Meltdown|Spectre: The physical vulnerability that emits OS level data
First and foremost, we have to give this up to Google's Project Zero for finding and publicly posting this massive flaw. There is no doubt in my mind that they were also affected by these huge vulnerabilities, but even this massive tech giant felt it was critical that the world knew about Meltdown and Spectre. Not only did they identify the problem, but they told the world exactly where to start looking, because this is a whole new vector, or perspective, on vulnerabilities. Much like the first gold rush in the US, once one nugget was found ... it caused so many others to start looking for more!
Here is their post from January 3rd, 2018: https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
So recently, I learned a good deal more about Spectre and Meltdown, and I found it pretty fascinating. The overall process reminded me of dumpster diving. At one point in time, folks didn't really concern themselves with what they threw away. They would throw away unopened credit card offers, bank statements they had finished reviewing, or even old cards/checks without destroying them beforehand.
On a more technical level, I found this site absolutely useful: https://www.csoonline.com/article/3247868/vulnerabilities/spectre-and-meltdown-explained-what-they-are-how-they-work-whats-at-risk.html
The overall gist is that these side-channel techniques can read data they don't have permission to access, because that data is saved in several locations that can be accessed faster and more easily than the CPU can complete its permission check.
There are two compute mechanisms at play here. The first is the CPU's ability to front-load operations and data while it is waiting for another, longer process to complete and tell it what to do.
For instance, when building a house, we might be waiting on supplies to be delivered before completing the framework for the doors in the master bedroom. These supplies can arrive as either aluminum or wood. Regardless of which arrives, we can still go through and measure out what the cuts would be (thicker cuts for wood and thinner for metal). When the materials arrive, we throw away the measurements for the material we aren't using, right? But why go through this process? Because waiting for the supplies before working out the measurements would take longer, since we would have to wait for the delivery. Figuring out the measurements for both scenarios beforehand is much faster, and we can just discard the wrong measurements. Critically, before the supplies ever arrive at the jobsite, anyone can come over and ask for both sets of measurements.
In these side-channel memory attacks, while a process is working on a larger math problem, speculative execution is cramming in several scenarios of data calls that may or may not be used, and the data sets that aren't used are then discarded improperly. Even while the process is waiting for the larger math problem to complete, a smaller/faster process can sweep in, ask about both data sets, and aggregate enough information before the discard happens and before the processor ever determines whether the process has access to that data.
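The first thing a defender should do after reading this is find out whether their own hosts are still exposed. As an added example (not from the original post, Project Zero, or the CSO article), the script below reads the per-issue status files that Linux 4.15+ kernels publish under /sys/devices/system/cpu/vulnerabilities/, where each file holds one line beginning with "Mitigation:", "Vulnerable" or "Not affected". The SAMPLE dictionary is constructed data standing in for a host that has Spectre mitigations but no kernel page-table isolation.

```python
"""Audit Linux kernel mitigation status for Meltdown and Spectre v1/v2."""
from pathlib import Path

# Real sysfs location (Linux 4.15 and later); one file per issue.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
# The three issues covered by the Project Zero disclosure.
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status: str) -> str:
    """Map one sysfs status line to mitigated / vulnerable / not_affected / unknown.

    Kernels may append detail after a colon; the leading word decides.
    """
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def audit(read_status) -> dict:
    """Classify every issue; read_status(name) returns the file text or None."""
    report = {}
    for name in ISSUES:
        text = read_status(name)
        report[name] = "unknown" if text is None else classify(text)
    return report


def read_sysfs(name: str):
    """Read a live status file, or None when the kernel does not publish it."""
    path = SYSFS_DIR / name
    return path.read_text() if path.exists() else None


def needs_attention(report: dict) -> list:
    """Issues that are unmitigated or whose status could not be determined."""
    return sorted(k for k, v in report.items() if v in ("vulnerable", "unknown"))


# Constructed sample: Spectre mitigated, Meltdown (no PTI) still exposed.
SAMPLE = {
    "meltdown": "Vulnerable\n",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Retpolines\n",
}

if __name__ == "__main__":
    live = audit(read_sysfs)  # replace read_sysfs with SAMPLE.get to dry-run
    for name, state in live.items():
        print(f"{name:12s} {state}")
    print("needs attention:", needs_attention(live) or "none")
```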