Spectre & Meltdown - Computerphile

Best Analogy I've seen is as follows:
"Imagine that you (i.e. a malicious process) want to know whether someone (i.e. a victim process) has checked out a particular library book. The library (i.e. the CPU) refuses to give you access to their records and does not keep a slip inside the front cover. You can only see the record of which books you have checked out.
What you do is follow the person of interest into the library whenever they return a book. You then ask the librarian for a copy of the books you want to know whether the person has checked out. If the librarian looks down and says "You are in luck, I have a copy right here!" then you know the person had checked out that book. If the librarian has to go look in the stacks and comes back 5 minutes later with the book, you know that the person didn't check out that book (this time).
The way to make the library secure against this kind of attack is to require that all books be reshelved before they can be lent out again, unless the current borrower is requesting an extension.
There are many other ways to use the behavior of the librarian and the time it takes to retrieve a book to figure out which books a person is reading."
Not mine, don't know original source.

Thanks for getting a video out on this so quickly and pretending not to panic for the camera.
Can we see the cut shots where Dr Bagley is shouting "WE'RE ALL DOOMED" and Brady is talking him down from the window ledge.

The real scandal is that Intel was notified about this over 6 months ago and their CEO dumped millions in stock before announcing this exploit.

Summary of the exploit: "Cache me outside... how bout dat?"

replace cpu? with what, a rock?

This is the best analogy I could come up with for how Spectre works:
Imagine you want to know the genre of book a particular person has checked out of the library. However, the library has strict privacy policies, and refuses to give you access to their records, only your own.
What you do is reserve a book from every genre that the library carries, and then ask the librarian for the book you reserved of the same genre as the victim's book. The librarian, to save time, immediately begins fulfilling this request, even bringing said book up to the front desk, before finally realizing that the request itself breaches library privacy, and so refuses to return the book to you. Seems like you're out of luck, you don't know the genre of your reserved book behind the desk, so you haven't learned the genre of the victim's book.
However, you now begin to request from the librarian every book you reserved one by one. Since these reserved books are properly a part of your records, the librarian happily obliges. For each book you note the librarian takes time to retrieve the book from inside the library, until one suspicious book is requested, which the librarian immediately hands you from behind the desk. That one suspicious book of course is the book requested from earlier, so with it identified and in your possession, you have successfully learned the genre of your victim's book.
Now imagine repeating this process multiple times on the same victim using other qualities besides genre: like author, publisher, and so on. Each quality you learn about your victim's book allows you narrow down to the particular book your victim has checked out. Eventually, you will know for certain the identity of your victim's book, all by exploiting your hard working and naive librarian.

It looks like AMD hardware is only vulnerable to one of the three variants: the bounds check bypass. Some reports argue that this could be fixed by allowing the OS and the application code to disable speculative execution in certain circumstances. As I understand it the boundary check bypass only allows to exfiltrate data from the same process with the branch target injection being able to reach another process and the meltdown making vulnerable even the kernel. Intel and ARM hardware are afflicted by all three.

I knew you’d post a video about it quickly! This is why I’m a happy subscriber

What infuriates me is that the majority of the headlines are about the slowdown, and not about the vulnerability itself -.-

So this is extremely low-level and thus hard for my high-level programmer brain to fully grasp, but let me see if I got this straight: if the bounds of a loop are stored in memory, the CPU will try to optimize by running the code in the loop first while waiting for the bounds to be retrieved; if the bounds turn out to be such that the loop shouldn't have been run, the result of the code is discarded. But when a value is taken from memory and used as an array index, those values are cached to speed up future reads, and the cache is not cleared during that "memory undo" process.
So if you try to access a memory location you shouldn't be able to inside a loop that "technically" terminates before that point, the access will still happen. And if you use that value as the index of an array you do have access to, it will be cached. At that point, the indexes of your valid array which are cached represent the values of the bytes you tried to access (the iterations of the loop beyond the slow-to-retrieve maximum bounds), so by timing how long it takes to retrieve those array entries, you can determine the values of the unauthorized bytes by interpreting the indexes of the fastest-loading array entries.
Is that correct?

