When you Accidentally Compromise every CPU on Earth

  • Published on 20 Nov 2024

Comments • 1.7K

  • @DanielBoctor
    @DanielBoctor  8 months ago +155

    THANKS FOR WATCHING ❤
    Try CodeCrafters today with 40% off! 👉 app.codecrafters.io/join?via=daniel-boctor
    JOIN THE DISCORD! 👉 discord.gg/WYqqp7DXbm
    **UPDATE**
    A few commenters have been asking if spectre was ever used in any real attacks. To my knowledge, the answer is no. Using spectre to pull something off in the real world is incredibly complex and difficult. Kaspersky has a great article outlining the theoretical impacts the bugs could have:
    www.kaspersky.com/blog/spectre-meltdown-in-practice/43525/
    **UPDATE v2**
    At 12:07, I said that the operating system would notice when trying to access out of bounds data. A few commenters have pointed out that it's the MMU (hardware level) that would raise a fault in response to access violations, not the OS. The OS gets notified afterwards. My apologies for the mistake. Thanks to those who pointed it out!
    **UPDATE v3**
    A few people were interested in the audio side channel for fingerprint reconstruction. I'm no expert, but I'll link the source in case any of y'all wanted to take a further look.
    here's an article that discusses it:
    www.tomshardware.com/tech-industry/cyber-security/your-fingerprints-can-be-recreated-from-the-sounds-made-when-you-swipe-on-a-touchscreen-researchers-new-side-channel-attack-can-reproduce-partial-fingerprints-to-enable-attacks
    and here's the underlying paper:
    www.ndss-symposium.org/wp-content/uploads/2024-618-paper.pdf
    👇 Let me know what topics you would like to see next! 👇
    Thank you for all of the support, I love all of you

    • @BillAnt
      @BillAnt 8 months ago +6

      The Doctor Boctor has done it again. :) Thank you for this great video showing the concepts of these vulnerabilities in an easily understandable format.

    • @angeltensey
      @angeltensey 8 months ago +3

      meltdown and spectre are essentially ways to gaslight your computer.

    • @jasonkhanlar9520
      @jasonkhanlar9520 8 months ago +2

      2:30 "process" is mispronounced. maybe human maybe not human generated voice using human live sampling, not sure, either way, the pronunciation is wrong, whether intentional or unintentional

    • @SailorRob
      @SailorRob 8 months ago +8

      ​@@jasonkhanlar9520, it's his real voice, and his accent is common to certain parts of the US and Canada.
      Separately, I was going to comment that I enjoyed the pace and format of his narration:
      1. It's to the point.
      2. Quickly gives the relevant information.
      3. Clearly said and easy to understand.
      Despite the northern accent, he gets high marks from me for efficiency.

    • @simonj.k.pedersen81
      @simonj.k.pedersen81 8 months ago +2

      Great explanation

  • @SambinoDev
    @SambinoDev 8 months ago +4273

    30 seconds in I thought Frank from Domino's was going to be the one responsible for compromising 80 billion CPUs

    • @akk2766
      @akk2766 8 months ago +56

      I was thinking that too - 🤣. Like the anesthetist who created BFS - en.wikipedia.org/wiki/Con_Kolivas

    • @dsandoval9396
      @dsandoval9396 8 months ago +119

      Same.
      First couple of minutes I really was thinking Frank must've been a PC savant that came up with that exploit at home. While managing Domino's Pizza store.🤦

    • @yyyy-uv3po
      @yyyy-uv3po 8 months ago +33

      @@dsandoval9396 Gustavo Fring nerd version

    • @StefTechSurfer
      @StefTechSurfer 7 months ago +12

      The perfect cover.

    • @rossr6616
      @rossr6616 7 months ago +8

      pepperoni in the clean room!

  • @dr.robertnick9599
    @dr.robertnick9599 8 months ago +6278

    That Pizza order thing is a great way to explain what side channel attacks are.

    • @DanielBoctor
      @DanielBoctor  8 months ago +404

      aha, I was hoping it would be! Glad you thought so 😊

    • @Krono159
      @Krono159 8 months ago +87

      not only a great way, but the best one

    • @Batwam0
      @Batwam0 8 months ago +72

      When you explained the attack at 15:10, I realised why you have mentioned the pizza story at the beginning and understood the attack method right away. It was perfect 👌

    • @ahndeux
      @ahndeux 8 months ago +26

      Now if we can only correlate donut and coffee orders to police incidents.

    • @RikuRicardo
      @RikuRicardo 8 months ago +1

      For real! That makes so much sense

  • @mushroomsamba82
    @mushroomsamba82 8 months ago +2499

    all the pentagon would have to do to avoid the side channel attack is throw a pizza party on a random day every month

    • @gamagama69
      @gamagama69 8 months ago +201

      and utilize different places, assuming that groups are placing people in restaurants to track this

    • @consumerextraordinaire8209
      @consumerextraordinaire8209 8 months ago +174

      bean counters: "hmmm, sounds expensive..."

    • @tondekoddar7837
      @tondekoddar7837 8 months ago +65

      Exactly. Also, order taxis, drivers, cancel drivers free time, electricity usage (remember what kind of lights you use makes different waveforms in the nearby network) umm no need to track me, 3-letter Sir, I'm just a newborn from halfway across the world, no the GOOD PART... :)

    • @DavidTriphon
      @DavidTriphon 8 months ago

      @@gamagama69 you can find average wait times on google. After the Russian Wagner group leader died (or maybe some other recent Russian war event, I might not be remembering correctly), anyone who could use google maps for finding restaurants could see that wait times had spiked throughout the Washington DC area. Thanks to google, the DC pizza index is public globally.

    • @johnridout6540
      @johnridout6540 8 months ago +110

      That's still not secure. You'd need to throw pizza parties at random intervals irrespective of months.

  • @Jack-lr3dn
    @Jack-lr3dn 8 months ago +4338

    Insane they figured out a way to effectively gaslight a cpu

    • @iraniansuperhacker4382
      @iraniansuperhacker4382 8 months ago +284

      I've been having conversations with people recently about how vulnerable airliners are to electronic attack/hacking and people are generally under the assumption it would literally be impossible to hack an airplane and bring it down. I tried to explain to them attacks or rogue engineers sneaking something into the tool chain they use to build the software. I've spent more than a few years learning how to program and how computers work, they tell me I watch too many movies and they try to give me some wild half assed technical reason as to why they are right. I'm for sure going to use this video as a reference in the future.

    • @freedustin
      @freedustin 8 months ago +242

      Not really. People need to quit thinking computers are smart, they are not. They blindly follow every order that makes it to the CPU.

    • @ahndeux
      @ahndeux 8 months ago +147

      @@iraniansuperhacker4382 Wrong and lots of bad information in your post. It's not that software can't be hacked, but most source codes have CRC checks to verify against non-approved changes. Most flight level software has multiple levels of checks against malicious code. It's not written by one rogue programmer. There are teams of people and verifications on software code. Can code be written incorrectly and compromised? Of course. However, you have no clue as to the level of verification needed in software on critical systems. It's not what you think.

    • @iraniansuperhacker4382
      @iraniansuperhacker4382 8 months ago +19

      @@ahndeux Are you a programmer?

    • @jasonfyk
      @jasonfyk 8 months ago +7

      wrong
      @@ahndeux

  • @exzld
    @exzld 8 months ago +1908

    "lets not get ahead of ourselves" that was an unintended pun

    • @DanielBoctor
      @DanielBoctor  8 months ago +311

      I didn't even realize that lol

    • @raylopez99
      @raylopez99 8 months ago +65

      I predict this comment will blow up with likes...

    • @exzld
      @exzld 8 months ago +83

      @@raylopez99 nah it will probably just get rolled back...

    • @pedroandrade8194
      @pedroandrade8194 8 months ago +28

      @@exzld you might roll back... I'll still be a hit

    • @yay-r6j
      @yay-r6j 8 months ago

      xD ​@@pedroandrade8194

  • @rog2224
    @rog2224 8 months ago +891

    In the 70s, security forces in the UK used a milk bottle metric to predict riots - a dip in returns of empty milk bottles in certain places meant there was going to be serious trouble in the next two-three days.

    • @chaferweed
      @chaferweed 8 months ago +7

      Why so?

    • @Zorro9129
      @Zorro9129 8 months ago +260

      @@chaferweed The bottles could be used for molotov cocktails.

    • @jtnachos16
      @jtnachos16 7 months ago +233

      @@Zorro9129 Also, the lack of people going about daily chores and staying home/out of sight instead would indicate tensions and concerns amongst the populace.
      If you've ever hung around a bad neighborhood before, you know when the druggies and other locals suddenly disappear from the streets, you should be disappearing too. You get the same effect in the wilderness too. If the normal noises of the environment suddenly stop, something is wrong.

    • @dirtydan3029
      @dirtydan3029 7 months ago +16

      I'm too young to remember milk being in glass bottles

    • @maid1452
      @maid1452 7 months ago +14

      @@jtnachos16 That's a good way to put it.

  • @wernerviehhauser94
    @wernerviehhauser94 8 months ago +1419

    Why you should always consider to generate some garbage on the side channels...... even if that means buying free pizza for your facility management at night.

    • @lordfrz9339
      @lordfrz9339 8 months ago +158

      They now make sure to order small batches of pizza from several different vendors. And they buy pizza regularly, not just on big days. So even when the amount of pizza spikes, it just seems like a normal order to each pizza place.

    • @ryelor123
      @ryelor123 8 months ago

      @@lordfrz9339 A spy could just see how many pizza deliveries occur visually.

    • @josephkanowitz6875
      @josephkanowitz6875 8 months ago +6

      ב''ה, but then they'd think Americans still rely on food

    • @corvusnocturne
      @corvusnocturne 8 months ago

      wait, people in other countries don't need to eat? @@josephkanowitz6875

    • @BudgiePanic
      @BudgiePanic 8 months ago +34

      I heard they stopped ordering pizza entirely from the guy who originally published it

  • @milk-dog
    @milk-dog 8 months ago +504

    The timing of this video could not have been better. The GoFetch exploit on M1 and M2 silicon was just discovered as a side channel attack, and your explanation helped understand it a lot better. Thanks.

    • @DanielBoctor
      @DanielBoctor  8 months ago +120

      I know, it's a crazy coincidence. I started working on this video about a month ago too. Glad you liked it!

    • @ben_car_8115
      @ben_car_8115 8 months ago +19

      @@DanielBoctor I honestly thought this was released because of the exploit when I first clicked on it. Sometimes things just line up so well

    • @tondekoddar7837
      @tondekoddar7837 8 months ago +1

      @@DanielBoctor Do you keep any videos for a while just to wait for a thing to happen ? Crazy good video, ty.

    • @fredwupkensoppel8949
      @fredwupkensoppel8949 8 months ago +32

      Yeah I was reading about GoFetch the other day and went "wait, isn't that just Spectre all over again"? If you're designing a CPU, shouldn't "could this lead to the resurgence of the worst microarchitecture-based security flaw ever" be a question that gets occasionally asked?

    • @AJ3000_
      @AJ3000_ 8 months ago

      @@DanielBoctor nailed it

  • @petersmythe6462
    @petersmythe6462 8 months ago +985

    "accessing main memory is incredibly slow"
    "Like a five millionth of a second."

    • @vampir753
      @vampir753 8 months ago +200

      Better go and get a coffee in the meantime, this will take a while.

    • @DanLivings
      @DanLivings 8 months ago +110

      @@vampir753 You could probably drink a couple of trillion caffeine molecules in that time

    • @charliekahn4205
      @charliekahn4205 7 months ago +89

      Your average RISC instruction takes around four clock cycles. If your clock is 1GHz, one cycle is 1ns. That means you can perform 50 instructions in the time it takes to access one byte on an 8-bit bus.

    • @kevinjohnston8399
      @kevinjohnston8399 7 months ago +61

      @@charliekahn4205 Actually that's not quite correct. Each individual instruction requires four cycles, but after one cycle of one instruction, a new instruction starts its own first cycle. Most of the time there are 4 instructions all in progress at the same time. Each one starts and finishes one cycle after the previous. So in 200ns the CPU can start 200 instructions, and finish 197 of them. (The last 3 are in different stages of "not finished yet", but they all finish in the next 3 cycles.)

    • @AG3n3ricHuman
      @AG3n3ricHuman 7 months ago +58

      @@kevinjohnston8399 Actually that's not quite correct. Modern CPUs are superscalar and can start multiple instructions at once, even in a different order than they are in the running program (which is called "out-of-order" execution).

  • @lbgstzockt8493
    @lbgstzockt8493 8 months ago +1720

    The people finding hardware vulnerabilities are genuine gigabrains. How do you even come up with this?

    • @GiveThemHorns
      @GiveThemHorns 8 months ago +255

      While I understand and appreciate the seemingly impossible nature of finding an exploit like this, it doesn't require a 'gigabrain'. It's just a matter of having the right knowledge with the right set of skills (which can be learned). A good, and common, example of where this type of thinking is regularly used is with SDETs. SDETs use their knowledge of the system combined with the experience and know-how of performing technical analysis in order to identify potential flaws and test for them.

    • @raylopez99
      @raylopez99 8 months ago +191

      @@GiveThemHorns Still, the hackers were gigabrains. I mean even designing a keyboard logger is hard to do. As an amateur coder I tried in C# to design a keyboard logger that was a TSR program and could not (of course C# has a keyboard library but not persistent after you stop using the program). But these low level language hackers could do it and also make the program tiny to avoid detection, as well as having a randomly changing signature to avoid anti-virus. Gigachads indeed.

    • @IamFrancoisDillinger
      @IamFrancoisDillinger 8 months ago +87

      Agreed. I took a cloud security course in undergrad and I remember learning about these attacks (though I've forgotten most of it) and reset attacks on TPMs and all I could think was "These people are crazy...just how?" I wish I had the knack for such things.

    • @Bug_Abuse
      @Bug_Abuse 8 months ago +67

      For some it's a hobby. I learned to break systems when I was a teenager by exploiting games. You just have to think outside the box. I learned to exploit before I started coding. It makes more sense as a coder how you can't think of every possible edge case over time.

    • @GiveThemHorns
      @GiveThemHorns 8 months ago +34

      @@Bug_Abuse Coders don't think of every possible edge case, not even close.

  • @pianowhizz
    @pianowhizz 8 months ago +477

    The funny thing was, the speculative execution feature was a known security risk back in the 1990s. It’s not something new.

    • @Zaraaashiigal
      @Zaraaashiigal 8 months ago +46

      People always find ways to gaslight and exaggerate. It's common on youtube. I wish more people would realize this.

    • @ChrisM-tn3hx
      @ChrisM-tn3hx 8 months ago +60

      Most current methods are very similar to those used back in the 80s and 90s. Take SQL injection for example. One of the oldest and still most common forms of attack. Still works.

    • @Munenushi
      @Munenushi 7 months ago +18

      @@Zaraaashiigal youtube is becoming like those commercials where a person - for example - would just dump a bowl of popcorn and then someone would dump a bowl of chips and a voice says "HAVING PROBLEMS WITH BOWLS??" and then the ad begins for a 'new bowl' that has arms attached that go on your thighs when you sit down, so that the bowl doesn't spill as easily.... YT is becoming the "before" (where people just dump bowls stupidly) as the title of the videos here, and then when you click on the video and watch it, it becomes the "after" (where the solution of the new bowl type is shown) - all just clickbait to get people to watch... like the "YOU are doing ______ wrong!" trope lol

    • @MarcosAlexandre-no3qx
      @MarcosAlexandre-no3qx 7 months ago +7

      I heard about it, but it was not from the companies if I remember right, but the nsa and the cia would know about this exploit and not inform because they could use it to gather information on people of their interest.

    • @Zaraaashiigal
      @Zaraaashiigal 7 months ago

      @@MarcosAlexandre-no3qx You lost me at "The NSA and the CIA".

  • @DerSolinski
    @DerSolinski 8 months ago +868

    Why is there an expense claim for 200 pizzas labeled "security measure"?
    To prevent a side channel attack Sir.
    So this has nothing to do with several complaints about an "obnoxious party" from the locals?
    Absolutely not, Sir.

    • @rightwingsafetysquad9872
      @rightwingsafetysquad9872 8 months ago +130

      If we have an obnoxious party every night, the data miners can't figure out which ones mean we're going to war.

    • @skop6321
      @skop6321 8 months ago +17

      @@rightwingsafetysquad9872 oh yea its bigbrain time

    • @IanBPPK
      @IanBPPK 8 months ago +9

      @@Velocifyer They do now to obfuscate, initially it was from a very short list of places.

    • @tutacat
      @tutacat 8 months ago +4

      "Don't give your real address"
      "I. P. Freely"

    • @bb5242
      @bb5242 7 months ago +5

      Just randomly hold Pentagon pizza nights.

  • @VivBrodock
    @VivBrodock 8 months ago +272

    putting out this video a couple days after a side channel attack was found on M1 chips is *_wild_* timing

    • @SeekingTheLoveThatGodMeans7648
      @SeekingTheLoveThatGodMeans7648 8 months ago +14

      Perhaps the You Tube algorithm also helped by noticing the intersection of topics with a trending thing. This could have been mad obscure, otherwise.
      At any rate, due to vulnerabilities like this, various speculative executions, due to not wanting to go hog wild due to errors incurred during them if they are wrong, can tap out data that should never have been visible to you.
      Truly serious security in the face of this sounds like it means never letting anything that could be hostile run on your secure computer at any level. Not even websites. As burglar alarms and burglar proof doors get better, data burglars get more clever.

    • @leogama3422
      @leogama3422 8 months ago +92

      he speculatively recorded it

    • @DanielBoctor
      @DanielBoctor  8 months ago +73

      Underrated comment lol. In all honesty it was a coincidence. These videos take a very long time to make - I actually started working on this about a month ago. I'm just as surprised as you guys are 🤯

    • @l33tninja1
      @l33tninja1 7 months ago

      @@SeekingTheLoveThatGodMeans7648 honestly I don't think we should have the internet linked to anything vital like our ships, food production and security. Should be as separated from the web as we can manage and the controls should always be on site only.

    • @devonwilliams2423
      @devonwilliams2423 7 months ago

      @@DanielBoctor sure bro, can you stay in town one more day? Boeing lawyers have a few more questions
      Oh and good news! They booked you a nice hotel with an incredible parking lot 🎉

  • @nobobo2401
    @nobobo2401 7 months ago +22

    This reminds me of modern warfare 2 (original one on 360). If you spam click matchmaking and back out right before it gets to 100% about 10 times then quickly load into a private lobby, it will load a bunch of randoms into your private game. That game was so full of bugs but the most fun COD ever.

  • @filker0
    @filker0 8 months ago +94

    There are some CPUs that have speculative execution and branch prediction but don't access memory that is not accessible by the thread. Instead, they note the exception when the address isn't in the active page table and, if the branch isn't taken, raise the exception. These include many power pc flavors.

    • @rufmeister
      @rufmeister 8 months ago +11

      Unfortunately, not the M1/M2, it seems.

    • @filker0
      @filker0 7 months ago +7

      @@rufmeister Not a PPC, ARM followed the Intel memory management model.

  • @kayakMike1000
    @kayakMike1000 8 months ago +141

    It's NOT just the OS that detects you're out of bounds. There's hardware called an MMU that sets an exception or interrupt for an access fault. The OS just initializes this when it sets up an address space. In smaller microcontroller systems, you MIGHT have a rudimentary MPU, but not a full MMU.

    • @BillAnt
      @BillAnt 8 months ago +29

      Right, a well designed MMU should not allow leaking of data into the cache on out-of-bounds memory calls. The problem is likely with the CPU's speculative processing then backtracking on failure without clearing the cache.

    • @kreuner11
      @kreuner11 8 months ago +1

      @@BillAnt yes

    • @kayakMike1000
      @kayakMike1000 8 months ago +6

      @@BillAnt yup, you're correct. I was vomiting up an angry comment when he just said something about the OS emitting a segfault. I just really get wound up when people minimize the hardware.

    • @__christopher__
      @__christopher__ 8 months ago +2

      @@BillAnt if it would catch the illegal access during speculative execution and simply stop the speculative execution in that case, the indexing with the restricted data would not be executed even speculatively, and thus there would not be any cache change in accessible memory that you might run your timing attack on.

    • @MRL8770
      @MRL8770 8 months ago +4

      I believe the confusion might've arisen from the fact that the UNIX-like kernels emit the SEGFAULT signal to a process that caused it (which is in fact irrelevant to memory protection as contrary to what Daniel said, the process can still run and access data after receiving that signal), but as you said, the actual segmentation fault comes directly from the MMU as an interrupt.

  • @JohnUsp
    @JohnUsp 7 months ago +27

    In Brazil the same happened in the '60s, when suddenly a bakery in a rural area received a huge order of hundreds of breads, they "followed the bread" and discovered the camping of a guerrilla army.

  • @Amir_404
    @Amir_404 8 months ago +170

    An important thing to note is that there were *probably* no cases of Spectre leaking data in the wild. It was a new class of possible exploits so experts freaked out because nobody knew what could come of it; however (by sheer luck) nobody ever found a usable attack using Spectre. The fastest leak found was 60 bits/hour, and it would take a theoretical unrelated exploit to find what memory address had the data you wanted to steal.

    • @KiraSlith
      @KiraSlith 8 months ago +14

      In an optimal setup with a small cache and RAM pool, it could be used to retrieve otherwise inaccessible/secret encryption keys. Technically it'd be easier to just bung whatever app you're trying to steal keys from into a compromised virtual machine engine (FOSS hypervisors like KVM are easy to exfiltrate data from) or exploit DMA devices (like the ethernet controllers on most motherboards) to dump system memory in pages until you find the desired keys. [Edit: Typos]

    • @saddish2816
      @saddish2816 8 months ago +13

      nation states will have known about this before it was made public and would have used it, unless they had better methods of achieving the same thing

    • @_BangDroid_
      @_BangDroid_ 8 months ago +18

      @@saddish2816 And which APT groups are we talking about? Considering even now after everyone knows the technical details there are still no valid exploits for vulnerable silicon, your assertion is entirely speculative.

    • @ABaumstumpf
      @ABaumstumpf 8 months ago +18

      "The fastest leak found was 60 bits/hour" !?!?!
      WTF? Why are you lying about this? It was demonstrated to be fast enough for video transmission even.

      @Mavendow 8 months ago +28
      @Mavendow 8 หลายเดือนก่อน +28

      ​@@ABaumstumpf The initial research showed what he says, but you're right, later research did find a far better method. He's not lying, just plain wrong.

  • @Knyllahsyhn
    @Knyllahsyhn 8 months ago +114

    I already heard about this from an interview with the researchers that found the vulnerability, but you sure did one hell of a job to visualize and break it down. Funnily, code remaining in some part of some memory has been used in higher-level attacks, like the famous Tweezer Attack on the Wii. Crazy how since the early days of computing, more and more layers have been added, leading to similar problems on lower levels.

    • @raven4k998
      @raven4k998 months ago

      well shit now we need an entirely NEW cpu architecture to get around this problem🤣🤣🤣🤣🤣

  • @vishipsherrah
    @vishipsherrah 8 months ago +277

    I expected you to talk about that shady intel management thing that has unlimited control over cpu and runs mysterious code that only intel knows what it does

    • @BrandonFifer
      @BrandonFifer 8 months ago +81

      The Intel Management Engine?

    • @shinobuoshino5066
      @shinobuoshino5066 8 months ago

      Probably because you're sub-68IQ cretin who has been on 4chan for too long and spent a total of 0 seconds researching how it works, when used as intended, if you knew intended use and actually put your time into tinkering with it, you may or may not have figured out how it works just like many people did who know what it does because reverse engineering even a total black box is trivial.

    • @DanielBoctor
      @DanielBoctor  8 months ago +123

      Can you link to what you're referring to? Could be a topic for a future video 👀
      EDIT: seems like it is Intel Management Engine. Going to look into this.

    • @ryansullivan3085
      @ryansullivan3085 8 months ago +43

      Ah that's a comforting thing for an Intel CPU user to hear

    • @TheSensationalMr.Science
      @TheSensationalMr.Science 8 months ago +13

      from what I could find I heard it runs a modified version of minix to run microcode [CPU code] on the CPU microcontroller.
      though I don't know if that is true or not... haven't cut open a CPU or tried debugging it their way to get there.
      though it would be interesting learning more about it, so that we can understand *WHAT* it does, and how like this explanation did.
      [also he probably can't... YouTube hates links] just search *intel management engine* and you'll find a wiki and the intel page about it... though I don't know about any vulnerabilities using it though.
      Hope you have a great day & Safe travels!

  • @whamer100
    @whamer100 8 months ago +45

    this was the first video I've seen that actually showed this exploit in a very easy to digest manner (I'm a computer science major, so I already understood the technical details, but this reinforced it in a way that makes way more sense than I originally had thought)

    • @DanielBoctor
      @DanielBoctor  8 months ago +6

      That's pretty awesome, glad it was able to help! Thanks for the support ❤️

    • @snorman1911
      @snorman1911 6 months ago

      Look everyone, we got a computer science major over here!

  • @SlightlyNasty
    @SlightlyNasty 8 months ago +25

    Nice explanation! I remember when this broke originally all the news coverage just handwaved over the actual cache extraction part, so I was never clear on how the timing attack actually determined the specific value. That array indexing trick is nifty.

    • @robertsmith2956
      @robertsmith2956 7 months ago

      I never got an answer about the Pentium math bug. Which way did it fail? Should I use it to do my taxes?

  • @macksii
    @macksii 8 months ago +25

    I know nothing about computer vulnerabilities but you made it incredibly digestible to understand. nice work!

    • @DanielBoctor
      @DanielBoctor  8 months ago +3

      Thanks for the kind words! Keep on doing what you're doing 😊

  • @glitchy_weasel
    @glitchy_weasel 8 months ago +108

    The best explanation of this vulnerability hands down! Fantastically done!!

    • @DanielBoctor
      @DanielBoctor  8 months ago +11

      I'm honoured, thank you!

    • @davidvelasco4423
      @davidvelasco4423 8 months ago

      What would you know about that? You're a furry.

  • @juliangi8169
    @juliangi8169 8 months ago +83

    This was insanely well explained. Great Video!

    • @DanielBoctor
      @DanielBoctor  8 months ago +6

      Thank you!! Glad you liked it 😊

  • @jacob_90s
    @jacob_90s 8 months ago +9

    You know what's really funny is I remember hearing a lot about this at the time, but it wasn't until just a few days ago that I finally found a video that made it click for me how this worked... and now you come out with this one which does an even better job of explaining it.
    Also, just to note, I believe that most of the vulnerabilities are not capable of accessing the memory of other processes at all. The biggest concern has been programs like browsers, where code is all running inside the same process, and you have cookies, passwords, credit card numbers, etc which could all potentially be accessed.
    It seems like for a permanent hardware fix, either they need to evict the data from the cache, or have a separate, speculative cache which is then later committed to the main cache.

    • @robertsmith2956
      @robertsmith2956 7 months ago

      speculative memory should be flushed if it is wrong, and locked down till it knows if it was wrong.

  • @MertonDingle1111
    @MertonDingle1111 5 months ago +5

    This is one of the best explainer videos I've seen.
    You simplify something very complex, and yet do not skip anything.
    All within a very short time frame.

    • @DanielBoctor
      @DanielBoctor  5 months ago +2

      thank you for this. I appreciate the support

    • @MertonDingle1111
      @MertonDingle1111 5 months ago

      @@DanielBoctor You very much deserve it!

  • @ryangrogan6839
    @ryangrogan6839 8 months ago +36

    A side channel attack is a way of deriving information simply by observing the function of a system. Usually it's info you shouldn't normally be able to derive.

  • @tiredpotato5539
    @tiredpotato5539 8 months ago +31

    Dude. I love your videos, you choose very interesting topics and explain them BEAUTIFULLY.

    • @DanielBoctor
      @DanielBoctor  8 months ago +3

      Glad you think so! Thank you for the support Tired Potato ❤

  • @MrMCMaxLP
    @MrMCMaxLP 8 months ago +5

    This was a great video, thanks for explaining the exploit in detail. In my computer architecture class, the professor mentioned these attacks but never actually explained how they worked. I never realized that speculative execution would mess up with the cache!

  • @ethanlewis1453
    @ethanlewis1453 6 months ago +3

    @2:20 "they're the worst computer bugs in history" I thought they were showing a bug flying around the computer for effect but it was actually a fruit fly on my own monitor 🤣

  • @gregs6403
    @gregs6403 6 months ago +2

    This is so well explained. So many tech channels flounder when they try to explain the actual mechanisms at hand, but you clearly have a truly excellent understanding. Thank you for making this.

    • @DanielBoctor
      @DanielBoctor  6 months ago +3

      thank you for the feedback! I appreciate it. I'm glad you thought so

  • @darkguardian1314
    @darkguardian1314 7 months ago +3

    Side channel attack is like gravity or dark matter.
    You see the effects even though you don't know what's happening.
    Going to have to do a deep dive to get up to speed.

  • @chasebrower7816
    @chasebrower7816 8 months ago +3

    Feels very rare that a channel makes content this cogent and well organized. Great job!

    • @DanielBoctor
      @DanielBoctor  8 months ago +1

      wow, I'm honoured to receive such a comment. thank you for the support!

  • @geraldfisher7460
    @geraldfisher7460 8 months ago +3

    The last time I tried programming something was a TV remote 3 decades ago. That being said this was fascinating! Well done.

  • @theideaofevil
    @theideaofevil 7 months ago

    Computer Scientist and Senior Programmer/Analyst here, you've done a great job covering branch prediction and the problem of thrashing the cache here. Minimizing your bottleneck to main memory is one of my favorite architectural problems and I use it all the time to illustrate architectural principles to juniors.

  • @tripplefives1402
    @tripplefives1402 8 months ago +8

    In the video you said that the operating system prevents your program from accessing memory of other programs, this is not so. The operating system loads in the page table in each core for the current process running on that core (each process is a page table from the CPU hardware point of view, each thread is a stack) every time it does a context switch invoked by the system timer interrupt handler. It's the actual CPU hardware itself that does the privilege check on memory access according to flags set in the page table entries for that address being accessed. If flags don't allow it or if the address is not present then it invokes a page fault interrupt handler from which the OS can spawn a dialog box process and kill process or it can sleep the process and notify the hard drive driver to read in the virtual memory for the missing page entry.
    So on the event that you access memory you are not allowed to get, the CPU will see the flags in the page table and invoke the interrupt handler for page faults. The kernel ISR then just populates a log entry with the values stored in registers, puts the bad process to sleep, and quickly exits. The kernel process then sees that log entry and does the work of unloading the stopped process (stopped being just a flag in a data structure that the system timer ISR sees to know not to switch in the page table for the stopped process).

    • @DanielBoctor
      @DanielBoctor  8 months ago +1

      This is very interesting, thanks for pointing it out! I didn't realize this at the time. Thanks for sharing all this info. I went ahead and updated my pinned comment. Thanks again!

    • @BSOD.Enjoyer
      @BSOD.Enjoyer 7 months ago

      @@DanielBoctor 2:27 can spectre really allow user to access virtual memory from other processes? each process has their own address space
      if mspaint.exe calls ptr=malloc(1), chrome.exe won't have a virtual address that translates to same physical address as what ptr inside mspaint.exe translates to
      whatever out of bound array access chrome.exe is doing, it won't access ptr inside mspaint.exe
      based on your description of spectre, i don't see how reading virtual memory from other process is possible

  • @floodtheinbox
    @floodtheinbox 7 months ago

    There are a lot of videos talking about computing exploits but the way you wrote and described this one is super approachable and made it really easy to understand.

  • @oscarcharliezulu
    @oscarcharliezulu 8 months ago +4

    Whoa. Just goes to show how hard security really is. If not truly possible.

  • @icannotbeseen
    @icannotbeseen 8 months ago +1

    I worked tech support for a virtualisation company while this was current and I’m feeling the nostalgia 😭

  • @darkguardian1314
    @darkguardian1314 8 months ago +3

    Nice opening shots of USS Makin Island (LHD-8).
    She wasn’t in service during Desert Storm.
    Back then we were riding on Tarawa Class like LHA-3 Belleau Wood. 😊

    • @DanielBoctor
      @DanielBoctor  8 months ago +2

      haha, you got me there! cool to know

    • @darkguardian1314
      @darkguardian1314 7 months ago +1

      @@DanielBoctor This beats CNN effect covering the attack as it happened. Iraq just had to watch CNN for info.
      We complained about too much information being put out during an active assault.
      That continued with the second war with embedded reporters like Geraldo Rivera drawing maps in the sand that got him kicked out of the field. 😆

  • @cleoh3
    @cleoh3 8 months ago +2

    Wow, I usually have trouble focusing on technical videos like this, but you presented this beautifully. It's fascinating stuff too which certainly helps, but you explained it in an impressively digestible way. Thank you very much!

  • @scootsmcgoots1
    @scootsmcgoots1 8 months ago +3

    This was fascinating and really well explained. Great video

  • @anythingbenz4005
    @anythingbenz4005 8 months ago +3

    Government needs to start baking their own in house pizza before someone poisons them all lol

  • @exildur
    @exildur 8 months ago +5

    Absolutely fascinating video, and very well made & explained!

    • @DanielBoctor
      @DanielBoctor  8 months ago +1

      Glad you liked it! Thanks for the comment

  • @JazzJackrabbit
    @JazzJackrabbit 7 months ago +1

    The obvious solution to this problem would be to clear the cache automatically once there is an incorrect branch prediction.

  • @Originalimoc
    @Originalimoc 8 months ago +3

    explain starts at 10:50

  • @pranaypallavtripathi2460
    @pranaypallavtripathi2460 7 months ago +2

    An extremely complex topic explained in an extremely simple way. True hallmark of an expert. Keep this up. Subscribed 👍

    • @DanielBoctor
      @DanielBoctor  6 months ago +1

      Much appreciated!

  • @aeaeaeaeoaeaeaeaeae
    @aeaeaeaeoaeaeaeaeae 8 months ago +4

    Wait, so how can modern CPUs do this securely?

    • @stargazer7644
      @stargazer7644 7 months ago +4

      you make sure to roll back ALL changes, including flushing the cache

  • @soacespacestation8556
    @soacespacestation8556 months ago

    Quite a nice hook you have there. It starts out with an interesting, seemingly unrelated topic, which is a military group wanting to know when air raids will occur.
    Then you mentioned an extraordinary, very unexpected way to do so. Pizza!
    At the end, you tied the hook with the topic at hand by explaining that the Pizza index being used to indirectly access confidential information is a side channel attack. You also implied that the computer bugs talked about in this video use the same thing.
    I think your introduction is well made. I rarely like videos, but if I had to, this one would be on the almost empty list. Great job!

    • @DanielBoctor
      @DanielBoctor  25 days ago

      thank you! I really appreciate this comment, haha. I'm honored :)

  • @YeloPartyHat
    @YeloPartyHat 8 months ago +3

    Wow. Great explanation. I knew about this before but never has it been so well explained

    • @DanielBoctor
      @DanielBoctor  8 months ago +1

      haha, I'm honoured you think so ❤

  • @JohnSmith-of2gu
    @JohnSmith-of2gu 7 months ago

    A comprehensive explanation, not excessively technical, with excellent visual aids to boot. BRILLIANT VIDEO!

  • @Luzum
    @Luzum 8 months ago +4

    great vid, gj with the editing and analogies, keep doing what u do

    • @DanielBoctor
      @DanielBoctor  8 months ago +1

      Thanks for the kind words

  • @kineticcat5557
    @kineticcat5557 8 months ago +1

    FANTASTIC video! makes the attack super understandable and now I'm going to use that side-channel example everywhere

    • @DanielBoctor
      @DanielBoctor  8 months ago +1

      I know, it's a great analogy. Thanks for watching!

  • @YellowDice
    @YellowDice 8 months ago +10

    i do like how the headlines for the hot fixes for these were like 20% performance decrease!!!! When in real-time the difference is near unnoticeable.

    • @Bialy_1
      @Bialy_1 8 months ago +7

      Because 20% performance decrease in real-time is near to unnoticeable...

    • @Blox117
      @Blox117 7 months ago +2

      unnoticeable if all you use your computer for is minecraft, fortnite, and tiktok

  • @SIPEROTH
    @SIPEROTH 8 months ago

    I am far away from understanding coding and detail CPU ways of operation but I got the essence of what happens here.
    You are doing a good job explaining things in a relatively uncomplicated way.

  • @Speedojesus
    @Speedojesus 8 months ago +2

    We made rocks think with electricity and maths, and look where we are.
    Industrial society, and so on.

  • @4u2nvinmtl
    @4u2nvinmtl 6 months ago +1

    They caught Pablo like this as well. He ordered too many tacos for delivery all at once.

  • @Xenonuxium
    @Xenonuxium 8 months ago +9

    Thanks to you, I finally understood it!

    • @DanielBoctor
      @DanielBoctor  8 months ago +2

      That's awesome to hear! I'm honoured 😊. Thanks for watching

  • @slime_stick
    @slime_stick 8 months ago +2

    I loved this video! ❤
    Finally got an explanation for this surprisingly simple exploit.
    I will say, I would have loved a section on spectre mitigations instead of ending the video on an unfinished note

    • @DanielBoctor
      @DanielBoctor  8 months ago +3

      Thank you! I definitely realize now that I should have included a section on patches / mitigations. Going to keep this in mind for future videos.

  • @Dreamer66617
    @Dreamer66617 8 months ago +2

    10/10 video subbed. nice visuals direct and clear explanations

    • @DanielBoctor
      @DanielBoctor  8 months ago +1

      Thanks! Glad to have you as part of the community

  • @rustycherkas8229
    @rustycherkas8229 8 months ago +2

    Who remembers when the "Strava" Fitbit maps were revealing the locations of "secret" military installations?

  • @TheLexikitty
    @TheLexikitty 8 months ago +3

    Fantastic video, instant sub 💞

    • @DanielBoctor
      @DanielBoctor  8 months ago +2

      Glad you liked it! Thanks for the sub

  • @haystackyarn
    @haystackyarn 8 months ago +1

    The fact that you were able to something insane so so simply is insane. Great video

  • @liggerstuxin1
    @liggerstuxin1 8 months ago +3

    1:47 We can figure out your fingerprint by the audio of your fingerprint, swiping the screen? I don’t know that sounds like that would be really inaccurate. I get that there are technologies that the public isn’t privy to, but I’m sure there is a good amount of posturing and bluffing. To make the government sound more powerful, where they might actually be more inept, and given too much credit.

    • @DanielBoctor
      @DanielBoctor  8 months ago +3

      It's brand new research, and I'm no expert on the matter, but I'll link to the source below in case you want to take a look yourself.
      here's an article that discusses it:
      www.tomshardware.com/tech-industry/cyber-security/your-fingerprints-can-be-recreated-from-the-sounds-made-when-you-swipe-on-a-touchscreen-researchers-new-side-channel-attack-can-reproduce-partial-fingerprints-to-enable-attacks
      and here's the underlying paper:
      www.ndss-symposium.org/wp-content/uploads/2024-618-paper.pdf

    • @liggerstuxin1
      @liggerstuxin1 8 months ago +2

      @@DanielBoctor Jesus Christ that is impressive and also terrifying. We are absolutely in the future where anything is possible. I appreciate the source. I checked a couple other sources as well. Just didn’t think it was remotely possible. Subbed

  • @jafaremir1403
    @jafaremir1403 7 months ago +1

    Mission Impossible’s next film: CPU Gaslight protocol

  • @IvanToshkov
    @IvanToshkov 8 months ago +2

    This is really well explained. Thank you!

  • @bannawitkongkasmut
    @bannawitkongkasmut 5 months ago +1

    thank you i just got this randomly recommended and your explanation was easily digestible enough so that i with no understanding in coding was able to enjoy this video

    • @DanielBoctor
      @DanielBoctor  5 months ago +1

      haha, that's awesome!

  • @jussiheino
    @jussiheino 8 months ago +2

    Good stuff, clear explanation

  • @3rdalbum
    @3rdalbum 3 months ago

    I already knew what a side channel attack was, but this is the most elegant description of it I've ever heard. Great work!

  • @narayanbandodker5482
    @narayanbandodker5482 8 months ago +16

    So I guess they "fixed" this bug now using microcode updates on some older CPUs now? Or are there still billions of CPUs that are silently leaking data?

    • @polinskitom2277
      @polinskitom2277 8 months ago +7

      still some leaking data, i.e, i3-2xxx to i5-6xxx are still unpatched to this day, amd put more effort into patching older CPUs than intel, with the only ones being unpatchable are cpus older than 2006

    • @Ocastia
      @Ocastia 8 months ago +1

      To be fair Skylake is now over 8 years old so whilst this isn't great I doubt that it matters too much.

    • @Momi_V
      @Momi_V 8 months ago +9

      There are workarounds in modern OS-Kernels. They don't fix the underlying issue, but are more careful when switching around between different processes and memory accesses. This mostly works, but has a performance overhead that can be significant (>10%) in some workloads. Some people insist on booting Linux with mitigations=off to get back that bit of extra performance, but make themselves vulnerable to those "fixed" attacks in the process.

    • @rightwingsafetysquad9872
      @rightwingsafetysquad9872 8 months ago +2

      @@polinskitom2277 Maybe I'm wrong, but if the 7th gen chips were patched, I'd imagine the 6th gen were as well because they're the same architecture. Half-way through the 8th generation hardware fixes were introduced. Unfortunately the only reliable way to determine if a particular 8th gen chip has fixes is to look up the model number. 9th gen and newer should be completely good.

    • @stefanl5183
      @stefanl5183 7 months ago +2

      It's a theoretical exploit, that would be very impractical to utilize in the real world. The problem is the process executing the exploit may know that it's reading memory outside its process, but it has no idea of what resides in that memory and whether it's anything valuable or useful.

  • @Redsmeg68
    @Redsmeg68 7 months ago +1

    The people that figure this stuff out are geniuses

  • @pinnacleexpress420
    @pinnacleexpress420 8 months ago +3

    ~13:00 kinda sounds like AI. Have computers been using AI to speed up tasks for some 20 years ?

    • @DanielBoctor
      @DanielBoctor  8 months ago +2

      It certainly sounds like it, but it's not. These predictions are typically made using simpler heuristic-based or statistical approaches, which tend to be based on the history of taken and not-taken branches, rather than 'real' AI algorithms. It's a fascinating area. I'd love to dive deeper into the concept, but it's a little out of scope for me at the moment. Perhaps someone else can chime in with some lower level details.

  • @fletcherluders415
    @fletcherluders415 6 months ago +1

    Wow, that was the most simple and straightforward explanation of this attack that I've heard!

  • @Elesario
    @Elesario 8 months ago +9

    Interesting this came out when they've just found there's a side-channel exploit in the M series chips used in apple computers.

    • @DanielBoctor
      @DanielBoctor  8 months ago +4

      I know, it's a crazy coincidence. I started working on this video about a month ago too.

    • @pixobit5882
      @pixobit5882 8 months ago +2

      @@DanielBoctor I've watched this video a few hours ago and now I've stumbled across a primeagen video about the M series problem, where LowLeveLearning explains exactly the same as you did in this video.

  • @tamertamertamer4874
    @tamertamertamer4874 8 months ago +1

    Ngl that’s absolutely crazy. Also nice timing with the M1 thingy even though you didn’t know about it yet :)

  • @jacobparasite
    @jacobparasite 7 months ago +1

    That is the highest quality of communication I’ve seen in any format for a long time - what a fucking achievement - well done

    • @DanielBoctor
      @DanielBoctor  7 months ago +1

      haha, this is one of my favourite comments of all time. I'm honoured. thank you for the support ❤️

  • @monad_tcp
    @monad_tcp 8 months ago +7

    6:44 The Von Neumann bottle-neck is an absurd way to operate. As John Backus said back in the day, the way we made programming languages and hardware is totally insane and backwards, it worked for simpler machines but it was basically a bodge, and he tried to refuse his Turing award, but was talked out of it.
    That's how wrong our programming languages and hardware are. That was more than 50 years ago, and people keep venerating Unix, C and von Neumann CPU like a cult or church, like perfection, but that's barely a start. We should do better.
    Well, this field is very young, and there's much to do to have a perfect cathedral.

    • @drivers99
      @drivers99 8 months ago +1

      Interesting! Any good search terms to find out more? I’m interested in building computer architectures and other systems from scratch.

    • @kreuner11
      @kreuner11 8 months ago +1

      @@drivers99 don't worry about this guy, I'm not sure how the fact it takes a while to read computer memory is related to its pure architecture. One could make an ISA which is more explicit in what to do in that gap though

    • @afterthesmash
      @afterthesmash 8 months ago +3

      John von Neumann was perhaps the smartest guy alive in this field at the time he pioneered digital computation at the IAS. His approach unified code and data, which was a big deal. Anyone else could have come along since then and proposed a better method suited to subsequent generations of hardware, including John Backus. It never happened because it's a very hard problem. There are a finite number of pins on the CPU package. That's where the bottleneck originates, not the von Neumann architecture. I studied Backus's proposal for the programming language FP back in the 1980s. There was merit in what he was proposing at the software level, but he never contributed anything useful to hardware architecture other than hot air.

  • @1337bitcoin
    @1337bitcoin 4 months ago

    Wow. You explain very complex algorithms so freaking well that it's captivating.

  • @billyj.causeyvideoguy7361
    @billyj.causeyvideoguy7361 7 months ago +4

    You ever think about the fact that we are only one exploit away from being forced back to the 80s in terms of technology?

    • @stargazer7644
      @stargazer7644 7 months ago +1

      This is why security is done in layers. It really doesn't matter if you have an exploit to steal memory data if you can't get through the firewall to implement it.

  • @spoobspoob2270
    @spoobspoob2270 7 months ago

    This was a wonderfully executed video in all aspects. Having these explained to me like this actually blew my mind. The final conclusion was satisfying and brought everything you talked about together beautifully. Well done

  • @olegmakarikhin
    @olegmakarikhin 8 months ago +5

    Spectre and meltdown in smartphones? 😮

  • @swdev245
    @swdev245 8 months ago +1

    What a coincidence. Coming here from ThePrimeTime video where he lets a security researcher who just so happened to be in his chat explain the topic. Great video.

  • @dexterantonio3070
    @dexterantonio3070 8 months ago +4

    How did they try to patch it?

    • @sub0rLai
      @sub0rLai 8 months ago +1

      it's un-patchable, you need a new CPU without speculative execution and branching. don't even know if they exist atm.

    • @dexterantonio3070
      @dexterantonio3070 7 months ago

      @@sub0rLai That is not entirely true. I know intel sent out some fix that ended up bumping up some server energy consumption by 40%

    • @netkv
      @netkv months ago

      im bit late but lscpu on my 3570k shows
      Spectre v1: Mitigation; usercopy/swapgs barriers and __user pointer sanitization
      Spectre v2: Mitigation; Retpolines; STIBP disabled; RSB filling; PBRSB-eIBRS Not affected; BHI Not affected
      Meltdown: Mitigation; PTI
      idk what it means but it must have been patched somehow, probably resulting in lot of performance i'd guess
      if it wasn't then like everyone would buy new cpus
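
An added example, not part of any comment in this thread: a small Python reader for the kind of status lines @netkv quotes from lscpu, which also checks for the `mitigations=off` boot parameter @Momi_V mentions. The function names are this example's own; the sysfs directory, `/proc/cmdline` and the boot parameters are the Linux kernel's, and the sample text is the three lines from the comment above.

```python
"""Classify Linux CPU-vulnerability status lines (added example, not from the thread)."""
import re
from pathlib import Path

# Standard Linux sysfs directory; one file per issue (spectre_v1, meltdown, ...).
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# The three lines quoted in the comment above, used when sysfs is unavailable.
SAMPLE_LSCPU = """\
Spectre v1: Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Spectre v2: Mitigation; Retpolines; STIBP disabled; RSB filling; PBRSB-eIBRS Not affected; BHI Not affected
Meltdown: Mitigation; PTI
"""

# Boot parameters that switch mitigations off (a subset of the kernel's list).
DISABLING_PARAMS = ("mitigations=off", "nopti", "nospectre_v1", "nospectre_v2")

# sysfs writes "Mitigation: ..."; lscpu rewrites the colon as ';'. Accept both.
_KEYWORD = re.compile(r"^(mitigation|vulnerable|not affected|unknown)\b\s*[:;]?\s*", re.I)
_STATES = {"mitigation": "mitigated", "vulnerable": "vulnerable",
           "not affected": "not_affected", "unknown": "unknown"}
# Sub-items worth a second look: a feature reported off, or "SMT vulnerable".
# Whether they matter depends on the machine (SMT enabled or not, workload).
_REVIEW = re.compile(r"\b(vulnerable|disabled)\b", re.I)


def classify(status):
    """Return (state, review_items) for one status string."""
    text = status.strip()
    match = _KEYWORD.match(text)
    if not match:
        return "unknown", []
    state = _STATES[match.group(1).lower()]
    parts = [p.strip() for p in text[match.end():].split(";") if p.strip()]
    return state, [p for p in parts if _REVIEW.search(p)]


def parse_report(text):
    """Parse 'name: status' lines (lscpu or sysfs style) into {name: (state, items)}."""
    report = {}
    for line in text.splitlines():
        name, sep, status = line.partition(":")
        if not sep or not status.strip():
            continue
        # lscpu prefixes each name with the word "Vulnerability"
        name = re.sub(r"^Vulnerability\s+", "", name.strip())
        report[name] = classify(status)
    return report


def read_sysfs(directory=SYSFS_DIR):
    """Return the sysfs entries as 'name: status' lines, or None off Linux."""
    if not directory.is_dir():
        return None
    files = sorted(f for f in directory.iterdir() if f.is_file())
    return "".join(f"{f.name}: {f.read_text().strip()}\n" for f in files)


def disabling_params(cmdline):
    """List boot parameters on the kernel command line that disable mitigations."""
    return [p for p in cmdline.split() if p in DISABLING_PARAMS]


if __name__ == "__main__":
    text = read_sysfs() or SAMPLE_LSCPU
    for name, (state, items) in parse_report(text).items():
        suffix = f"  (review: {', '.join(items)})" if items else ""
        print(f"{name:28} {state}{suffix}")
    cmdline = Path("/proc/cmdline")
    if cmdline.exists():
        off = disabling_params(cmdline.read_text())
        if off:
            print("boot parameters disabling mitigations:", " ".join(off))
```
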

  • @gaiustacitus4242
    @gaiustacitus4242 8 months ago +1

    Gamers always know when military operations are getting underway. How? Military personnel notify their guilds that they will be absent to avoid being kicked from the guilds. They also make similar arrangements to make bill payments, to have mail delivery changes, and many other things that "side channel" analysis can use to make accurate predictions.

  • @knghtbrd
    @knghtbrd 8 months ago +5

    To explain Spectre and Meltdown, imagine a bus that arrives every 0.35 seconds. That bus runs you over, despite the bus working properly and being driven by a licensed driver. … No?
    Two of you thought this was funny.

    • @DanielBoctor
      @DanielBoctor  8 months ago +3

      I must be one of the two LOL

    • @knghtbrd
      @knghtbrd 8 months ago

      @@DanielBoctor I was going to further feed the beast with a pun about HOME's We're Finally Landing, but that might be a little too on the nose. Besides, you weren't even eating a slice of pizza while explaining this, sheesh.
      I'll stop now. 😁 Enjoyed the video!

  • @MinishMan
    @MinishMan 8 months ago

    Awesome explanation. So clear! Made me think about how our central nervous system runs this kind of speculative execution on sensory inputs and can even act directly before brain (CPU) processing. If you touch a very hot surface, your CNS will jerk your hand back long before your brain has evaluated the full sensory input and come up with your 'real' response.

  • @HamguyBacon
    @HamguyBacon 8 months ago +5

    These are not vulnerabilities or accidents, they are deliberate and demanded by the unintelligence agencies.

    • @xSaDii
      @xSaDii 8 months ago +3

      Yeah, sure, i can imagine the dialog "let's release a potential vulnerability to everyone in the world because we're the only smart people able to understand how it works" 🙄🙄 Anyone in the world could have deciphered this, including North Korea, for example.

    • @robertsmith2956
      @robertsmith2956 7 months ago

      @@xSaDii Yea, North Korea is known for notifying the world of exploits so they can be patched. How long did it take for anyone to figure out VW's emission trick?
      if (OBD2 plugged in == TRUE) .....;

  • @ashrocks8443
    @ashrocks8443 8 months ago +1

    This was an amazing explanation, thank you very much for deepening our understanding about the exploit, I still remember reading about the exploit but couldn't understand the significance of the danger that the systems were facing

  • @cry1273
    @cry1273 8 months ago +3

    First 🎉 nice video

    • @DanielBoctor
      @DanielBoctor  8 months ago +2

      First indeed. Glad you liked it! Thanks for watching ❤

  • @Ahsan_Fazal
    @Ahsan_Fazal 7 months ago +1

    I’m 100% going to steal the example of pizzas to explain side-channel attacks to junior developers!

  • @magicmanchloe
    @magicmanchloe 8 months ago

    1:22 I’m only this far and I already love it. That is one of the best and most intuitive explanations of a side channel attack I’ve ever seen!!!!!!

  • @lukasneuner4760
    @lukasneuner4760 8 months ago

    I have pretty much no experience with coding and only a surface level understanding of CPU architecture etc. and this was the first video about Spectre, that I actually understood. VERY well explained. And yes, now that I see how it works, I agree, that solution to "reading" the data without actually reading it is incredibly elegant.

    • @SeekingTheLoveThatGodMeans7648
      @SeekingTheLoveThatGodMeans7648 8 months ago

      Or, reading and acting on it under cover of an execution environment that doesn't incur a segmentation fault or other consequence of reaching into prohibited memory -- because that's been held off until it is certain that this is a "wanted" speculative execution. If it was not "wanted" then a false alarm would be inappropriate, but the side effects remain. Perhaps "speculative execution failure touched" memory could be identified and evicted from cache if read/written, to obfuscate the timing side effects? This is a sneaky little bug/feature, no matter what.

  • @Youbetternowatchthis
    @Youbetternowatchthis 8 months ago +1

    This is absolutely fantastic. You make all this very easy to follow and understand.
    I finally get how these exploits basically work.
    Really well done!

    • @DanielBoctor
      @DanielBoctor  8 months ago +1

      Thank you!

  • @ZelosZelo
    @ZelosZelo 8 months ago +1

    when are you people going to listen. This underlying theory is sound and TRUE:
    All computing comes down to 1's and 0's. Where there is a will, there is a way.
    All the security is made by us, we are not perfect and our work shows it. We need to look at the direction this is taking us towards.

  • @earthling_parth
    @earthling_parth 8 months ago +1

    Finally, I found another vulnerability explaining channel! Instant sub.

    • @DanielBoctor
      @DanielBoctor  8 months ago +2

      Welcome aboard!

  • @SwirlyTwirl
    @SwirlyTwirl 8 months ago

    I genuinely thought you were going to tell me that the owner of 40 Domino's pizza stores discovered the Spectre and Meltdown exploits and used them to hack the pentagon with that intro lmao

  • @sajinkahnalt
    @sajinkahnalt 8 months ago

    The lemmino music was an incredibly good choice for this video given its topic. It’s some of my favorite music to listen to when focusing on something difficult or working. It’s underrated stuff.

  • @lunafoxfire
    @lunafoxfire months ago

    Oh my gosh that was such a perfect breakdown! I actually feel like I fully understand the exploit enough that I could implement it myself (which I might try, depending on how complicated any glossed-over details are). I've only vaguely known that the exploit involved speculative execution and a timing attack against the cache, but now I actually understand how elegant the exploit actually is.

    • @DanielBoctor
      @DanielBoctor  25 days ago

      I'm glad you thought so! thanks for sharing :)