's the same in every process.

But when you make a system call, you can start executing kernel text, and you don't have to go try and basically change the MMU context, change the page tables, because that's generally expensive and potentially causes cache invalidations and is the root of a lot of CPU performance challenges.

But when you make a system call, you can start executing kernel text, and you don't have to go try and basically change the MMU context, change the page tables, because that's generally expensive and potentially causes cache invalidations and is the root of a lot of CPU performance challenges.

Yeah, exactly. And ARM, through various incarnations these days, especially in the 64-bit ARMv8a profile, looks very much like x86 does in that regard. But eventually, there's a bit in there, or a few bits that say, should this page be a kernel page or a user page?

Yeah, exactly. And ARM, through various incarnations these days, especially in the 64-bit ARMv8a profile, looks very much like x86 does in that regard. But eventually, there's a bit in there, or a few bits that say, should this page be a kernel page or a user page?

And effectively, what that's meant to say is that if you're a user process, even though those kernel pages and those kernel VAs exist, if you try to read them, you'll get a page fault. And then the kernel will come and drop a signal on you to basically say, you've been reading something that you can't. Unfortunately, through the power of speculation, what basically happened is that

And effectively, what that's meant to say is that if you're a user process, even though those kernel pages and those kernel VAs exist, if you try to read them, you'll get a page fault. And then the kernel will come and drop a signal on you to basically say, you've been reading something that you can't. Unfortunately, through the power of speculation, what basically happened is that

That check happened, but after all the side effects of doing the read were pretty much done. So everything other than, you know, it doesn't show up in your register, but it's impacted, but it was loaded into all the caches and everything else, such that you could still see it. So basically, you could read any arbitrary piece of kernel memory you want.

That check happened, but after all the side effects of doing the read were pretty much done. So everything other than, you know, it doesn't show up in your register, but it's impacted, but it was loaded into all the caches and everything else, such that you could still see it. So basically, you could read any arbitrary piece of kernel memory you want.

So whether that was, you know, someone's packets, security keys, you know, someone else's file system cache data. It was, yeah.

So whether that was, you know, someone's packets, security keys, you know, someone else's file system cache data. It was, yeah.

Yeah, there have been a bunch of a build up in the literature of different L3 cache attacks, like prime and pump and other things, where you start using L3 cache as shared resources, but people didn't expect you could go through the page tables. Or my favorite one really is EagerFPU, which is just a fun one of just like, oh, you really can speculate through everything.

Yeah, there have been a bunch of a build up in the literature of different L3 cache attacks, like prime and pump and other things, where you start using L3 cache as shared resources, but people didn't expect you could go through the page tables. Or my favorite one really is EagerFPU, which is just a fun one of just like, oh, you really can speculate through everything.

Yeah. But yeah, I'd say that's been one of the small advantages of working for smaller companies that you get to explore a lot more of this stuff than you necessarily do at kind of some of the larger places because there's just... We're a less cemented team, so often there's not a big kernel org sitting by. Even if you look at Apple, they have a lot of different groups there.

Yeah. But yeah, I'd say that's been one of the small advantages of working for smaller companies that you get to explore a lot more of this stuff than you necessarily do at kind of some of the larger places because there's just... We're a less cemented team, so often there's not a big kernel org sitting by. Even if you look at Apple, they have a lot of different groups there.

A bug comes up, you're going to pass it off to that group, and you're not going to chase it down or look at it or have to figure it out, which is sometimes with a blessing and a curse. It's great to have a lot of different colleagues, but sometimes it means there's less opportunities for you to learn or kind of move around in that regard.

A bug comes up, you're going to pass it off to that group, and you're not going to chase it down or look at it or have to figure it out, which is sometimes with a blessing and a curse. It's great to have a lot of different colleagues, but sometimes it means there's less opportunities for you to learn or kind of move around in that regard.

I think it's when we're able to execute it most directly. I mean, so I think there's a, you remember Keith and I had, like Keith was driving, together we had kind of this dog patch pitch. Yes. Must have been 2015, 2014. Yes. Maybe 2016 at the latest. Can't be that much later. No, not 2016.

I think it's when we're able to execute it most directly. I mean, so I think there's a, you remember Keith and I had, like Keith was driving, together we had kind of this dog patch pitch. Yes. Must have been 2015, 2014. Yes. Maybe 2016 at the latest. Can't be that much later. No, not 2016.