Finally someone with knowledge of computer engineering addresses the issue and also points that Meltdown affects Intel specifically.

Literally checked this channel for this last night! You guys are awesome! Keep up the great work!

Fantastic job explaining these exploits! Probably the cleanest and to-the-point description I've seen on TH-cam so far. You know you're doing good when your viewers can use you as a security news source. 😉

"Replace CPU hardware" *Straight face*
Laughed out loud

That was fast, I thought it would take you a week or so to discuss it.

Great video. Can always count on Computerphile to provide a detailed yet concise explanation which is easy to understand

Interesting to note that all Raspberry Pi versions are invulnerable because their ARM chips either don't implement speculative branch evaluation (just branch prediction) or they don't implement it in a way that leaves traces in the cache.

It would be awsome if you could make more in depth videos, not only on this topic, maybe including the code explanation

"Meltdown" (aka "Variant 3") is an Intel issue. Yes, Intel very much wants to confuse the matter, but make no mistake, that's their fuckup. (**see comments)

Somehow Scott Manley, the guy who plays Kerbal Space Program, had a much clearer and more detailed explanation that the Computerphile channel.

Wait! Are you saying my 486DX is unaffected by this? PHEW! And there I was, thinking I would need to upgrade my CPU.

Excellent video. Very informative and interesting. I just knew Computerphile would cover this.

Great explanation, thanks!

James Bond asks his mate "Mr CPU" to go wait for him at a bar. The Criminal Mastermind named "Meltdown" goes into the bar and says "I have a drink for Mr Bond here, anyone want it?" All in the bar take a while, looking around and asking "are you James Bond?", but Mr CPU instantly answers "No, he is not here", then James bond walks in...

6:55 is when any details Beyond a typical layperson news article start

After the end of Moore's Law, it turns out there's no such thing as a free lunch.

Always look forward to watching Computerfile's break down of the newest and greatest security vunribility. Another great video guys!
PS: from what I have gathered, it's a vunribility where all the correct things have to be under the exact right circumstances for it to occur. I have yet to see any real real-world examples or instances where this attack has or can be used besides some whitepaper's example code. In other words, I'm not phased by this nor do I care about the risks it brings.

It's not easy to explain such a thing without going into details too deeply, yet staying meaningful. I think made a great job, as always, here in computerphile. (The cache access time could have been a bit more emphasized, though.) But PLEASE, PLEASE USE A TRIPOD! It would be such a quality leap for these videos!

What I find surprising about this is that it took this long to discover this flaw. I don’t know much programming, though I do know some, and even less about implementations details and hacks like this. But even I know that CPUs have implemented speculative execution for a long time now. The methods described here seem to me pretty amazingly simple. It surprises me that no one thought of trying to exploit this before now!

This glosses over the most interesting part. :) The covert channel is timing how long it takes to read something, which is affected by what is in cache. Speculative execution can change what is cached and so allows the covert channel to exist, in combination with branch prediction making the wrong prediction. The branch prediction can be trained in a few ways, one of which involves the realization that the branching decision is remembered not by instruction location but by only some low bits of the branching instruction.
The neat part is that the speculative execution can include a second lookup based on the first value fetched. Multiplication by the cache line size (the size of the chunk of memory that will be read when it is loaded in to cache), and then using that as a second lookup offset, fetches a unique cache line for each original value. This is the trick that allows the original data to be read (by then timing the reads of each possible offset).

Finally, a tech channel for serious IT people! This is my new goto source for serious vulnerbilities and game-changing tech.

Best computer science channel on TH-cam! 🤓👍

Thanks for the explanation.

Best under fiveteen minutes video on that topic i have seen do far

"Replace CPU-" *quickly pauses, heart sinks, sense of impending doom looms over me* Please god no...

All your systems are belong to us.

