View Single Post
Old 01-9-2018, 10:57 PM   #3
Carry your failures proud
FFR Veteran
Soundwave-'s Avatar
Join Date: Sep 2015
Age: 23
Posts: 644
Default Re: Spectre and Meltdown

Whenever you jump around in code, a ton of data used to optimize execution has to be trashed, so processors have a system devoted to speculating whether or not jumps will occur, and executing code based on this speculation. If the processor is right, a ton of time is saved. If it's not, it's not too expensive to just back up and go along the correct path.

Spectre attacks work by training the processor to assume a jump that would normally occur (like say, jumping away from code that tries to access protected memory) instead does not occur. Then an attacker accesses protected memory and loads a known part of memory based on the value of the protected memory. Since the processor has been trained to assume that the memory access will not trip protections, it'll execute the attackers code speculatively. However, eventually the processor will catch the protected memory access, roll back the speculatively executed code, and as far as the attacker knows, their code was never executed.

It sounds foolproof.

And people thought it was, for 23 years.

But there's a problem. The rollback doesn't roll back everything. It rolls back everything except for the memory cache (and the branch predictor, and probably some other trade secrets). See, accessing memory is slow, and so processors cache accessed memory, as the same parts of memory are often accessed in succession. But overwriting the memory cache is also slow, and so it's not done during a rollback. Doing so would defeat the advantages of speculative execution.

Accessing memory is measurably faster if the memory has been cached.

And therein lies the problem. Going back to our scenario, when the processor speculatively executes the attackers code, it loads a part of memory based on some protected memory values. When the execution is rolled back, the cache state remains the same, so if the protected memory value was such that a target part of memory was loaded, when the attacker goes to access that target memory, access will be measurably faster than if the protected memory value was not such that the speculative execution would load the target memory. And thus, information about protected memory is deducible.

Deducing information about protected memory in this manner is a Spectre attack. It for the most part only affects programs attacking each other.

Why? Because when something is really important, like operating system important, a protection ring is used. This is a hardware feature built into the processor that separates code into different privilege levels, and allows memory to be divided between these levels. Execution can only move between these levels in very specific ways dictated by the operating system. Accesses outside of memory assigned to the ring of the currently executing code are shot down even faster than they would be otherwise. The result is that kernel memory is protected from even the malicious Spectre attacks.

In theory.

In practice, Intel (and Intel specifically, as far as we know currently) screwed this one up as well. Speculative execution can bypass even ring checks on Intel hardware, allowing Spectre attacks to crossover ring boundaries. When this happens, the attack is named Meltdown.

Are you vulnerable to these attacks? Yes, at least some forms of Spectre. Meltdown has been contained. Does it present an actual security concern for most people...? Probably not. It's very very common for people to operate on a privileged account. If you do this you're far more likely to accidentally install a malicious rootkit than to get hit by a Spectre attack. Additionally, Spectre attacks are easy enough to prove feasibility for, but in terms of actual attacks, like stealing passwords... it becomes exceedingly difficult. There's just two things to be careful with regarding this: Spectre attacks are unlikely to be detected by anti-virus and anti-malware presently, and Spectre attacks can be carried out through most scripting environments, most notably your browser.

Just keep an eye out, use common sense, and wait for engineers to rethink 2 decades of processor technology.
Originally Posted by [11:38 PM] Hakulyte
only person who can legit tilt me is like YoshL
Originally Posted by スンファンさん
Soundwave- is offline   Reply With Quote