When you Accidentally Compromise every CPU on Earth

Daniel Boctor
23 Mar 202415:59

Summary

TLDRThe video script discusses the concept of side-channel attacks, using the 'Pizza Index' as an analogy to explain how unintended information leaks can occur. It delves into the historical and technical aspects of such attacks, highlighting the infamous Meltdown and Spectre CPU vulnerabilities. The script provides a detailed explanation of how these vulnerabilities exploit modern CPU microarchitectures, allowing unauthorized access to memory and potentially sensitive information. It emphasizes the difficulty in patching these hardware-based issues and the widespread impact on computing devices.

Takeaways

  • πŸ“… The narrative begins on January 16th, 1991, during the Gulf War, highlighting an unconventional method of predicting military operations based on late-night pizza orders.
  • πŸ• The 'pizza index' was coined due to the correlation between a surge in pizza orders from government offices and imminent military action.
  • πŸ’‘ Side channel attacks leverage unintended emissions of information from the implementation of protocols or algorithms, rather than exploiting design flaws.
  • πŸ” The text discusses the discovery of the severe computer exploits Meltdown and Spectre, affecting billions of devices worldwide by allowing unauthorized memory access.
  • πŸ› οΈ Meltdown is specific to Intel CPUs post-1995, while Spectre is a broader class of attacks affecting all modern CPUs through speculative execution and branch prediction.
  • 🧱 The foundation of Spectre lies in the CPU's speculative execution and branch prediction, which optimizes processing speed but inadvertently introduces security vulnerabilities.
  • πŸš€ Modern CPUs utilize speculative execution to guess the outcome of branch statements, executing instructions ahead of time to improve efficiency.
  • πŸ”„ When a guess in branch prediction is incorrect, the CPU's cache state is not reverted, leaving data from unauthorized memory accesses in the cache.
  • πŸ•’ Spectre exploits this flaw by conditioning the CPU's branch predictor and using a timing attack to extract information from the cache.
  • πŸ” The vulnerability of Spectre is difficult to patch due to it being a fundamental hardware issue present in all modern CPUs and not a bug in software.
  • πŸŽ“ The video script also promotes learning software engineering concepts through practical, hands-on projects in various programming languages, sponsored by Codec Crafters.

Q & A

  • What event is the video script set against the backdrop of?

    -The video script is set against the backdrop of the Gulf War, specifically the night of January 16th, 1991, which is exactly 5 months and 14 days since the start of the war.

  • How did Frank Meeks discover a method to predict military operations without hacking into military systems?

    -Frank Meeks, owner of 43 Domino's pizza outlets in the Washington DC area, discovered that a spike in late-night pizza orders from government offices could indicate imminent military action. He noticed that the night before large military operations, government officials would stay up all night planning and order large amounts of pizza.

  • What is the 'pizza index' and how does it work?

    -The 'pizza index' is a term coined to describe the correlation between government pizza orders and imminent military action. It is based on the observation that government officials tend to order more pizzas the night before a large operation, as they stay up late planning. This side-channel attack uses pizza orders as an unintended emission of information.

  • What are side-channel attacks and how do they differ from traditional cyber attacks?

    -Side-channel attacks are based on the observation of unintended emissions of information that may be leaked due to the fundamental way a protocol or algorithm is implemented, rather than flaws in the design of the protocol or algorithm itself. Unlike traditional cyber attacks that directly breach systems, side-channel attacks exploit indirect indicators like power consumption or acoustic signatures to infer sensitive information.

  • What are the 'meltdown' and 'Spectre' vulnerabilities and why are they considered severe?

    -Meltdown and Spectre are major flaws in computer chips that could enable hackers to steal sensitive information from nearly every modern computing device and smartphone. They are considered severe because they allow any process running on a computer to have unrestricted access to unauthorized memory, including encryption keys, photos, banking information, etc. These vulnerabilities are particularly dangerous as they do not rely on any fundamental weakness or flaws in code but are inherent to modern CPU microarchitectures.

  • How does speculative execution in CPUs contribute to the Spectre vulnerability?

