ECM 1413 Spectre and Meltdown Flashcards

You may prefer our related Brainscape-certified flashcards:
1
Q

Speculative execution

A

An optimization technique in which a processor (CPU) performs a series of tasks before it is prompted to, in order to have the information ready if it is required at any point.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Spectre Setup

A
  • array1 is in memory; there is also private data of a different process
  • array1[x], where x is large, is private information
  • In speculative execution context, array1[x] won’t cause a hardware fault
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What is Spectre

A

One of the two original transient execution CPU vulnerabilities (the other being Meltdown), which involve microarchitectural timing side-channel attacks.

These affect modern microprocessors that perform branch prediction and other forms of speculation.

On most processors, the speculative execution resulting from a branch misprediction may leave observable side effects that may reveal private data to attackers.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

An Attack
With speculative execution:

A
  • Reading array1_size results in a cache miss
  • While waiting for array1_size, reading array1[x] results in a cache hit
  • Reading array2[array1[x] * CACHE_LINE_SIZE] results in a cache miss
  • Once array1_size arrives, register changes made during speculative execution are rewinded
  • However, array2[array1[x] * CACHE_LINE_SIZE] is left in the cache
  • Repeating with multiple x, elements of array2 will be placed in the cache
  • By multiplying with CACHE_LINE_SIZE, we make sure that there is a one-to-one correspondence between array1[x] and the cache lines
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Timing attack

A

a sophisticated way to circumvent security mechanisms and discover vulnerabilities by studying how long it takes the system to respond to different inputs. In a timing attack, the attacker gains information that is indirectly leaked by the application.

  • Faster access time indicates data loaded into the cache during speculative execution
  • Revealing the value of array1[x] indirectly through the cache timing side-channel.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Spectre variant 1 vulnerability

A

(known as Bounds Check Bypass (BCB))
* An unfortunate combination of
* Branch prediction
* Speculative execution
* Cache exploit of temporal locality

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Spectre and Meltdown
* Similarities:

A
  • Exploit built-in vulnerabilities, not bugs
  • Require attacker to be using the system
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Spectre and Meltdown
* Differences:

A
  • Spectre reads memory from other processes
  • Meltdown can also read kernel memory from user space
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

What is Meltdown

A

Breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system

How well did you know this?
1
Not at all
2
3
4
5
Perfectly