Comments on TenFourFox Development: Actual field testing of Spectre on various Power Macs (spoiler alert: G3 and 7400 survive!)

Anonymous (2018-02-15T13:09:40.745-08:00):
For what it's worth, it looks like IBM has decided that POWER4 and all newer POWER-branded CPUs are vulnerable to both Spectre variants and to Meltdown: https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/

And, I mean, you've demonstrated that PPC970 (a POWER4 variant) and POWER6 are vulnerable to Spectre, but thought this would be informative.

Jamie Marchant (2018-01-23T14:34:01.404-08:00):
Wouldn't you need a different exploit on PPC than X86 and ARM? I would be surprised if many modern hackers would bother with such a thing. Maybe to try and exploit people using PPC game console browsers, question is how many people run browsers on their consoles and are they even affected?

ClassicHasClass (2018-01-18T13:40:18.547-08:00):
(It also needed modification to inline assembly instead of using the PPC intrinsics.)

ClassicHasClass (2018-01-18T13:39:37.000-08:00):
gcc, on AIX.

Anonymous (2018-01-18T09:04:02.924-08:00):
How did you compile this on your p520? What environment? Linux on Power or AIX?

Tobias (2018-01-13T08:10:49.610-08:00):
The latest version from GitHub manages to recover lots of bytes on the DLSD at optimization level 0 (and also at level g) - but I could not find out what compiler feature makes the difference.

Tobias (2018-01-12T14:01:22.363-08:00):
Well, it's the 970FX v3.1 in my iMac G5 iSight.
In optimization levels 1 to 3 with each run cycle the execution speed may vary greatly and the number of reported successes can vary between all unclear and all success.

Some more observations:
Compiling with gcc 4.9, 5 and 6 at O0 and with mdynamic-no-pic and mpowerpc64 (that's 64 bit instructions enabled but using 32 bit ABI) enabled makes the recovery fail reliably on the G5.
Built for ppc64 (passing m64) at any optimization level higher than 0 makes the recovery fail most of the time. But there's one notable exception! Using Apple's '-fast' switch makes it succeed reliably. Even when enabling all the flags mentioned to be included in '-fast' doesn't produce the same results.

Tobias (2018-01-12T14:00:18.287-08:00):
This comment has been removed by the author.

Anonymous (2018-01-10T09:15:52.659-08:00):
Testing on my 1.67GHz 12" PowerBook with 10.4.11 and gcc 4.0.1

-arch ppc7450 -O0 partial success
-arch ppc7450 -O3 worse but it gets a few letters

high/reduced/automatic doesn't have much effect.
I have a lot of stuff open and with things running in the background (like TFF with a bunch of tabs) it doesn't seem to work as well.

I also tested on a 7448 cube and it got repeatable perfect success off a clean boot, but again with a bunch of stuff going its success rate falls.

artphotodude (2018-01-09T16:24:00.450-08:00):
This new hyper-aggressive AltiVec in TFF is becoming a real problem. Have had to hard-reset my system 3 times in 2 days because it will out of nowhere just sap-up all the CPU it can get and do nothing. Can't get to desktop and sometimes can't even force-quit. I suspect you might need to implement multiple models (Performance vs Stability). Or perhaps a routine that checks whenever the app goes over a certain amount of CPU usage and provide an option to continue or disable the offending javascripts. The worst part is the more power it has access to (like when both CPUs are enabled), the faster it becomes unresponsive.

ClassicHasClass (2018-01-09T11:29:33.446-08:00):
I should have thought to check the PVRs on them, but I'll do that when I'm back from my trip. I do have an Apple Network Server with a 604e ...

ClassicHasClass (2018-01-09T11:27:15.407-08:00):
The G5's timing is definitely all over the place.
It's clearly exploitable, but I really did have the best luck with the 7450.

ClassicHasClass (2018-01-09T10:59:37.744-08:00):
And he got back to me: Tiger makes no difference. So it's something unique about the DLSD's hardware.

jeisom (2018-01-09T08:51:08.463-08:00):
I ran these on 10.5.8 with Xcode 3 using gcc4.2. CACHE_HIT_THRESHOLD can be raised up to 5 with this gcc build.

On Slow, -O0 seems to be the only one to produce correct and success with all the arches above. The other optimizations all list unclear and at least some correct characters.

On Fast, I get no successes. With ppc7400 -O0 and ppc970 -O0 are unclear, but all are right. The rest were all unclear and only had some correct letters in each.

gcc-mp-6(6.4.0_0), none had success and only -O1 and -O3 produced anything resembling the string. I went with the default arch with this as it complained about any arch.

I did not run multiple runs to see for variations.
Obviously compiler optimizations have a big effect on this.

All tests above are with CACHE_HIT_THRESHOLD=5.

jeisom (2018-01-09T08:42:22.991-08:00):
This was on a Quad btw.

Anonymous (2018-01-08T11:41:52.274-08:00):
Meant difference as in responsiveness/performance*

Anonymous (2018-01-08T11:39:11.903-08:00):
My late 2005 12" iBook and fw800 powermac G4 would both fetch every character without any errors. Doing it defeated completely the test on both hosts. Spending 2 hours on both like this did not give any (noticeable) difference. But it breaks waking from sleep on my iBook :(.

On the long run, no doubt it would end up having performance hits, although it wouldn't compare to the loss of the 970 and the importance of its dynamic branch prediction hardware.

LightBulbFun (2018-01-08T10:08:03.368-08:00):
very interesting information :)

LightBulbFun from Mac Rumors here (the Guy who did the 604 10.4.11 kernel :) )

The DLSD results are indeed very interesting, since all DLSDs I have seen use the Rev 1.5 7447B. Now I wonder, I have seen a few other Macs (like last gen iBooks) with Rev 1.5 7447Bs, I wonder how those would fare? It would tell us if it's the DLSD's power management or the Rev 1.5 7447B at play. Also, what Rev 7447B is in your 12 inch PowerBook 1.5GHz?

all in all very interesting (I also wonder how a 60x CPU would fare or some of the other G3 variants like the 750CX(e) 750FX 750GX etc and also the G4 7448 :) )

ClassicHasClass (2018-01-08T06:33:37.078-08:00):
The DLSD's power management is indeed a thing of weirdness. I'd like to find out exactly how it inhibits the attack. Someone on Nekochan is testing this on a 10.4.11 DLSD and maybe we can get to the bottom of it.

ClassicHasClass (2018-01-08T06:32:08.596-08:00):
Poor Reggie.

It's an interesting solution and should work, though it would have big performance impacts especially on the G5.

ClassicHasClass (2018-01-08T06:29:49.081-08:00):
I didn't really observe much difference on mine. How many run cycles did it take to change behaviour on yours? Which G5 model?

Wayne Sadler (2018-01-08T05:57:26.577-08:00):
Fascinating research...and at last, a single reason to celebrate the frequency scaling on my DLSD - because in all other respects it annoys me.

Tobias (2018-01-08T04:01:09.076-08:00):
My 15" DLSD PowerBook G4 is reported to have a 7447A and results are the same as for your 17" DLSD PowerBook G4 that has a 7447B.
So it seemingly doesn't matter whether it's a 7447A or a 7447B.
On the 970FX (512 kB L2 cache) where the exploit is largely successful, it does also make a notable difference how many times you run the same binary consecutively - on the DLSD PowerBook G4 this doesn't seem to change anything.