際際滷

際際滷Share a Scribd company logo

Spectre and meltdown

A
Aditya Kamat

Spectre and Meltdown exploit vulnerabilities in modern processors that can leak sensitive data from kernel memory. Spectre uses speculative execution and branch prediction to trick processors into accessing unauthorized data, while Meltdown leverages out-of-order execution to read kernel memory before permission checks. Mitigations include compiler changes, firmware patches, and separating kernel data from processes to prevent attacks. The document provides background on memory caching, speculative execution, and the technical details of Spectre and Meltdown vulnerabilities and countermeasures.

1 of 31
Download to read offline
Spectre and Meltdown ~ Aditya Kamat
What will be covered? Memory Cache Speculative Execution Branch predictor Meltdown Spectre Mitigations FAQs
Memory & Cache L1, L2, L3 levels Cache hit and miss.
Memory & Cache
Covert channels
Out-of-Order Execution Outside Inside
Speculative Execution Coffee shop analogy for easy understanding. Why? Instructions which require reading from memory take longer. CPU idle time is a waste of resources, speculative execution is the solution.
Branch predictors Use fancy algorithms to predict which condition might be met. Speculatively execute the branch that is predicted. What happens when the prediction turns out to be true? And what happens when the prediction is wrong? P.S: Branch predictors are often over 99% accurate at guessing.
Spectre and meltdown
User Space vs Kernel Space Kernel space & user space are segregations of the virtual memory. Each process is given virtual memory which is divided into kernel & user space. The user space region contains data, code, stack, heap of the process. The kernel-space contains things such as the page table for the process, kernel data structures and kernel code, etc. To run kernel space code, control must shift to kernel mode(using 0x80 software interrupt for system calls) & kernel stack is basically shared among all processes currently executing in kernel space.
User Space vs Kernel Space
Spectre: Variant 1(CVE-2017-5753) Bounds check bypass. The instructions after a conditional branch are speculatively executed as the result of a misprediction.
Spectre and meltdown
Spectre and meltdown
Spectre and meltdown
Spectre and meltdown
Spectre and meltdown
Spectre: Variant 2(CVE-2017-5715) Branch target injection The CPU executes instructions at a location determined by a mispredicted branch target.
Spectre (Variant-2)
Spectre (Variant-2)
Meltdown: Variant 3(CVE-2017-5754) Rogue data cache load, memory access permission check performed after kernel memory is read. It leverages out-of-order execution capabilities in modern CPUs. Vulnerable CPUs allow memory reads in out-of-order instruction execution, and also contain a race condition between the raising of exceptions and the out-of-order instruction execution.
Spectre and meltdown
Spectre and meltdown
Spectre and meltdown
Spectre and meltdown
Spectre and meltdown
Countermeasures Spectre (Variant 1): Compiler patches. Use barriers (LFENCE instruction) to prevent speculation for x86 - Sequential instructions. Static analysis to identify locations where attackers can control speculation. Spectre (Variant 2): Separate BTBs(Branch Target Buffers) for each process in the Branch predictor unit. Prevent BTBs across SMT(Simultaneous MultiThreading) threads.
Countermeasures Meltdown:
FAQs Can I detect if someone has exploited Meltdown or Spectre against me? Can my antivirus detect or block this attack? Is there a workaround/fix? Why is it called Meltdown? Why is it called Spectre? Can I see Meltdown in action? Check this
References A 3 minute video explaining speculative execution. Link Meltdown paper. Link Spectre paper. Link Redhat documentation. Link Meltdown and spectre official website. Link IIT-M course by Chester Robeiro: Link Report by CMU: Link Miscellaneous: Link1, Link2, Link3, Link4
Thank you

More Related Content

Spectre and meltdown

  • 1. Spectre and Meltdown ~ Aditya Kamat
  • 2. What will be covered? Memory Cache Speculative Execution Branch predictor Meltdown Spectre Mitigations FAQs
  • 3. Memory & Cache L1, L2, L3 levels Cache hit and miss.
  • 7. Speculative Execution Coffee shop analogy for easy understanding. Why? Instructions which require reading from memory take longer. CPU idle time is a waste of resources, speculative execution is the solution.
  • 8. Branch predictors Use fancy algorithms to predict which condition might be met. Speculatively execute the branch that is predicted. What happens when the prediction turns out to be true? And what happens when the prediction is wrong? P.S: Branch predictors are often over 99% accurate at guessing.
  • 10. User Space vs Kernel Space Kernel space & user space are segregations of the virtual memory. Each process is given virtual memory which is divided into kernel & user space. The user space region contains data, code, stack, heap of the process. The kernel-space contains things such as the page table for the process, kernel data structures and kernel code, etc. To run kernel space code, control must shift to kernel mode(using 0x80 software interrupt for system calls) & kernel stack is basically shared among all processes currently executing in kernel space.
  • 11. User Space vs Kernel Space
  • 12. Spectre: Variant 1(CVE-2017-5753) Bounds check bypass. The instructions after a conditional branch are speculatively executed as the result of a misprediction.
  • 18. Spectre: Variant 2(CVE-2017-5715) Branch target injection The CPU executes instructions at a location determined by a mispredicted branch target.
  • 21. Meltdown: Variant 3(CVE-2017-5754) Rogue data cache load, memory access permission check performed after kernel memory is read. It leverages out-of-order execution capabilities in modern CPUs. Vulnerable CPUs allow memory reads in out-of-order instruction execution, and also contain a race condition between the raising of exceptions and the out-of-order instruction execution.
  • 27. Countermeasures Spectre (Variant 1): Compiler patches. Use barriers (LFENCE instruction) to prevent speculation for x86 - Sequential instructions. Static analysis to identify locations where attackers can control speculation. Spectre (Variant 2): Separate BTBs(Branch Target Buffers) for each process in the Branch predictor unit. Prevent BTBs across SMT(Simultaneous MultiThreading) threads.
  • 29. FAQs Can I detect if someone has exploited Meltdown or Spectre against me? Can my antivirus detect or block this attack? Is there a workaround/fix? Why is it called Meltdown? Why is it called Spectre? Can I see Meltdown in action? Check this
  • 30. References A 3 minute video explaining speculative execution. Link Meltdown paper. Link Spectre paper. Link Redhat documentation. Link Meltdown and spectre official website. Link IIT-M course by Chester Robeiro: Link Report by CMU: Link Miscellaneous: Link1, Link2, Link3, Link4