Meltdown and Spectre Hacks Explained

It has been a heck of a week for the Intel Company. They have taken a beating over the past several days with regards to an issue exposed in the firmware that powers their processor chipsets. If you haven’t heard about this already, here is the short of it. Intel was contacted by several security research teams. All of which found a type of architectural deficiency that could be exploited to gain access to personal data at the processor level. When boiled down, the research teams involved found a total of two exploits. These two exploits could open up your personal data to applications and processes that do not have permission to do so. The exploits have become to be known as “Spectre” and “Meltdown.” Did I mention that these have been around for the past 20 years? The rest of this article is geared to provide a simple explanation of each of these exploits and how they work.

The “Meltdown” Exploit Explained

The term “meltdown” describes a type of exploit that attacks a vulnerability in a performance feature that is built into the architecture of all modern Intel processors. The purpose of this feature is to provide an additional boost in CPU performance. It does so in two parts. One, by providing a way to share data across all processing threads. And two, by predicting and executing instructions before they are needed. The gain in CPU performance comes from the fact that the processor doesn’t have to maintain separate data for each process it is running and it can run more processes in parallel by using the executed instructions it predicted correctly. So far, none of this describes the actual vulnerability, in the architecture, hackers could exploit. In fact, there are security checkpoints in place anytime a user process tries to access the shared data pool. If a process does not have meet the criteria to access the data it is trying to access, then it will not be aloud to. Except in the case of running the predicted instructions, in a process called speculative execution.

Speculative execution is a part of the architecture of the processor that tries to predict what your next executable instruction will be and then executes it. The security exploit exists in how this is accomplished. The proper mechanisms are in place for blocking a user process from reading the shared data during its execution. However, at certain points in the process of a speculative execution, the security checkpoints are dropped and user processes may access all data within the shared data pool. The key to this exploit, is to infer when those gates are down and your process may have free access to the shared data pool. The status of the gates being opened are indirectly tied to the status of speculative execution. A hacker can use these statuses to determine the states of the gate and when their process is free to attack the shared data pool.

The “Spectre” Exploit Explained

The term “spectre” describes a type of exploit that attacks a vulnerability in a performance feature that is built into the architecture a number of processors manufactured by Intel, AMD, and ARM. This feature, called branch prediction, provides a boost in CPU performance by predicting the branch of logic a particular instruction will take. The architecture of this branch prediction is designed in a way that all processes share the same prediction outcome. Meaning that there is no distinction between processes. So in effect, what happens is that multiple applications, running on different processes, share the same logic branch predictions probabilistic outcome.

This design, where all processes share the same branch prediction probabilistic outcome, is where the vulnerability exists. A hacker could implement a process that would “train” the branch prediction algorithm to effectively control a processes’ speculative execution. Forcing the attached process to leak data into the shared data pool.

Author: Joshua Johnson

My name is Joshua Johnson and I am the founder of UA1 Labs. I am passionate about helping other developers to become successful in their paths. When I started developing software, I didn't have many resources to help me out. UA1 Labs is my way of giving back to all those who helped me.

Leave a Reply

Your email address will not be published. Required fields are marked *