For those wondering how Meltdown and Spectre work, here is a very simplified explanation (to my understanding of it at least, which might be wrong):

Let's say we have two arrays of data.

A = X[13]

B = Y[A]

 

As you can see, in order to know what B is, it needs to fetch data from A.

On modern processors, B can be loaded before it has checked if A is safe to access. This is where the "speculation" of the processor comes in because it does not actually know if calculating B is acceptable or not. It might discover some issue and need to throw all that work away, or it might have saved some time by doing calculations earlier than it otherwise would have.

 

What will happen is that A is loaded, then Y[A] is calculated and stored as B.

What happens when the processor discovers that A is protected memory, such as kernel memory?

The processor will just roll things back and pretend like it never accessed Y[A], but the problem is that B was loaded into the cache. By doing some clever tricks (such as measuring latencies), it is possible to determine if the bit used for the prediction in A (which is protected memory) was a 1 or a 0.

Put this into a loop and you can read the entire A, one bit at a time.

 

The other exploits use similar techniques, but instead of using things like speculative loads between security rings (A and B in this example were in different security rings), they instead use the speculation of things like branch prediction.

 

The general idea of all three exploits is the same. Create a scenario where the prediction/speculation of processors leaves clues of what data was accessed before it realized the predictions/speculations were invalid.

Some methods of finding "clues" are easier to execute, and the clues are more obvious, but the concepts are the same.

 

What's a bit worrying is that three different methods of "finding clues" were published, but this is essentially a brand new category of attacks. There might be hundreds of ways of abusing this concept, and verifying that a design is safe against these types of attacks is extremely difficult.
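The sequence described in this post, as a toy Python model added here (not part of the original post, and a simulation rather than code that touches real hardware): registers are rolled back on the fault, the cache is not, and the cache state alone gives away one bit per round. `ToyCPU`, `observe_byte`, the `speculate` switch and the sample bytes are all constructed for illustration; `speculate=False` is an assumed design in which the permission check completes before the dependent load is issued.

```python
class ToyCPU:
    def __init__(self, protected, speculate=True):
        self.protected = protected   # constructed "kernel" bytes the program may not read
        self.speculate = speculate   # False: permission is checked before Y[A] is loaded
        self.cache = set()           # indices of Y whose cache line is currently loaded
        self.regs = {}               # architectural state the program can see

    def flush(self):
        self.cache.clear()

    def run_gadget(self, addr, bit):
        """A = one bit of X[addr]; B = Y[A]. Always ends in a fault."""
        if self.speculate:
            a = (self.protected[addr] >> bit) & 1   # transient value, never committed
            self.regs["B"] = "Y[%d]" % a            # speculative result
            self.cache.add(a)                       # loading Y[A] fills a cache line
        # The permission check resolves: access denied, registers are rolled back...
        self.regs.clear()
        # ...but self.cache is left as it is.
        return "fault"

    def is_fast(self, index):
        """Stand-in for a latency measurement: a cached line reads 'fast'."""
        return index in self.cache


def observe_byte(cpu, addr):
    """Rebuild X[addr] from cache state only, one bit per round (None = no signal)."""
    value = 0
    for bit in range(8):
        cpu.flush()
        cpu.run_gadget(addr, bit)
        if cpu.is_fast(1):           # Y[1] is cached, so the bit was 1
            value |= 1 << bit
        elif not cpu.is_fast(0):     # neither line cached: nothing to observe
            return None
    return value


SECRET = bytes(13) + b"K"            # constructed sample; index 13 matches X[13] above
leaky = ToyCPU(SECRET)
checked_first = ToyCPU(SECRET, speculate=False)

if __name__ == "__main__":
    print("speculative load, cache kept:", observe_byte(leaky, 13))
    print("check before dependent load: ", observe_byte(checked_first, 13))
```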

  1. WkdPaul

    Computerphile just made a video explaining it (just in case some people might prefer the explanation in video format!).

     

     

  2. corruptedkeep

    So many thanks for taking the time to explain this to us. I was looking for information about this, but what I found was not very specific. Maybe you should make a post about it so everyone can find it easily. Thank you

  3. LAwLz

    @Zauer since I am neither a programmer (at least not skilled enough to fully understand this page) nor a CPU engineer, I thought I'd just post this here and not as a separate thread. I would rather not post a thread and then realize I got some crucial parts wrong. Although, watching that Computerphile video made me feel a lot more comfortable in my understanding of it.

    It might be better to just post the video from Computerphile as a thread.

     

    Thanks for the video @wkdpaul.
