Meltdown and Spectre are the two latest exploits throwing the tech world for a loop. They have a lot in common with each other; both depend on buil...
For further actions, you may consider blocking this person and/or reporting abuse
I know I should be terrified by the implications of a low-level exploit like this, but I'm mostly just impressed by how clever humans are. I mean, it's amazing to me that someone came up with this, even if the only valid uses for it are nefarious.
I had a lot of fun reading it.
Me too, and even though the metaphor ran thin at some point, it delivered a good base to begin abstracting from there. 10/10 would recommend.
Though now I feel like I want some fries :/
Man, I must say that as a fresh CS student, this really helped me understand this problem. I was curious about it, but almost all examples used the tech language which I have no full knowledge of (yet).
Thank you sir!
This is a nice description of how the attack works. Good work!
I guess it should be noted that this is a defect in Intel's chip design; it's not the way CPU's are supposd to work. AMD indicated they don't do speculative execution without permission checks. And I'm guessing no future Intel chip will either.
Perhaps this gives somebody the idea that chips should get faster again instead of cleverer. There's prone to be more faults in all these magical chip mechanisms. :(
Thanks, Ed! (Is "Ed" good? I'm embarrassed to admit I can't figure out how to parse your name.)
It sounds like you understand this stuff pretty well. Any chance you can answer a couple questions for me?
1) is all this speculative execution and permission checking stuff literally hardwired? Or is it software on the CPU that could theoretically be updated without replacing the whole chip?
2) the patches are OS- and browser-based (which is a little unfair, but I digress). How do they prevent the exploit?
While your analogie is fine to introduce the Meltdown concept, is miss an important part. The distinction between User and Kernel space and virtual memory.
On modern OSes, when you try to access a memory address, this address is a virtual address and has to be translated to a physical address first. The map to convert between virtual to physical address is stored in a dedicated piece of hardware (the TLB which is part of the processor). Each process has its own map.
Every time the active process change on the CPU, the kernel has to flush the TLB to load the new process mapping. Today, as an optimization, all majors OSes choose to copy the kernel mapping into each process at launch so when a process call a kernel function, the kernel don't have to flush the TLB and load its own mapping.
The CPU is design to know which part of the mapping is the kernel memory and which part is the process memory. So when trying to access kernel memory from the process, it denies the access.
As seen with Meltdown, this check is performed to late as the access is denied after the memory was loaded.
The patch adopted by OSes to mitigate the issue is to separate the Kernel memory map from the process map. So when a process try to access kernel memory, the speculative execution failed to map it to physical address (as the kernel map is not present anymore) and return a exception instead of loading the actual kernel memory.
This patch has a performance cost as it force to revert an useful optimization. Fortunately, from some time now, CPUs provide functions to optimize usage of the TLB and avoid flush and reload of the mapping when a process change (by allowing to store more than one process map and tagging them with Context Identifier), so the performance cost should be small enough to be invisible for most users.
I'm not sure I know much more than that tidbit about AMD. :D
I believe the Linux patch is something called Kernel Page Table Isolation, which isolates the kernel memory even more. In the fast food analogy I think that'd be like moving the kitchen to a different building, the customers can't see anything even if poking around
I'm presuming the affected code on Intel is hardware as they indicated they can't release a microcode patch for it. That would seem to imply that a lot of it is hardware, but there is updatable code also at play.
A saw an LLVM patch that could also help mitigate some of the issues, but the details weren't entirely clear: I don't know if this means something in user-land could help, or they are compiling kernel bits with this patch.
The exact details of all this are still a bit cloudy; full info release hasn't been made yet I believe.
Excellent write up. My question is how easy is this to exploit? Is this going to be easy for hacker groups to take advantage of this or is this really going to require people with advanced skills to exploit (something a very small minority would be able to do)?
Exploiting this from scratch seems quite complicated. Exploiting it via some abstraction made available on the web seems like it could be pretty straightforward, unfortunately.
The bit about timing reminds me of a timing attack (and possibly qualifies as one as a result!)
Yeah, that's right! It's a complicated cache timing attack.
Thank you!
You just rocked this article!!!
This was the first explanation of this that made sense. Well said!
Great explanation there. And really good fast-food example
This was a good post explaining meltdown. I loved it.
I enjoyed reading it :D
Cheers
Damn. This was an enjoyable read. If you were a teacher you'll never have a dull student
Also is this exploit a one size fits all? What I mean is say someone develops a program to exploit this.. Will it need to be designed for each processor or will it literally hit the big three (Intel, ARM, AMD)?
As I understand it, only Intel is affected by Meltdown, but Spectre potentially affects all processors built since the 90s.
thats a lot to read for a five year old . But worth reading
This was amazing thank you!
Great article Isaac, was wondering what is all hike about. Thanks for explanation. I re-shared this article on Moonly
Thank you! Amazing article, I loved the fast-food metaphor.
Hi Isaac, thanks a lot for the description. The Fast food Metaphor helped a lot to understand Meltdown much better.