Spectre and Meltdown Flashcards
What causes Spectre and Meltdown?
Unexpected interaction of caching and pipelining
What 2 ways does a processor do work faster?
Caching
Pipelining
What is cache?
Smaller, faster memory closer to the processor that stores instructions
What is pipelining?
A processor predicts branches based on past history and squashes the instructions if the prediction is wrong.
What is speculative execution?
The branch predictor guesses the result of an ‘if’ statement based on past history. The lines of code under it are executed before the condition is evaluated. If the condition is not met, any changes made by the processor are discarded.
What is the problem with speculative execution?
If the condition is not met, all processes need to be rolled back. All microprocessors do this; however, they do not undo the side effects, i.e. memory saved into the cache.
How can speculative execution be exploited? (Spectre attack)
If you have aggressive speculative execution, you can access memory that you shouldn’t be able to because it is down a speculative path, causing changes to the underlying memory subsystem that you could measure with a watch, working out the value of the forbidden memory.
Why is it called spectre?
Because the root cause is speculative execution.
What is virtual memory paging?
Technique that divides process memory maps into same-sized pages and loads some of them into same-sized frames.
In the case of cache, you have words.
In the case of virtual memory, you have blocks.
Why is it called Meltdown?
It melts down security boundaries normally enforced by hardware.
What causes meltdown?
With speculative execution, if an exception is to be raised, any lines after the exception will still be evaluated before they are discarded, meaning memory is still accessed and modified. The process will be rolled back but the consequences won’t be fixed.
Timing access to the pages reveals the locations that were accessed speculatively.
What’s another meltdown example?
Multithreaded machines where you can see what another thread is doing.