Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

CompInt > Spectre/Meltdown > Flashcards

Spectre/Meltdown Flashcards

1
Q

What is Spectre?

A

A computer exploit/attack used to access blocks of memory you are unauthorised to access.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

How does Spectre work?

if (x < array1_size) {
y = array2[array1[x] * CACHE_LINE_SIZE];
}

A

array1_size is uncached; Therefore, the request results in a cache miss, so the result must be read from memory.

A mistrained branch predictor pipeline will predict x < array1_size to be true before the result has returned from memory. Therefore, it will execute the code inside the brackets.

While waiting, array1[x] is a cache hit, so the data is read directly without checking validity. However, if we simply set y to array1[x], when the branch is found to be incorrect, all the data would be squashed, deleting it from y.

Instead, we make y an uncached array, and place it into the array at some point. The data will be squashed, but that index specifically will now be cached. All that is left is to perform a side-channel attack, reading every index until one is found that takes significantly shorter time to fetch than the others.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What would happen if array2 was cached in Spectre?

if (x < array1_size) {
y = array2[array1[x] * CACHE_LINE_SIZE];
}

A

When performing the side-channel attack, all of the indexes would take equal time to fetch, so it would be impossible to infer the nature of the data we had taken.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What is Meltdown?

A

Named as such because it “melts” boundaries between kernel and user memory normally enforced by hardware, it is an computer exploit/attack that exploits out-of-order sequencing and virtual memory paging.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

How does Meltdown work?

raise_exception();
y = array2[array1[x] * PAGE_SIZE]

A

We start by raising an exception of some kind; because of out-of-order sequencing, while the computer is waiting for the nature of the exception to be brought forward, it begins the next instruction.

array1[x] is in memory, therefore the validity is not checked. array2[array1[x] * PAGE_SIZE], however, is not in memory and results in a read miss, and so it has to be loaded from disk.

The instruction y = … is the discarded when the exception is finally caught. However, similar to Spectre, that part of the array is left in memory, so a side-channel attack can be used to figure out where the data is.

(This is an example of Meltdown, variant 3)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly

CompInt (7 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2024 Bold Learning Solutions. Terms and Conditions