    -Speculative execution is an optimization technique used in CPUs where the processor guesses the direction of a branch and begins executing instructions ahead of time. If the guess is correct, the execution continues smoothly; if not, the changes are rolled back. Spectre exploits the fact that when the branch predictor makes an incorrect guess, the state of the CPU cache is not reverted, allowing it to infer information from unauthorized memory through timing attacks.

  • What is the difference between 'meltdown' and 'Spectre' in terms of the CPUs they affect and their fixability?

    -Meltdown is a more specific type of attack that only affects Intel CPUs manufactured after 1995, making it somewhat easier to fix by increasing separation between different memory spaces. Spectre, on the other hand, is a class of attacks that affect all modern CPUs across all manufacturers, as it exploits hardware-level features like speculative execution and branch prediction. Because it is a fundamental hardware issue, it is incredibly difficult to patch.

  • How does the video script illustrate the concept of cache memory in computers?

    -The video script explains cache memory as an additional layer of memory that stores a copy of data from the main memory once it is accessed. Accessing the CPU cache is much faster than accessing the main memory, but its capacity is smaller. The script also highlights that the cache is not directly readable by the program, making it transparent to the software being run.

  • What is the role of branch prediction in the Spectre vulnerability?

    -Branch prediction plays a crucial role in the Spectre vulnerability. It is the logic within the CPU that makes an intelligent guess about which way a branch (like an if statement) might go. If the CPU guesses correctly, it can speculatively execute instructions ahead of time, saving processing time. However, if it guesses incorrectly, the data that was speculatively executed might be cached and not rolled back, leading to potential information leaks through Spectre.

  • How does the video script describe the process of extracting data from unauthorized memory using Spectre?

    -The script describes a process where an attacker induces a rollback by training the CPU's branch predictor to make a bad call on purpose. The attacker then brings data from unauthorized memory into a part of the CPU's cache that can be probed. This is done by speculatively executing code that accesses an out-of-bounds index of an array, which would contain the victim's memory data. The data is then indirectly inferred through a timing attack that measures the time it takes to retrieve data from the cache, indicating whether the memory location was a cache hit or miss.

  • What is the significance of the timing attack in the Spectre exploit?

    -The timing attack is significant in the Spectre exploit as it is the method used to indirectly extract data from the CPU cache. By measuring the time it takes to access each element of a capture array, an attacker can deduce which memory locations are in the cache (cache hits are faster) and which are not (cache misses are slower). This allows the attacker to infer the contents of the victim's memory by correlating the timing differences with the data they are trying to extract.

  • How does the video script conclude in terms of learning and advancing in software engineering?

    -The script concludes by encouraging viewers to expand their knowledge and skills in software engineering through practical, hands-on learning experiences. It promotes a video sponsor, codec Crafters, which offers a platform to build real technologies and learn through the process, providing a comprehensive understanding of software engineering concepts.

Outlines

00:00

πŸ•’ Gulf War and the Discovery of the Pizza Index

This paragraph introduces a historical scenario during the Gulf War, highlighting the unique method of predicting military operations through an unexpected data point - late-night pizza orders. It explains how a spike in orders from government offices to Domino's Pizza outlets, owned by Frank Meeks, signaled the onset of Operation Desert Storm. This phenomenon led to the creation of the 'Pizza Index,' a metaphorical indicator of imminent military action based on the correlation between government pizza orders and large-scale operations. The narrative emphasizes the concept of side-channel attacks, where seemingly unrelated data can reveal sensitive information, a theme that sets the stage for the discussion on computer security vulnerabilities that follow.

05:01

πŸ’‘ The Concept of Side-Channel Attacks and the Meltdown and Spectre Vulnerabilities

The second paragraph delves into the world of cybersecurity, focusing on the concept of side-channel attacks. It introduces the audience to the idea that information can be unintentionally leaked due to the way protocols or algorithms are implemented, rather than through flaws in their design. The segment then transitions into discussing the Meltdown and Spectre vulnerabilities, two major flaws in computer chips that pose a significant threat to modern computing devices. These vulnerabilities allow unauthorized access to system memory, potentially exposing sensitive information. The paragraph explains the severity of these issues, the challenges in patching them, and the broad impact they have on tech firms and users worldwide.