I seen this coming from the moment I began experimenting with parallel programming techniques. Having developed a lot of creative uses of Semaphores to get around the pitfalls of out of order execution, I will be incredibly happy when we start to see processors that don't pretend to know better than the programmer what order their instructions should be executed. I should never have to suspect memory barriers I drop into my code aren't actually doing anything but you would be surprised just how often modern processors completely ignore their presence.

Very timely. Good job. :)

Very good explanation, thanks guys!

Very informative and technical. Just what the doctor ordered. 10/10

soo.. would it be possible to get ahold of the test code shown in the video? i'd like to compile and see for myself.

Good high-level explanation, I encourage people interested to read the papers published and do some research about branch prediction. For starters, Tomasulo's algorithm was one of the first OOO execution designs that many processors are still based off of. It's old, so it's easier to comprehend then today's massively complicated schemes, but will still give you a taste of what happens at the h/w level.

Yeah just let me crack open my iMac and replace the CPU that should be pretty easy

I'm glad someone finally addressed this.

Wow, very fast content reaction to current "Computerphile" topics. Great!
By the way: does CERT list hardware which is considered "secure" in terms of Spectre and Meltdown?

Great explanation many thanks

Thank you!

Would you be able to get information from another virtual server if they both lived on the same host?

I was hoping you would make a video on this!

The worst part about all of this is it took independent researchers to find this just by chance.
Various security agencies have well-funded branches that find bugs like this regularly around the clock all day every day of the year from full hardware exploits to firmware exploits to OS exploits.
Hardware ones are less frequent, but still happen especially against embedded devices that don't change regularly. Some older devices are still connected to the internet as well, which is much worse. That includes some hardware that literally controls the backbone of the internet in some regions, some is still ancient and still used simply because it is reliable and If It Works Don't Fix It. (same reason we are still stuck with IPv4!)
It's also a hard job to deal with in space hardware because it's feature-progression is considerably slower than main-line hardware. Biggest reason being the new hotness in CPU hardware generally leads to literal hotness in that they run hotter. Much much hotter. (especially branch prediction, which is the parent architectural fault involved in both of these bugs)
This is very bad for space because it is stupidly hard to cool things there due to the lack of medium to move the heat in to because space is inert. Only way to get heat away is radiative, which is extremely slow. So you end up needing these complex cryo-cooling systems in CPU-heavy satellites, which limits their maximum operation time quite considerably and increases complexity. (and potential for failure)
So this can lead to issues with space hardware if any bugs are found in them as well.
All it could take is one hardware exploit to kill the GPS framework and bring modern globalized society to a standstill. (and the smartphone generation)
Given how much money gets pumped in to exploitation branches of security agencies, they likely already know a few that could cripple society-wide services.
Sometimes if they are really severe, they even announce them. However relationships in the security industry are broken over the whole blanket-spying stuff done by Five Eyes and the like. Many people are taking advantage of it by leaving security agencies and forming their own companies to make some cash. NSA lost loads of people.

Reminds me of that Computerphile video about the exploit of cache memory byway of specific SQL queries.

I like how; while under development, the patch that was applied by Linux devs was given the name "Forcefully Unmap Complete Kernel With Interrupt Trampolines", it was changed for the actual release of the patch because of the same reason as why I like the name... spell out the first letter of each word xD

Great video!

Cool, this is from the university of Nottingham, same place that makes those awesome Periodic Videos about chemistry and elements!

And to make it clear, the Meltdown bug, which has the highest likelihood of speed degradation, does not effect AMD CPUs.

A big thumbs up! BTW, could you please add subtitle functionality in the videos?

Could we get the source code for that program that exploits itself? I’m really interested to see how it works myself.

Raspberry Pi's blog did an awesome job explaining this. (Mainly because they actually showed (pseudo-)code)

Great video! As I understand Meltdown affects Intel CPUs specifically and is currently being patched in all OSes. Question: will the patch itself affect the speed of other CPUs, or are they written to come into effect only on Intel systems? Are we better off with AMD for brand new systems until updated hardware comes out?

