ECM 1413 Spectre and Meltdown Flashcards
Speculative execution
An optimization technique in which a processor (CPU) performs a series of tasks before it is prompted to, in order to have the information ready if it is required at any point.
Spectre Setup
- array1 is in memory; there is also private data of a different process
- array1[x], where x is large, is private information
- In speculative execution context, array1[x] won’t cause a hardware fault
What is Spectre
One of the two original transient execution CPU vulnerabilities (the other being Meltdown), which involve microarchitectural timing side-channel attacks.
These affect modern microprocessors that perform branch prediction and other forms of speculation.
On most processors, the speculative execution resulting from a branch misprediction may leave observable side effects that may reveal private data to attackers.
An Attack
With speculative execution:
- Reading array1_size results in a cache miss
- While waiting for array1_size, reading array1[x] results in a cache hit
- Reading array2[array1[x] * CACHE_LINE_SIZE] results in a cache miss
- Once array1_size arrives, register changes made during speculative execution are rewinded
- However, array2[array1[x] * CACHE_LINE_SIZE] is left in the cache
- Repeating with multiple x, elements of array2 will be placed in the cache
- By multiplying with CACHE_LINE_SIZE, we make sure that there is a one-to-one correspondence between array1[x] and the cache lines
Timing attack
a sophisticated way to circumvent security mechanisms and discover vulnerabilities by studying how long it takes the system to respond to different inputs. In a timing attack, the attacker gains information that is indirectly leaked by the application.
- Faster access time indicates data loaded into the cache during speculative execution
- Revealing the value of array1[x] indirectly through the cache timing side-channel.
Spectre variant 1 vulnerability
(known as Bounds Check Bypass (BCB))
* An unfortunate combination of
* Branch prediction
* Speculative execution
* Cache exploit of temporal locality
Spectre and Meltdown
* Similarities:
- Exploit built-in vulnerabilities, not bugs
- Require attacker to be using the system
Spectre and Meltdown
* Differences:
- Spectre reads memory from other processes
- Meltdown can also read kernel memory from user space
What is Meltdown
Breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system