Hi everyone, Joseph (paper author) here. You can find Fractal on Github: https://github.com/jprx/fractal
The full paper, slides from my S&P talk, and all our experiment data can be found at the Fractal project website here: https://fractal-os.com
We've been building Fractal internally for a very long time (first commit was almost exactly 2 years ago), so it's exciting to finally share it with the world. Let me know what you think!
I didn’t quite understand the scope of impact of the issues highlighted in the article.
> The CPU still fetches the target into the instruction cache before the protection kicks in.
> In Phantom, ordinary instructions, including a no-op, can be misinterpreted by the CPU as branches, triggering speculative behavior the program never asked for.
Is the idea you combine these two to execute a BTB style attack? Is there a world in which speculative cache fetching is still fine if it’s non exploitable or is it always a risk and the performance cost of fixing the hardware negligible?
> The Fractal team showed that the conditional branch predictor has no privilege isolation at all
This one seems more serious. Now that it’s confirmed, does it provide a map for how to exploit it in a real system or is this non-exploitable in practice because of OS design choices around migration?
Can it run Doom?
Haven't gotten around to it yet haha
Studying how a processor running an operating system actually behaves by peeking right through the privilege barrier is the ultimate wall hack. Who needs noclip when we have Fractal?
[dead]
At the risk of sounding extremely dumb, I have a question for you: if the hardware is susceptible to something that you can't actually reproduce with the software everyone runs on it, who should care, and why? Is it even really fair to call it a vulnerability at that point? Is the idea that this is supposed to help identify a different mechanism of exploiting the vulnerabilities with the shipped OS too?
To give an analogy, it almost feels like removing the protection circuitry from a Li-Ion battery and then testing if it can catch fire, and observing that it does. Should it really worry users?
Great analogy. Li-ion batteries have several layers of defense against exploding, one of which are vents that, if all else fails, let the hydrogen gas safely escape rather than building up. It's perfectly fair for independent testers to say "we haven't found any flaws in the protection circuitry yet, but we should bypass it to see if the vents work as designed".
I'm not disputing that it's fair to investigate that. What I'm asking is if it's fair to then call it a vulnerability without establishing that the thing is, in fact, vulnerable as a result.
I would say it's like calling the battery a fire hazard if the vents don't work, but actually that's not analogous because the necessity for vents doesn't merely arise from the need to protect against bad design of the protection circuitry. They're needed for safety even if your circuitry design is flawless. So the analogy is actually kind of poor in that regard.
This is why a distinction is often drawn between vulnerabilities and exploits — many more things can be weaknesses in a system that can only be exploited in combination with other vulnerabilities.
An obvious example is web browsers, where a vulnerability can easily be uninteresting because it lives in a sandboxed process… until you find a sandbox escape, then it is critical.
As long as you suspect there may be other vulnerabilities in the other layers, it is worthwhile investigating and fixing them, because defence in depth only works until someone manages to put together a full chain.
Not the author, but as someone who frequently has to answer this question, I'll chip in:
A mistake is a mistake, whether you have a way to reproduce it right now or not. It's pretty much a given that whatever means you have right now to reproduce the problem will evolve and broaden the scope. Also, if you haven't found a way to reproduce the problem, it doesn't mean it doesn't exist: it takes a lot more effort to prove that it's impossible to reproduce than to simply not being able to reproduce the problem.
As long as we're using analogies, let's use a car one. If your car gets into a car crash, you want it to be safe and not explode, yeah? Would you rather drive around, and see if it happens to explode if you happen to get into a crash, or would you rather setup a test arena, crash as many copies of your car, as many times as possible, to see if it ever also explodes. And then, once you've shown it can explode when the left back window is halfway down and the passenger door is halfway open, then from there it's easier to figure out how those set of circumstances might actually happen in the real world.
It's research, which often involves a ton of work for zero pay off. It's usually thankless and unrewarding, on the off chance that there is some exploit to be had.
The real benchmark is whether it can run Doom while measuring why Doom runs.
chapeau for this project - and thanks for sharing it with the world!
have you considered forking existing OS and implementing changes that you needed instead?
it's hard for me to justify the tremendous effort of implementing the OS from scratch, instead of adding the functionality that you need to for example linux or xv6.
> (it) exposes primitives that let a single experiment switch privilege levels at runtime while executing the same instructions in the same address space.
i think that it can be achieved by following linux modifications:
- make all executable pages executable both in user and kernel mode
- define a new syscall number, let's call it 'fractal'
- upon 'svc' trap (syscall), if it's a fractal syscall, just branch to instruction after the 'svc' (still in kernel mode! no 'eret', as opposed to no-fractal syscalls)
and.. that's it?
From the article:
> [...] they usually run their experiments on top of an operating system that was never built for the job. They open up macOS or Linux, patch the kernel by hand, and hope the modifications hold. The approach is unstable, hard to reproduce, and on Apple’s platforms, slated for deprecation.
I'd also like to hear more about why that's a problem, not because I disagree, but because I don't know jack about this and it's fascinating. However, I could imagine at least a couple of advantages to this approach.
* It's not a general purpose OS. It doesn't have to support 10,000,000 different accessories, just enough to get the kernel booted so researchers can interact with the hardware.
* You don't have to deal with general purpose constraints here. Who needs something like a fair scheduler when the goal is to give researchers direct access to the hardware for minutes at a time?
* If broad hardware support and universal use case support aren't goals, you can write something vastly simpler that basically loads a program and turns it loose on the underlying bare metal. I imagine that'd make repeatability vastly easier, with no "oops, an Ethernet packet came in so I need to service that mid-test" interrupt{,ion}s.
Those would seem like good reasons to make a minimal kernel that doesn't get between the researchers and their work.
It’s not actually possible to have the kernel execute user pages like this on most modern systems