As bad as this exploit is, i'm not too worried. As far as the regular folks are concerned, I find it far more likely that they are going to have random other software related exploits whether it be trojan's, keyloggers, phising scams. Plenty of other things for them to fall for, rather than getting a more complicated program on their computer which does this slow data extraction which may or may not be useful, given that the implementer has to know what they are looking for before they can even make use of data.
This issue should likely be quite simple to fix for Javascript/code from the web, as the code is compiled by the browser, you could just alter the JS compilation/VM process to break any cache coherence thus resulting in speculative execution not working for higher level code.

The title needs to be better. Before I knew what spectre & meltdown were I had no desire to watch this video. Then I watched The WAN Show and now I want to.

The science behind the exploits is very interesting.

Question: Since most computers from atleast the early 90s - present have this flaw with the new security issue, would it be possible (if having an old development unit for a videogame system or something (say N64) or a dev cartridge) would it be theoretically possible with the right tools (and the Meltdown/Spectre flaws) to obtain source code/ documentation on videogames in which the source code was thought to be locked down under the aformentioned cartridge/cpu ?

Expected a deeper explanation, considering this is computerphile

From the "Cloud Perspective", the dom0 (hypervisor), could squash these instruction set requests from domX to prevent flaws... just a thought.

Nice analysis

Love the shirt

Cool, that's actually pretty easy to understand.

this really helped, thanks

Nice explanation thx PS Not related to this video but was a bit disappointed you didn't cover the root bug on mac os a month or so ago :) Where you could go to settings and use root as a user name on the password prompt

2:14 as i understand it the original google engineer had POC working in javascript the first day and was listing his https tabs open in firefox... best estimates are it can get out about 1k bits per second

too lazy to do my own research on this topic, since I know computerphile will do a better job. Finally it is here, and im not disappointed

4:48 Dr Bagley is creating an 'off by one' error. In most languages that array would contain 17 items, not 16. Thanks for the buffer overflow, dr Heartbleed.

how much back does this go? is the whole intel icore line affected from first generation onward?

Super fast :) Most media is not ready yet to explain it well.

Anyone have a link to the code Steve is walking through?

Steve Bagley Thumbs up for mentioning the BSDs. Their developers haven't been a part of the embargoed information, even though they run a pretty significant part of the Internet's backends...

Also, where is the stock-pile they pull from w/ the old printer paper, haha?! Love it.

So new cpu will fix it? what about other components? Does it mean that all parts will be warrantable in the future?

Excelent explanation

TH-cam thought I was going to watch this video, but I looked at how long it was and decided not to. Instead, I watched a Numberphile video really carefully, and now I know everything that's said in this video. I don't think that's supposed to happen.

I cant think of anything I wouldnt rather do instead of computer security. What a nightmare ... constantly a new battle you will inevitably lose

Timely

Can we get the Dr. Steve's code? It would be very nice to have this example :)

I enjoy videos where 200 nanoseconds is 'a reasonably long time'

where was that test code available from?

Do you have a link to the program somewhere?

Nice Amiga 1000 there in the background! :)

Thank you! Have been wondering how this actually worked, media have been pretty universally poor in how they're covering this (as usual).
Then again it's pretty difficult to explain to the layman apparently, I'm not far from that but I think I just about get it.
Does the 'patch' simply hinder speculative evaluation?

Love the juxtaposition of Hawaiian shirt and grey sky. Very informative as always.

and the timing can be measured fast accurately enough to find out whether or not something is in cache? Or is the attack done multiple times and then the timing averaged?

Thanks for this interresting and easy-to-understand explanation of the exploit. However, one thing remains unclear to me: This is a bug in the hardware, so how can it be patched in the OS?

I've been reading very mixed opinions on the likely effect on Intel CPU performance. I'd love to hear a detailed and unbiased explanation of this. Also, does this mean consumers should avoid buying new computers until the next generation of redesigned CPUs?

Does anyone know what text editor he's using?

Awesome!! vid!

where do you get those codes?

where is that code you ran on your computer?

What text editor is he using?

What VSCode skin is that? Looks really nice.

I guarantee that the CIA knew how to do this for years and sat on it for their own interest.