10:01

πŸš€ Understanding CPU Cache and the Spectre Vulnerability

This paragraph provides a foundational understanding of computer memory and CPU cache, crucial for grasping the mechanics behind the Spectre vulnerability. It explains the slow nature of main system memory (DRAM) and the introduction of cache memory to speed up data retrieval. The segment then discusses the concept of speculative execution, an optimization technique used by CPUs to predict branch outcomes and improve processing speed. The paragraph highlights the critical flaw exploited by Spectre, where incorrect branch predictions and the rollback process do not revert the state of the CPU cache, potentially leaking data from unauthorized memory locations. The explanation sets the stage for understanding how this vulnerability can be exploited through a timing attack, despite the complexities involved.

15:02

πŸ› οΈ Mitigating the Spectre Vulnerability and the Role of Education in Cybersecurity

The final paragraph discusses the implications of the Spectre vulnerability and the broader impact on computing systems. It explains how the vulnerability allows for data to be read from adjacent memory spaces allocated to different processes, bypassing the intended memory isolation provided by the operating system. The segment then introduces a method to mitigate the vulnerability, involving speculative execution and a timing attack to extract data from the CPU cache. The paragraph concludes with a call to action for learning and advancing skills in software engineering and cybersecurity. It promotes an educational platform, Codec Crafters, as a resource for hands-on learning and emphasizes the importance of continuous learning in the ever-evolving field of technology.

Mindmap

Keywords

πŸ’‘Gulf War

The Gulf War refers to a conflict that started in 1990, where a coalition of forces led by the United States responded to Iraq's invasion of Kuwait. In the context of the video, it is mentioned to set the historical backdrop for the narrative about the use of pizza orders to predict military operations.

πŸ’‘Cyber attack

A cyber attack is any attempt to access, disrupt, or damage a computer system or network without authorization. In the video, it is mentioned as an unsuccessful method to predict military operations, highlighting the resilience of military systems against traditional hacking attempts.

πŸ’‘Operation Desert Storm

Operation Desert Storm is the codename for the aerial bombing campaign led by the United States and its allies during the Gulf War, which began on January 17, 1991. The video uses this historical event to illustrate the concept of the 'pizza index,' a non-traditional method of predicting military actions based on changes in behavior or patterns.

πŸ’‘Side Channel Attack

A side channel attack is a security exploit where an attacker gains information about a system by analyzing its physical implementation rather than its intended logical functioning. In the video, this term is used to describe how unintended emissions of information can be observed and exploited, such as through the 'pizza index' or CPU cache analysis.

πŸ’‘Meltdown and Spectre

Meltdown and Spectre are names given to two major security vulnerabilities discovered in modern computer processors that could potentially allow unauthorized access to sensitive information. These vulnerabilities exploit the speculative execution and branch prediction features of CPUs, which are fundamental to their operation.

πŸ’‘Speculative Execution

Speculative execution is a technique used by modern CPUs to improve performance by executing instructions ahead of time based on predictions about the program's future behavior. If the prediction is correct, the execution can continue without delay; if not, the work is discarded. The video explains that Spectre exploits this feature by inducing incorrect predictions and using the CPU cache to leak information.

πŸ’‘Branch Prediction

Branch prediction is a technique used by CPUs to guess which path a branch of code is likely to take, allowing the processor to execute instructions ahead of time and improve performance. The video explains that Spectre vulnerabilities exploit branch prediction by conditioning the predictor to make incorrect guesses, leading to information leaks.

πŸ’‘CPU Cache

The CPU cache is a small, fast memory storage used by the processor to store frequently accessed data temporarily, reducing the need to access slower main memory. In the context of the video, the CPU cache is exploited in Spectre attacks to retain data accessed during speculative execution, which is then extracted through timing attacks.

πŸ’‘Timing Attack

A timing attack is a side-channel attack that analyzes the time taken by an operation to execute in order to deduce information about the system. In the context of the video, timing attacks are used to extract data from the CPU cache by measuring the differences in retrieval times between the cache and main memory.

πŸ’‘Security Patch

A security patch is a piece of software designed to fix vulnerabilities or flaws in a system. In the video, it is mentioned that tech firms are rushing to patch the security holes caused by the Meltdown and Spectre vulnerabilities, highlighting the importance of ongoing updates to protect against such threats.

