
I haven't been programming in a couple of years, but with all the fuss about Meltdown and Spectre I've installed VS2017 and compiled the Spectre example from this pdf: https://spectreattack.com/spectre.pdf

However, I have no idea how the address that the Spectre example takes on the command line works.

I modified the code to output the pointer address of the secret string and compiled with cl in the Native Tools Shell and it outputs something like:

00007FF6CF2210F0

Entering this address on the command line to the example it outputs the secret string correctly.

But if I make a simple program with a similar string and output that address and then feed it to the Spectre example, in another shell, I don't get the correct string.

I've been reading about virtual vs physical addresses and pages and offsets, but I'm quite lost.

So the question is:

How would you in C code calculate the physical address of a pointer?

Dacobi

1 Answer

How would you in C code calculate the physical address of a pointer?

I take you to be asking about calculating the physical address represented by a pointer value, as opposed to the physical address at which the pointer value is stored. The latter just boils down to the former anyway.

But as far as the C language itself is concerned, you don't do this. C does not recognize the distinction between physical and virtual memory in the first place, nor does it have any need to do so. That distinction is an OS-level concern with hardware support. Thus, any technique that accomplishes what you describe relies on details of the C implementation and execution environment.

That Spectre manages to break the process isolation provided (in part) by virtual memory is probably the most frightening thing about it.

John Bollinger
  • But then what does the example code expect from this line? `sscanf(argv[1], "%p", (void**)(&malicious_x)); malicious_x -= (size_t)array1;` Is it simply designed to read its own allocated memory? – Dacobi Jan 10 '18 at 14:59
  • And what is that supposed to demonstrate, @user3866319? – John Bollinger Jan 10 '18 at 15:00
  • What do you mean by demonstrate? – Dacobi Jan 10 '18 at 15:03
  • @user3866319, when I first responded to your comment, it was just a line of code. Now that you have put a question around the code, the answer is that I don't expect anything in particular from it, because it appears likely to have undefined behavior. I'd need more context to be sure. – John Bollinger Jan 10 '18 at 15:06
  • The default behavior of the example is to read a predefined string. But if you add argv's (address) (length) it will read from there. Which is where my understanding of memory address space broke down in the first place. – Dacobi Jan 10 '18 at 15:09
  • @user3866319, your code reads text input from the string designated by `argv[1]` and attempts to convert it to a pointer value, to be stored in variable `malicious_x`. It then performs a pointer difference operation and updates `malicious_x` with the result. Upon reflection, this code's behavior is undefined for one clear reason (the stored value of `malicious_x` is accessed via a pointer to a different object type). Its behavior is likely undefined (as far as C is concerned) for at least two other, independent reasons, as well. – John Bollinger Jan 10 '18 at 15:16
  • @user3866319, more generally, pointer arithmetic produces defined results only when it does not cross object boundaries (roughly speaking). Moreover, on a typical C implementation on a virtual memory system, pointer values correspond to *virtual* addresses anyway, not physical ones, so I'm failing to see the relevance. – John Bollinger Jan 10 '18 at 15:20
  • The code works fine if you enter a pointer value within the process memory. What I didn't understand at first was how a pointer to another process would be formatted. But if I understand correctly you're saying that that's impossible? – Dacobi Jan 10 '18 at 15:21
  • @user3866319, "works fine" is not at all the same thing as "has defined behavior". And using a `%p` with `scanf` to convert a pointer value that was not produced by the same process [explicitly has undefined behavior](http://port70.net/~nsz/c/c11/n1570.html#7.21.6.2p12). But in any case, on a virtual memory system, all addresses in a process refer to that process's *own* virtual memory space. – John Bollinger Jan 10 '18 at 15:25
  • That's basically what I was trying to say. A value in the process's memory will produce the correct result in regards to the example. But as you say, a value from another process is undefined. – Dacobi Jan 10 '18 at 15:35
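To make the point of the answer and the comment thread concrete, here is an added example (not code from the question, the answer or the Spectre paper) that does what the PoC's `sscanf("%p")` / `malicious_x -= (size_t)array1` lines do, but in a well-defined way: the address text is parsed as an integer, accepted only if it falls inside this process's own object `array1`, and then turned into an offset from `array1`. The names `array1`, `ARRAY1_SIZE`, `parse_address` and `offset_in_array1` are assumptions of this example; an address printed by another process refers to that process's virtual address space and is simply rejected.

```c
/* Added example (not from the question, the answer or the Spectre paper): parse
 * an address typed as text, as the PoC's sscanf("%p") line does but via
 * uintptr_t, accept it only if it lies inside this process's own `array1`, and
 * return the offset that `malicious_x -= (size_t)array1` computes. An address
 * printed by another process belongs to that process's virtual address space,
 * so it is rejected rather than used. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#define ARRAY1_SIZE 160
static unsigned char array1[ARRAY1_SIZE];   /* stand-in for the PoC's array1 */
/* Parse hex text such as "00007FF6CF2210F0" (with or without a 0x prefix).
   Returns 0 on success, -1 if the text is not a valid address. */
int parse_address(const char *text, uintptr_t *out)
{
    char *end = NULL;
    errno = 0;
    unsigned long long v = strtoull(text, &end, 16);
    if (errno != 0 || end == text || *end != '\0')
        return -1;
    *out = (uintptr_t)v;
    return 0;
}

/* Offset of addr from array1 if addr points into array1, else -1. The
   comparison is done on integers, not pointers, so it stays defined even
   when addr has nothing to do with array1. */
long offset_in_array1(uintptr_t addr)
{
    uintptr_t base = (uintptr_t)array1;
    if (addr < base || addr >= base + ARRAY1_SIZE)
        return -1;
    return (long)(addr - base);
}

/* Integer address of array1[index]; used to build in-process test inputs. */
uintptr_t address_of_array1_elem(size_t index) { return (uintptr_t)&array1[index]; }

int main(int argc, char **argv)
{
    uintptr_t addr;
    if (argc < 2 || parse_address(argv[1], &addr) != 0) {
        fprintf(stderr, "usage: %s <hex-address>\n", argv[0]);
        return 1;
    }
    long off = offset_in_array1(addr);
    if (off < 0) printf("%s does not point into this process's array1\n", argv[1]);
    else printf("offset %ld from array1\n", off);
    return 0;
}
```

Run it twice, or from two different programs, and the address of `array1` differs each time under ASLR, which is why a value printed by another program is meaningless here.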