Every now and then we hear and read about
“critical security” issue’s in the software
that we use in our day to day lives.
These security holes are caused by tiny bugs
in the code and can lead to devastating results:
people can hack into your computer, steal
your information or even hold it hostage.
Luckily though we can fix these issue with
a software update.
But on the first of June, 2017 researcher
working for Google’s Project Zero found
two major security flaws in modern processors.
You know, the brains of your computer, phone,
tablet, TV and what not.
The flaws allows any program to read sensitive
information from memory.
Yikes!
The bugs are called Meltdown and Spectre and
because they’re so sensitive, Google decided
to keep it a secret until vendors had come
up with workarounds that would protect us.
So let’s take a look at how these bugs work,
but before we can do that, let’s quickly
go over some basic concepts.
As you know a CPU is the brain of all of our
devices.
A processor is responsible for executing all
the instructions that our operating system
and our programs give it.
How fast a processor is, depends on its clock
speed.
The higher this is, the more work your processor
can do per second.
So for a while, chip makers were in a fight
to keep increasing the clock speed.
They however reached a ceiling when they hit
the 3-4GHz range.
Increasing it further was impossible, so instead
chipmakers had to get creative and they came
up something called “speculative” execution.
Basically it means that the processor will
guess what the outcome of an instruction will
be and execute all the subsequent steps in
the background.
More on that later!
The last thing we need to understand is memory.
Our devices have two types of memory: the
main system memory, also called RAM and the
cache memory in the processor.
The CPU needs to constantly read and write
data from the main memory.
However the main memory is way slower then
the CPU.
So chipmakers added a small cache on the processor
itself to store the data that it’s working
with.
Everytime the processor needs something from
the main memory, it copies it, stores it in
its cache and reads it from there.
Okay, so now that we know these basics we
can start explaining the Meltdown bug!
Our operating systems stores sensitive information
in the main memory of our devices.
Think about your WiFi key for instance.
They store this data in protected memory and
CPU’s make sure that no one has access to
this part of the memory, except the operating
system itself.
So far so good, except that they don’t enforce
this rule when they are speculating!
And that leaves the door open for exploits!
Let’s assume that you visit a website that
wants to steal your WiFi password, which for
now is safely stored in protected memory.
First the attacking website has to make sure
that your CPU’s cache doesn’t contain
your actually WiFi password.
To do that it reads and writes some random
data to the main memory.
Remember: when you access the main memory,
the processor keeps a copy of the data in
it’s own cache for faster retrieval.
It also loads an image from the internet that
will be used later on.
Now that your CPU’s cache is filled with
random data, the website tries to read the
first letter of your WiFi password from the
protected memory with code that might look
like this.
If your password starts with the letter S,
the site reads the first pixel of the image
into memory.
But wait a minute!
The CPU will prevent the website from accessing
the protected memory!
But because the CPU speculates, it might have
executed this code in the background and didn’t
tell us about it.
If your WiFi password indeed starts with the
letter S, the CPU will execute our “readPixel”
command while it’s speculating.
And when the CPU reads this pixel from the
main memory, it puts a copy of it in it’s
cache.
All the website has to do now is run a second
program that times how long it takes to read
that pixel.
If it happens super fast we know that the
pixel was in the CPU’s cache and this could
have only happened when the CPU was speculating
and only if our password starts with the letter
S. If it’s not so fast, the data comes from
the main memory and then we know the password
doesn’t start with an S.
It’s clear how this technique can be extended
to not only read the first character, but
to read your full password from protected
memory.
In fact, with Meltdown it’s possible to
read sensitive data at speeds of up to half
a megabyte per second!
(503 KB/s)
Almost all Intel processors and a handful
of ARM processors are susceptible to this
bug.
Only AMD chips are resilient because they
don’t speculate when protected memory is
being accessed.
However, this is only the tip of the ice berg.
Let’s move on to Spectre, a weakness that
is very similar to Meltdown but affects all
modern CPU’s, not just the ones from Intel!
While Meltdown only allows programs to read
protected memory, Spectre allows malicious
programs to read the memory from any other
program running on your system!
To give a concrete example: a website could
use Spectre to read the contents of another
browser tab - one where you might be logged
in to your bank account.
This becomes an even bigger problem in professional
situations.
Public clouds like AWS, Google Cloud and Microsoft
Azure are rushing to implement safeguards
against Spectre and Meltdown.
If left unpatched it would allow one customer’s
virtual machine to steal data from another
customers VM.
Spectre is more difficult to patch compared
to Meltdown and that’s also why they named
it “Spectre”.
A ghost that will haunt us for quite some
time…
Now that we know how the exploits work, what
can we do about them?
Patching processors isn’t possible because
we can’t change hardware that has already
shipped.
Instead we have to mitigate it with software
updates.
There are already patches available for Windows,
MacOS and Linux, so make sure that you have
the latest versions installed.
Mobile devices also need to be patched.
Updates for iOS are already available and
also Google has patches available for Android,
however they depend on the manufactures to
make the updates available to users.
Do definitely check with your vendor!
And finally: make sure that the rest of your
software is up-to-date as well.
Browser’s like Firefox and Chrome are also
offering patches to mitigate the risk of websites
stealing sensitive information.
So that was it for this video BUT don’t
worry, there are plenty of other videos on
my channel that you can check out.
And as always: thank you very much for watching!