πŸ’‘Hardware Issue

A hardware issue refers to a problem that originates from the physical components of a device, rather than its software. In the video, the Spectre vulnerability is described as a hardware issue because it is inherent to the microarchitecture of modern CPUs, making it difficult to patch and requiring a fundamental change in CPU hardware to fully resolve.

Highlights

The narrative begins on the night of January 16th, 1991, exactly 5 months and 14 days since the start of the Gulf War.

There is a suspicion that the United States armed forces are planning an aerial bombing campaign against Iraq, but the exact timing is unknown.

Frank Meeks, owner of 43 Domino's pizza outlets, discovers a method to predict military operations based on late-night pizza orders from government offices.

Operation Desert Storm is predicted to commence on January 17th due to a spike in late-night pizza orders, indicating that government officials were planning and staying up all night.

The concept of the 'pizza index' is introduced, which successfully predicted military action ahead of time in many other cases.

The story transitions to a discussion on side-channel attacks, which exploit unintended emissions of information from protocols or algorithms.

An example of a side-channel attack is the analysis of power consumption or extracting fingerprints by listening to the acoustic signatures from swiping on a phone's touchscreen.

Tech firms are rushing to patch a severe security hole affecting billions of computers and smartphones, caused by two major flaws in computer chips called Meltdown and Spectre.

Meltdown and Spectre are considered the worst computer bugs in history, potentially allowing hackers to steal sensitive information from nearly every modern computing device and smartphone.

These vulnerabilities allow any process on a computer to have unrestricted access to unauthorized memory without requiring elevated permissions or malicious installs.

Meltdown is specific to Intel CPUs manufactured after 1995, while Spectre is a more sinister, pervasive issue affecting all modern CPUs across manufacturers.

Spectre exploits hardware-level features like speculative execution and branch prediction, making it incredibly difficult to patch.

The United States Computer Emergency Readiness Team recommends replacing vulnerable CPU hardware to fully remove the Spectre vulnerability.

A foundational understanding of computer memory and CPU functioning is necessary to comprehend the mechanics at the heart of Spectre.

Speculative execution is an optimization technique that allows CPUs to execute instructions ahead of time to save time, but it is central to the Spectre vulnerability.

The flaw in Spectre involves the CPU cache not being reverted after an incorrect guess during branch prediction and speculative execution.

Spectre can induce a rollback by training the CPU's branch predictor to make a bad call on purpose, allowing data leakage from the cache.

The attack involves bringing data from unauthorized memory into a part of the CPU's cache that can be probed, using a timing attack to measure data retrieval times.

Spectre comes in many variations but all rely on getting the CPU to speculatively run code that illegally accesses memory and then exfiltrating the memory using a timing side channel on the CPU cache.

