DEV Community

This is how Meltdown works

Isaac Lyman on January 05, 2018

Meltdown and Spectre are the two latest exploits throwing the tech world for a loop. They have a lot in common with each other; both depend on buil...
Collapse
 
isaacdlyman profile image
Isaac Lyman

I know I should be terrified by the implications of a low-level exploit like this, but I'm mostly just impressed by how clever humans are. I mean, it's amazing to me that someone came up with this, even if the only valid uses for it are nefarious.

Collapse
 
ben profile image
Ben Halpern

In retrospect, maybe this would have been easier to explain without the fast-food metaphor...but hey, I had fun.

I had a lot of fun reading it.

Collapse
 
allecto profile image
Paula Hasstenteufel • Edited

Me too, and even though the metaphor ran thin at some point, it delivered a good base to begin abstracting from there. 10/10 would recommend.

Though now I feel like I want some fries :/

Collapse
 
soccathescrub profile image
Tobias • Edited

Man, I must say that as a fresh CS student, this really helped me understand this problem. I was curious about it, but almost all examples used the tech language which I have no full knowledge of (yet).
Thank you sir!

Collapse
 
mortoray profile image
edA‑qa mort‑ora‑y

This is a nice description of how the attack works. Good work!

I guess it should be noted that this is a defect in Intel's chip design; it's not the way CPU's are supposd to work. AMD indicated they don't do speculative execution without permission checks. And I'm guessing no future Intel chip will either.

Perhaps this gives somebody the idea that chips should get faster again instead of cleverer. There's prone to be more faults in all these magical chip mechanisms. :(

Collapse
 
isaacdlyman profile image
Isaac Lyman

Thanks, Ed! (Is "Ed" good? I'm embarrassed to admit I can't figure out how to parse your name.)

It sounds like you understand this stuff pretty well. Any chance you can answer a couple questions for me?
1) is all this speculative execution and permission checking stuff literally hardwired? Or is it software on the CPU that could theoretically be updated without replacing the whole chip?
2) the patches are OS- and browser-based (which is a little unfair, but I digress). How do they prevent the exploit?

Collapse
 
jeandaniel profile image
Jean-Daniel

While your analogie is fine to introduce the Meltdown concept, is miss an important part. The distinction between User and Kernel space and virtual memory.

On modern OSes, when you try to access a memory address, this address is a virtual address and has to be translated to a physical address first. The map to convert between virtual to physical address is stored in a dedicated piece of hardware (the TLB which is part of the processor). Each process has its own map.

Every time the active process change on the CPU, the kernel has to flush the TLB to load the new process mapping. Today, as an optimization, all majors OSes choose to copy the kernel mapping into each process at launch so when a process call a kernel function, the kernel don't have to flush the TLB and load its own mapping.
The CPU is design to know which part of the mapping is the kernel memory and which part is the process memory. So when trying to access kernel memory from the process, it denies the access.
As seen with Meltdown, this check is performed to late as the access is denied after the memory was loaded.

The patch adopted by OSes to mitigate the issue is to separate the Kernel memory map from the process map. So when a process try to access kernel memory, the speculative execution failed to map it to physical address (as the kernel map is not present anymore) and return a exception instead of loading the actual kernel memory.

This patch has a performance cost as it force to revert an useful optimization. Fortunately, from some time now, CPUs provide functions to optimize usage of the TLB and avoid flush and reload of the mapping when a process change (by allowing to store more than one process map and tagging them with Context Identifier), so the performance cost should be small enough to be invisible for most users.

Collapse
 
mortoray profile image
edA‑qa mort‑ora‑y

I'm not sure I know much more than that tidbit about AMD. :D

I believe the Linux patch is something called Kernel Page Table Isolation, which isolates the kernel memory even more. In the fast food analogy I think that'd be like moving the kitchen to a different building, the customers can't see anything even if poking around

I'm presuming the affected code on Intel is hardware as they indicated they can't release a microcode patch for it. That would seem to imply that a lot of it is hardware, but there is updatable code also at play.

A saw an LLVM patch that could also help mitigate some of the issues, but the details weren't entirely clear: I don't know if this means something in user-land could help, or they are compiling kernel bits with this patch.

The exact details of all this are still a bit cloudy; full info release hasn't been made yet I believe.

Collapse
 
evo4g63t profile image
Skyler

Excellent write up. My question is how easy is this to exploit? Is this going to be easy for hacker groups to take advantage of this or is this really going to require people with advanced skills to exploit (something a very small minority would be able to do)?

Collapse
 
ben profile image
Ben Halpern

Exploiting this from scratch seems quite complicated. Exploiting it via some abstraction made available on the web seems like it could be pretty straightforward, unfortunately.

Collapse
 
alephnaught2tog profile image
Max Cerrina

The bit about timing reminds me of a timing attack (and possibly qualifies as one as a result!)

Collapse
 
isaacdlyman profile image
Isaac Lyman

Yeah, that's right! It's a complicated cache timing attack.

Collapse
 
rhymes profile image
rhymes

Thank you!

Collapse
 
blackbird profile image
Omkar Ajnadkar

You just rocked this article!!!

Collapse
 
dougblackjr profile image
Doug Black

This was the first explanation of this that made sense. Well said!

Collapse
 
cym_rataturken profile image
Sergio Margalé

Great explanation there. And really good fast-food example

Collapse
 
coderangshuman profile image
Angshuman Halder

This was a good post explaining meltdown. I loved it.

Collapse
 
heyarviind profile image
Arvind

I enjoyed reading it :D

Cheers

Collapse
 
twales profile image
Anthony Aiyenigba

Damn. This was an enjoyable read. If you were a teacher you'll never have a dull student

Collapse
 
evo4g63t profile image
Skyler

Also is this exploit a one size fits all? What I mean is say someone develops a program to exploit this.. Will it need to be designed for each processor or will it literally hit the big three (Intel, ARM, AMD)?

Collapse
 
isaacdlyman profile image
Isaac Lyman

As I understand it, only Intel is affected by Meltdown, but Spectre potentially affects all processors built since the 90s.

Collapse
 
aswathm78 profile image
Aswath KNM

thats a lot to read for a five year old . But worth reading

Collapse
 
ctrlshiftbryan profile image
ctrlshiftbryan

This was amazing thank you!

Collapse
 
shtefcs profile image
Stefan Smiljkovic

Great article Isaac, was wondering what is all hike about. Thanks for explanation. I re-shared this article on Moonly

Collapse
 
igorcapc profile image
Igor

Thank you! Amazing article, I loved the fast-food metaphor.

Collapse
 
mmk622 profile image
mmk622

Hi Isaac, thanks a lot for the description. The Fast food Metaphor helped a lot to understand Meltdown much better.