Demystifying Meltdown & Spectre
Attempting to break down the two biggest security flaws the world has ever seen.
📅️February 16, 2018
📖8 min read ∙ 1617 words
📅️February 16, 2018
📖8 min read ∙ 1617 words
I created this presentation as part of a DocuSign developer evangelist interview.
More context can be found here.
As a developer evangelist, you will often be called upon to speak at a variety of events from hackathons to meetups to company all-hands calls to large conferences.
An invaluable skill in the evangelist’s toolbox is the ability to quickly learn a technical topic and then teach/explain it to audiences of varying technical expertise.
Security researchers recently found and disclosed details about a chip flaw present in most modern CPUs.
Explain Meltdown and Spectre: what are they, how are they different, how do they work, and why are they scary?
You can choose any format you’d like: PowerPoint deck, rap lyrics, whiteboard coding, no slides whatsoever, it’s completely up to you.
A stellar presentation will address the widest possible audience: everyone from a non-technical salesperson or your grandmother to a senior engineering director or CTO.
I had less about two days to come up with a 20-minute presentation that breaks down Meltdown & Spectre so I’m open to any feedback if you notice something off. 😊
Originally presented Friday, February 16th, 2018. As a developer evangelist, you will often be called upon to speak at a variety of events from hackathons to m…
Hey everyone! So I was tasked with “demystifying Meltdown & Spectre” for you all.
Ideally, by the end of this presentation, you’ll have a better high-level understanding of how they both work.
We’ll be first providing some context into Meltdown & Spectre, deep diving into the mechanisms, how they compare, existing solutions and why everyone freaked out in the first place.
So as you know the two players in questions are Meltdown and Spectre.
These are probably some of the best logos I’ve seen that are associated with what are probably the worst computer vulnerabilities to ever be discovered since they pretty much affect everyone around the world.
Okay, so having said that, Meltdown and Spectre are the names given to CPU flaws that affect nearly every computer chip manufactured within the last 22 years.
The CPU is the hardware in charge of executing all the programs on our devices.
The CPU meaning the “central processing unit” of a machine or otherwise known as “the brain” of the machine.
The researchers behind the project who came from Google Project Zero and universities like the Graz University of Technology actually knew of the bugs since last summer but were actually not supposed to be leaked to the public until January 9th of this year.
So from around July 2017 to January 2018, the bugs were supposed to be kept top secret so that companies could have time to create and release patches to mitigate the issues.
However, a British tech news site called The Register eventually leaked it a few days before in the first week of January…
…and media outlets went into frenzy mode but more on that later.
So going in for deep dive, let’s explore how Meltdown works first.
Meltdown affects Intel processors and basically melts security boundaries which are normally enforced by the hardware.
It does this by breaking down the mechanism that keeps applications from accessing memory.
Let me provide an analogy.
Let’s say you’re trying to rob a bank vault where inside there is a piece of paper with the bank manager’s password in it.
The bank vault has a lot of security and is heavily guarded so it seems pretty well protected.
…But that bank is about to experience a Meltdown.
Being the mastermind you are, you lead a group of robbers to help carry out an attack.
You have an unlimited supply of robbers so you sort of brute force it and sends an agent in to try and get in without getting caught.
Each of your agents wears a microphone so you can hear them at all times.
Since there’s an unlimited number of agents so you just keep trying until one succeeds.
Finally, an agent gets into the vault and is able to look at the piece of paper with the password on it.
They whisper the password into the microphone just before the guard shoots them down.
Now you know the password and can use it as needed to gain access to private accounts.
That’s how meltdown works on a computer or device.
The attacker has code that looks at the memory that should be restricted.
The computer processor throws an exception and the CPU cleans everything up, erasing any evidence of the crime.
But the attacks keep coming, and while the CPU is doing cleanup, it’s also executing other code out of order.
This is what leaks the password.
The out of order code is what transmits the restricted information while the CPU is busy.
Okay, so that seems pretty horrendous. But it gets worse.
But before we get into Spectre, we have to first understand Speculative Execution.
Think of your computer as a restaurant called the speculation diner.
This diner specializes in speculating which basically means forming a theory without concrete evidence.
So at this diner, there is a customer that comes in every day at breakfast and orders the same thing - eggs & bacon.
Eventually, the cook sees this pattern and starts making the order ahead of time.
It’s more efficient and breakfast is ready the minute the customer comes in so they’re very happy.
However, one day the customer decides not to order eggs and bacon and instead decides to try pancakes.
The chef is fine with this and just throws away the previously prepared food into the trash.
And the cook prepares the pancakes instead. No biggie.
So that whole process is what modern CPU chips take advantage of.
Programs are prepped to execute but if they don’t actually end up being needed, they are stored in an unsecured area called cache memory.
Because the programs are prepped to execute, they run a lot faster.
Just like the customers who get their orders faster, programs are able to run faster and speed performance is great.
And much like the Space Race from the 20th century, chip makers for the last two decades have been competing fiercely to provide the fastest processor.
Modern chip makers like Intel and AMD have been racing for the last two decades to provide the fastest processors which is why the speculative execution was so useful.
So Spectre is more dangerous because it is more crafty. Spectre gets its name from the root cause, which is called “Speculative Execution” which I described earlier.
Spectre works by exploiting those speculations —mistraining the processor to make it predict wrongly and execute. So in essence, Spectre works by tricking programs into leaking their secrets
As it is not easy to fix, it will haunt us for quite some time.
Hence, the ghostie.
If we consider a program “If A is true, then compute function X; if A is false, then compute function Y”, the chip can start computing both functions X and Y in parallel before it even knows whether A is true or false.
Once it knows whether A is true or false, it already has a head start on what comes after, which speeds up processing overall.
So going back to that restaurant analogy - programs that were prepped but not actually executed end up in an unsecured area of the computer called cache memory where unauthorizes users can access it through a side channel.
If we wanted to compare the two, we can see that both Meltdown and Spectre allow low-privilege users who execute code on your system to read sensitive information from memory via Speculative Execution.
The difference is that Meltdown takes advantage of a specific Intel privilege escalation issue to do this, while Spectre uses the combination of Speculative Execution and Branch Prediction.
Both issues can be addressed with software patches, but this is more effective for Meltdown than Spectre.
Regardless, the end results are the same - compromised data.
Although there are existing remedies, they have been proven to result in the computer running slower.
And at the end of the day, the flaw is hardware-based, not software-based so a simple software update isn’t going to solve the real issue.
And the only way to fix a hardware flaw is to
So why did everyone freak out?
Well, for one, the verbiage on the official website was pretty frightening.
“Am I affected by the vulnerability?”
Most certainly, yes.
So nonchalant but intense at the same time. Yikes!
And as mentioned before, this is a hardware flaw and the only way to remedy a hardware flaw completely is to replace the hardware.
What I actually found most troubling personally is that the folks behind these chips decided to prioritize speed over security or money over the safety of their products.
Also just this week, there were new exploits called MeltdownPrime and SpectrePrime found that are just new ways to abuse the flaw but no worries, the patches out there fix these too.
If we think about the future and how quantum computing is the next big thing, it’s disturbing to think about the potential consequences the next great hardware flaws could cause.
One can only hope there are more ethical guidelines put in place.
But until then, patch away!