Transcripts

00:00

it's the night of January 16th 1991 it's

00:03

been exactly 5 months and 14 days since

00:05

the start of the Gulf War you suspect

00:07

that the United States armed forces is

00:09

planning an aerial bombing campaign

00:11

against Iraq however you don't know when

00:13

they're going to initiate the operation

00:15

how can you find out the exact date

00:17

you've already tried to hack into

00:18

military systems with every traditional

00:20

Cyber attack in the book but to no avail

00:22

it turns out that there's a method to

00:24

find out without directly breaching

00:26

military systems discovered by Frank

00:28

Meeks owner of 43 Domino's pizza outlets

00:31

in the Washington DC area he knows that

00:33

Operation Desert Storm is going to

00:35

commence tomorrow on January 17th due to

00:38

the spike in late night pizza orders

00:39

from government offices you see the

00:42

night before large military operations

00:44

government officials tend to stay up all

00:46

night planning ordering in copious

00:48

amounts of pizza with Meek stating I

00:50

don't think they're sitting around

00:51

watching Redskins reruns that night

00:54

after 10: p.m. the White House ordered

00:56

55 pizzas relative to their Baseline of

00:58

five over at the Pentagon this number

01:01

surged to 101 pizzas relative to their

01:03

Baseline of three this correlation of

01:05

government pizza orders and imminent

01:07

military action was coined the pizza

01:09

index which also successfully predicted

01:11

military action ahead of time in many

01:13

other cases this is a classic example of

01:16

a side Channel attack with the pizza

01:17

orders acting as the side Channel Side

01:20

Channel attacks are based on the

01:21

observation of unintended emissions of

01:24

information certain information may be

01:26

leaked due to the fundamental way a

01:27

protocol or algorithm is implemented

01:30

rather than flaws in the design of the

01:32

protocol or algorithm itself we're soon

01:34

going to learn that even though a

01:35

program's code may be entirely safe and

01:37

bug-free this doesn't necessarily mean

01:40

that the execution of these programs is

01:42

going to be safe as the CPU could

01:44

inadvertently end up leaking information

01:46

at runtime these side channels are

01:48

everywhere spanning from the analysis of

01:50

power consumption all the way to being

01:52

able to extract your own fingerprints

01:54

just by listening to the acoustic

01:55

signatures generated by swiping on your

01:57

phone's touchcreen in this video we're

01:59

going to be diving deep covering one of

02:01

the most severe exploits in the history

02:03

of

02:05

computation Tech firms are rushing to

02:07

patch a security hold that is affecting

02:09

billions of computers and smartphones

02:11

it's caused by two major flaws in

02:13

computer chips called meltdown and

02:16

Spectre the defect could enable hackers

02:18

to steal sensitive information from

02:19

nearly every modern Computing device and

02:22

smartphone they're the worst computer

02:24

bugs in history and they could be coming

02:26

for your personal information what if

02:28

there was a way for any process running

02:30

on your entire computer without

02:32

requiring any elevated permissions or

02:34

malicious installs to have free access

02:37

to all of your systems memory both from

02:39

other applications including different

02:41

virtual machines and even from the

02:43

operating system kernel itself this

02:45

means that even the benign client side

02:47

JavaScript running within a browser tab

02:49

could have full access to all of your

02:51

computer's memory being able to recover

02:53

encryption Keys photos banking

02:55

information or anything else present in

02:57

your systems Ram this was the reality in

03:00

early 2018 when two of the most

03:02

dangerous and widespread CPU

03:04

vulnerabilities meltdown and Spectre

03:06

were discovered by researchers at Google

03:08

project zero allowing any process on any

03:11

device unrestricted access to

03:13

unauthorized memory what makes these

03:15

bugs particularly dangerous is that they

03:16

don't behave like any software bug we've

03:18

seen before as they don't rely on

03:20

exploiting any fundamental weakness or

03:22

flaws in any code these vulnerabilities

03:25

are baked into the very essence of

03:27

modern CPU technology attacking

03:29

underlying CPU

03:31

microarchitectures meltdown is a more

03:33

specific type of attack only affecting

03:35

Intel CPUs manufactured after

03:37

1995 this made it somewhat easier to fix

03:40

involving increased separation between

03:42

different memory spaces Spectre on the

03:44

other hand is much more Sinister it is a

03:47

whole class of attacks that take

03:48

advantage of something called

03:49

speculative execution and Branch

03:51

prediction which are Hardware level

03:53

features present on all modern CPUs

03:56

pervasive across all CPU manufacturers

03:58

and architectur

04:00

present in virtually every desktop

04:02

