Meltdown Type

Affected systems include most Intel CPUs since 1995 (Meltdown) and virtually every CPU with speculative, out-of-order execution (Spectre).

  • Meltdown itself also affects some ARM cores (e.g. Cortex-A75) and IBM POWER/PowerPC. AMD Phenom, EPYC and Zen are not vulnerable to Meltdown, but they are vulnerable to Spectre.

Meltdown

The problem

  • Out-of-order execution means instructions are executed before the CPU has confirmed that they should run (for example, before an earlier instruction's fault has been raised or a branch has been resolved).

  • These transiently executed instructions leave microarchitectural side effects in the present (which lines are in the cache), even though their architectural results are discarded.

Basic algorithm

  1. Allocate a 256*4096-byte chunk of memory (256 pages).

    1. 256 because the objective is to recover one byte, which can take a value from 0 to 255; one page per possible value.

    2. Flush these pages from the cache (e.g. clflush) so they exist in RAM but not in the cache.

    3. This gives a timing covert channel, because a cache hit is much faster than an access that goes to RAM.

  2. Prepare for an exception: install a signal handler (or wrap the access in a transaction that will abort) so that the fault in step 3 does not kill the process.

  3. Read a byte from the target memory (outside the scope of the program, e.g. a kernel address). This raises the exception, but the instructions that follow are still executed transiently before the fault is delivered.

  4. Multiply the byte by 4096, so each possible value maps to a different page (a different cache line, out of reach of the prefetcher).

  5. Use that value as an index into the memory allocated in 1. The load brings exactly one of the 256 pages into the cache.

  6. After the exception, time an access to each of the 256 pages; the page that hits in the cache gives the value of the byte. Repeat for the next address.

Spectre

Similar to Meltdown, but exploiting a different flaw.

  • Meltdown exploits an exception: the instructions after the faulting load are still executed transiently, causing side effects that can be measured.

Spectre exploits branch predictors.

  1. Train the branch predictor so that the CPU predicts the branch as taken in the attacker's favour (e.g. call a bounds-checked routine repeatedly with valid, in-bounds indices so the check is predicted to pass).

  2. Execute the condition with an input that will fail the check (e.g. an out-of-bounds index).

    1. The code inside that condition (the out-of-bounds read and the dependent access) is executed speculatively and its result is discarded once the branch resolves.

    2. The timing side effects remain in the cache lines.

  3. Proceed as with Meltdown: time the 256 probe pages to recover the byte.

Because it generates no exception, it can be exploited by attackers who only control inputs to victim code, including remotely.

  • JavaScript running in a browser (reading the browser process's memory).

  • Network drivers or kernel code when processing attacker-controlled packets.

Mitigating Spectre and Meltdown

For remotely exposed systems (browsers, network services), limiting the resolution of timers is a quick first step (browsers coarsened performance.now() and disabled SharedArrayBuffer, which could be used to build a precise timer).

  • The vulnerability still exists; the measurement just becomes much harder. This raises the bar rather than removing the channel, since attackers can rebuild timers or average many measurements.

For local systems, microcode and kernel updates are required.

  • Adding speculation barriers (e.g. LFENCE) after security checks, preventing speculative execution past them, and, for Meltdown, unmapping kernel memory from user-space page tables (KPTI).

  • Having compilers and JIT engines generate code that does not present an exploitable gadget (e.g. masking array indices so a speculative out-of-bounds read cannot reach secret data, and retpolines instead of indirect jumps).
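The leak and the mitigation in one place, as an added example written for these notes (not code from the original page or from any of the published proof-of-concept exploits): the 256-page probe array and Flush+Reload receiver used by both Meltdown and Spectre, a Spectre v1 bounds-check gadget, and the same gadget hardened with an LFENCE barrier plus a branchless index mask in the style of Linux's array_index_mask_nospec(). The victim access here is architectural (a normal store), so the round runs on any x86-64 machine without faulting; in the real attacks the very same access is transient. The "secret" string and the timing numbers in the demo helper are constructed; the x86-only parts (rdtscp, clflush, lfence) fall back to stubs on other architectures, where the timing channel cannot be observed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE        4096
#define PROBE_PAGES 256

/* One page per possible byte value; the victim touches exactly one (step 1 of the notes). */
static uint8_t probe[PROBE_PAGES * PAGE] __attribute__((aligned(PAGE)));

/* Constructed stand-in for memory the attacker may not read architecturally. */
static const uint8_t secret[] = "covert";
#define SECRET_LEN (sizeof secret - 1)

#if defined(__x86_64__)
#include <x86intrin.h>
static void     flush_line(const void *p)  { _mm_clflush(p); }
static void     speculation_barrier(void)  { _mm_lfence(); }
static uint64_t time_access(const volatile uint8_t *p)
{
    unsigned aux;
    uint64_t t0 = __rdtscp(&aux);   /* rdtscp waits for earlier loads to complete */
    (void)*p;
    uint64_t t1 = __rdtscp(&aux);
    return t1 - t0;
}
#else
/* Portable stubs: without cache control the timing channel cannot be observed. */
static void     flush_line(const void *p)  { (void)p; }
static void     speculation_barrier(void)  { }
static uint64_t time_access(const volatile uint8_t *p) { (void)*p; return 0; }
#endif

/* Steps 4-5: byte -> page offset, then touch that page (side effect = one cached line). */
static size_t probe_offset(uint8_t value) { return (size_t)value * PAGE; }
static void   victim_touch(uint8_t value)  { probe[probe_offset(value)] += 1; }

/* Receiver decision (step 6): the page that reloads fastest names the leaked byte. */
static int fastest_page(const uint64_t times[PROBE_PAGES])
{
    int best = 0;
    for (int i = 1; i < PROBE_PAGES; i++)
        if (times[i] < times[best]) best = i;
    return best;
}

/* Constructed timings: one cache hit (~40 cycles) among 255 misses (~300 cycles). */
static int fastest_page_demo(void)
{
    uint64_t times[PROBE_PAGES];
    for (int i = 0; i < PROBE_PAGES; i++) times[i] = 300;
    times[0x63] = 40;                       /* 'c', the first byte of the secret */
    return fastest_page(times);
}

/* One Flush+Reload round: flush, let the victim run, time every page, pick the fastest. */
static int flush_reload_round(uint8_t value)
{
    uint64_t times[PROBE_PAGES];
    for (int i = 0; i < PROBE_PAGES; i++) flush_line(&probe[i * PAGE]);
    victim_touch(value);
    for (int i = 0; i < PROBE_PAGES; i++) times[i] = time_access(&probe[i * PAGE]);
    return fastest_page(times);
}

/* Spectre v1 gadget: a bounds check the predictor can be trained to skip. */
static uint8_t gadget_unsafe(size_t idx)
{
    if (idx < SECRET_LEN)                        /* predicted "in bounds" after training */
        return probe[probe_offset(secret[idx])]; /* transient OOB read leaks via probe  */
    return 0;
}

/* All-ones when idx < size, zero otherwise, computed with arithmetic only so the
 * check also holds under speculation (same formula as Linux's generic helper). */
static size_t index_mask_nospec(size_t idx, size_t size)
{
    return (size_t)((intptr_t)~(idx | (size - 1 - idx)) >> (sizeof(size_t) * 8 - 1));
}

/* Hardened gadget: LFENCE keeps the dependent load from issuing before the branch
 * resolves, and the mask clamps idx so a speculative OOB index selects no probe page. */
static uint8_t gadget_hardened(size_t idx)
{
    if (idx < SECRET_LEN) {
        speculation_barrier();
        idx &= index_mask_nospec(idx, SECRET_LEN);
        return probe[probe_offset(secret[idx])];
    }
    return 0;
}

int main(void)
{
    for (size_t i = 0; i < SECRET_LEN; i++) {
        int got = flush_reload_round(secret[i]);
        printf("byte %zu: leaked 0x%02x%s\n", i, got,
               got == secret[i] ? "" : "  (miss: noisy timer or non-x86 build)");
    }
    (void)gadget_unsafe(0);
    (void)gadget_hardened(0);
    return 0;
}
```

Run it on a quiet x86-64 box and every byte of the constructed secret comes back from the timings alone; on a busy VM expect occasional misses, which real exploits absorb by repeating each round and voting. Note that index masking removes the gadget even without the LFENCE, which is why compilers and JITs prefer it: a barrier costs a pipeline drain on every execution, a mask costs two ALU instructions.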

Problem: new variants keep being presented (other speculation mechanisms, other microarchitectural buffers), exploiting an ever increasing surface, so each mitigation only covers the variants known when it was written.