laptop server and smartphone in the

04:04

world because this is not a bug or flaw

04:07

in any software but rather a fundamental

04:09

Hardware issue it's incredibly difficult

04:11

to properly patch it the United States

04:14

computer emergency Readiness team's

04:16

recommendation was to replace your CPU

04:18

stating fully removing the vulnerability

04:21

requires replacing vulnerable CPU

04:23

Hardware in order to understand the

04:25

mechanics at the heart of Spectre we're

04:27

first going to need a foundational

04:28

understanding of how computers work

04:30

specifically their memory what does

04:32

execution on a modern computer look like

04:34

you have the CPU which is responsible

04:36

for processing data and the memory which

04:38

stores data during regular execution the

04:40

CPU will constantly be reading and

04:42

writing data to and from memory it's

04:45

going to be helpful to visualize memory

04:47

as a long sequence of boxes where each

04:49

box contains one bite of information now

04:52

this type of memory is the main system

04:54

memory also known as dam short for

04:56

dynamic Random Access Memory while it is

04:58

relatively large capacity it is very

05:01

slow to read and write from let's say

05:03

your CPU wants to load some data in from

05:05

memory this retrieval process is

05:07

incredibly slow let's say in the order

05:09

of 200 NS every single time you need to

05:12

access something in memory your CPU is

05:14

going to need to wait for the incredibly

05:15

slow main memory to respond with the

05:17

data that it wants it turns out that

05:19

there's additional layers of memory

05:21

called cache memory to make this process

05:23

faster once a particular memory location

05:25

is accessed for the first time the CPU

05:28

is going to store a copy in its cap

05:30

accessing the CPU cache is blazingly

05:32

fast achieving sub Nan speeds however

05:35

its capacity is quite small relative to

05:37

Dam the next time the same memory

05:39

location is accessed the CPU can just

05:41

get the data directly out of its cache

05:44

without needing to wait for a call to

05:45

the main memory something interesting to

05:47

note about the cache is that it's not

05:49

directly readable essentially being

05:51

transparent to the program being ran

05:54

there's no direct way to know if the

05:55

specific bite of memory you're accessing

05:57

is in cash or if it's coming from m main

05:59

memory now the cachee only speeds things

06:02

up for data that has already been

06:04

accessed from the main memory at least

06:05

once before over the regular course of

06:08

execution you're inevitably going to run

06:10

into the fact that your program is going

06:12

to need to read some data from Main

06:13

memory bottlenecking the CPU let's

06:16

visualize this with an example let's say

06:18

we have some variable meem defined in

06:20

memory and only if meem is equal to True

06:23

do we want to execute a bunch of other

06:25

instructions if meem is not already in

06:27

Cache we'll need to load it in for main

06:28

memory taking upwards of 200 NS during

06:32

this memory retrieval process the CPU is

06:34

going to be forced to sit idly by as it

06:36

waits for this slow response from memory

06:38

which is an absurd way to have a CPU

06:40

operate only after the value of mem is

06:43

retrieved from memory can the CPU start

06:45

executing the rest of the instructions

06:47

needless to say it is very inefficient

06:49

to have our CPU idle during the long

06:51

memory lookup process What if after

06:54

starting the retrieval process we could

06:56

get a head start sprinting ahead in

06:58

executing our instruction

07:00

speculatively so that we're already done

07:02

by the time you receive the value of

07:04

meem this is called speculative

07:05

execution which is an optimization

07:07

technique present in virtually every CPU

07:10

since the 1990s and it's actually one of

07:12

the reasons why modern CPUs are so fast

07:15

any time we have a branch such as this

07:17

if statement the CPU has some logic that

07:19

makes an intelligent guess about which

07:21

way the branch might go this is called a

07:23

branch prediction if the CPU thinks that

07:25

it's likely for meem to be equal to true

07:28

it can Sprint ahead and spec

07:29

speculatively execute these instructions

07:31

even before it gets its response from

07:33

memory once the lookup is finally

07:35

complete if we guessed right in meem is

07:38

indeed equal to true we just saved a lot

07:40

of time as our instructions are already

07:42

executed we can keep everything we just

07:44

did which is called a commit and resume

07:47

execution from this point on this sounds

07:49

pretty cool however we obviously need to

07:51

handle the case where we get the guess

07:53

wrong meaning that everything done

07:54

spectively needs to be fully reversible

07:57

if we guessed wrong in M was not equal

07:59

to true we would need to roll back all

08:01

of the changes that were made including

08:03

reverting all of the register values

08:05

which is called a discard here's where

08:07

things start to get interesting let's

08:09

introduce the flaw that Spectre was

08:11

exploiting it turns out that when the

08:13

branch predictor makes an incorrect

08:15

guess and we roll back all of the

08:16

changes that were made during

08:18

speculative execution the state of the

08:20

CPU cache is actually not reverted let's

08:23

make this clear the code being

08:25

spectively executed might have triggered

08:27

some data to be loaded in from Main

08:29

memory resulting in it getting cashed if

08:32

it turns out that we made a bad call and

08:34

everything needs to be rolled back the

08:36

data is actually going to remain within

08:38

the CPU cache even after the roll back

08:41

this is quite serious keeping in mind

08:43

that from the software point of view

08:45

this code was quite literally never

08:46

executed we're soon going to see that

08:48

Spectre can induce one of these roll

08:50

backs by training the cpu's branch

08:52

predictor or officially conditioning it

08:54

to make a bad call on purpose the tricky

08:57

part is going to be extracting this

08:58

information from from the cache as it

09:00

contents are not directly readable

09:02

essentially being transparent since we

09:04

know that the cach responds faster than

09:06

main memory the contents of the Cache

09:08

can be inadvertently leaked with a

09:09

timing attack measuring the amount of

09:11

time it takes to retrieve the data this

09:14

alone seems easy but to be able to do

09:16

this on unauthorized memory is going to

09:18

be quite tricky however we're soon going

09:20

to see an incredibly elegant solution to

09:22

bring data from unauthorized memory into

09:24

a part of the cpu's cache that we can

09:26

probe but I digress let's not get ahead

09:29

of ourselves

09:30

with this we now have all the

09:31

ingredients needed to understand

09:33

Spectre if you've made it this far and

09:36

you're interested in learning new skills

09:37

advancing your career in building a

09:39

comprehensive understanding of software

09:41

engineering Concepts look no further

09:43

than this video sponsor codec Crafters

09:46

with codec Crafters you learn by

09:47

building your own versions of real

09:49

Technologies such as bit torrent Docker

09:51

or even redus each project Dives deep

09:54

into a specific topic starting from

09:56

scratch to final specification in a

09:58

practical Hands-On environment the cool

10:01

thing is that all of these challenges

10:02

are available in a wide variety of

10:04

programming languages meaning that you

10:06

can learn language specific skills or

10:08

new languages entirely in a real world

10:10

environment regardless of what the

10:11

original tool is written in you can get

10:14

started with any setup as you progress

10:16

through the different stages you'll be

10:17

conveniently pushing your code for

10:19

automatic rating the whole time you'll

10:21

have access to hints code examples and

10:24

even screencasts from fellow community

10:25

members if you get stuck in addition to

10:28

this any knowledge apps will be filled

10:30

in along the way as interactive

10:31

tutorials are provided to teach you

10:33

fundamental concepts when needed you can

10:36

get started with code Crafters today by

10:37

clicking the link in the description

10:39

they're offering a free tier and a 40%

10:42

discount on their paid memberships to

10:43

viewers of this channel thanks again to

10:45

codec crafters for supporting the

10:47

channel now let's get back to

10:49

Spectre let's go ahead and set the scene

10:52

starting with our main memory the

10:54

operating system kernel is responsible

10:56

for allocating this memory to different

10:57

applications a simil thing also happens

11:00

in multi-tenanted Cloud environments as

11:02

well with the hypervisor allocating

11:04

memory to different virtual machines

11:06

instead in either case this means that

11:08

there could be adjacent parts of memory

11:10

allocated to a process that we control

11:12

and to a potential victim the operating

11:15

system is supposed to isolate the memory

11:16

spaces between different processes

11:19

ensuring that any given process

11:20

including the JavaScript running within

11:22

your browser can't access another

11:24

process's memory so how do Spectre

11:27

circumvent this enabling us to read data

11:29

from a victim process let's start by

11:32

initializing an array in the part of

11:33

memory that we control we know that we

11:35

can access the elements within our array

11:38

by indexing into whatever position that

11:39

we want to retrieve all this does under

11:41

the hood is some simple pointer

11:43

arithmetic adding together the memory

11:45

location of the start of the array and

11:47

the index in order to find the memory

11:49

location that we want let's suppose that

11:51

the part of victim memory that we're

11:53

trying to read from contains the number

11:54

six but of course our code doesn't know

11:57

this what if we try to index into into a

11:59

position so high that we went out of

12:01

bounds in read from victim memory let's

12:04

call this array of x if you tried to do

12:06

this the operating system is going to

12:08

notice that we're trying to access

12:09

unauthorized memory deeming this an

12:11

illegal operation triggering a fault

12:14

preventing us from accessing the data

12:16

now what if we Instead try to do this

12:18

operation speculatively this is going to

12:20

be interesting so we want to index into

12:23

our array at position X but how can we

12:25

force this operation to be done

12:27

spectively we're going to need to add

12:29

some sort of Branch beforehand let's go

12:31

ahead and add a simple bouns check

12:33

making sure that X is within the bounds

12:35

of the array before proceeding simple

12:38

what we're going to do now is we're

12:39

actually going to train the cpu's branch

12:41

predictor conditioning it to determine

12:43

that it is likely for X to be in bounds

12:46

we can do this by making repeated calls

12:48

to this function handing it values of X

12:50

that are always in bounds if it keeps on

12:53

saying that X tends to be in bounds it

12:55

is going to become conditioned to

12:57

speculatively execute the body of the if

12:59

statement since there's a very high

13:01

chance that the bounce check will pass

13:03

based off its previous interactions

13:05

there's malicious intent here as once

13:07

the CPU has been trained we can hand it

13:09

a value of x that is purposefully out of

13:11

bounds and our CPU will happily Speed

13:14

Ahead speculatively executing the

13:16

instruction so how is this handled the

13:19

CPU is going to index into array of X

13:22

however it won't know that it's out of

13:23

bounds yet if this were to actually be

13:26

ran the colonel would kill the process

13:28

but the specul cative execution engine

13:30

just looks ahead and reads the number

13:32

six from victim memory the operating

13:34

system won't actually check if it's

13:36

accessing an illegal memory location

13:38

until later this is a crucial Nuance to

13:41

understand as a result data from victim

13:44

memory was indeed accessed this is very

13:46

interesting but once the CPU realizes

13:49

that it's gone the wrong way it's going

13:51

to roll back all of the erroneous work

13:53

that it's done even though illegal

13:55

memory has been accessed its contents

13:57

will be forgotten we need to find a way

13:59

to retain it after the roll back if it

14:01

can't be retained then all of this was

14:03

for nothing bear with me on this we're

14:06

actually going to define a second larger

14:08

array to capture this information akin

14:10

to Casting a large net let's modify our

14:13

code slightly to index into capture of

14:15

array of X when array of X is evaluated

14:19

to the number six capture of six is now

14:22

going to be accessed this is the crucial

14:24

part of the attack because we just read

14:27

from the capture array at index X6 this

14:30

memory location is going to be put into

14:32

the cache after the roll back as we now

14:35

know the cach is going to remain intact

14:38

think about that we never directly stole

14:40

the data from victim memory we just

14:42

brought an element of our own array into

14:45

cache at the index number that

14:47

corresponded to the data that we wanted

14:49

to steal it's quite an elegant trick

14:51

don't forget that the cash itself is

14:53

still not accessible to us the last step

14:56

is going to be a timing attack which is

14:58

a specific type type of side Channel

14:59

attack that's going to try and deduce

15:02

the data contained within the cache by

15:03

taking advantage of the timing

15:05

differences between cash in main memory

15:08

we can go ahead and access each and

15:10

every element of our capture array

15:12

timing how long it takes to retrieve

15:14

each element we're going to get a

15:16

sequence of slow 200 nond cache misses

15:20

until finally we get a near instant

15:22

cache hit since we found our cache hit

15:25

on array element 6 we know that the data

15:28

contained within the victim memory was

15:29

the number six it's quite a beautiful

15:32

attack Spectre comes in many different

15:34

variations what I just outlined was a

15:37

highly simplified version of Spectre

15:39

variant 1 although they all rely on the

15:41

same idea getting the CPU to spectively

15:43

run some code that illegally accesses

15:46

memory and then exfiltrating said memory

15:48

using a timing side channel on the CPU

15:51

cache if you're interested in more

15:52

vulnerability breakdowns check out these

15:54

videos and subscribe to the channel for

15:56

more content thanks for watching

Rate This
β˜…
β˜…
β˜…
β˜…
β˜…

5.0 / 5 (0 votes)

Related Tags
CybersecuritySide-Channel AttacksSpectre VulnerabilityMeltdown FlawTech HistoryFrank MeeksPizza IndexIntel CPUsData LeakageSpeculative ExecutionBranch PredictionCache MemoryTiming AttacksSoftware EngineeringSecurity PatchesGoogle Project ZeroVulnerability ExploitsComputer HardwareInformation Security