Best Analogy I've seen is as follows: "Imagine that you (i.e. a malicious process) want to know whether someone (i.e. a victim process) has checked out a particular library book. The library (i.e. the CPU) refuses to give you access to their records and does not keep a slip inside the front cover. You can only see the record of which books you have checked out. What you do is follow the person of interest into the library whenever they return a book. You then ask the librarian for a copy of the books you want to know whether the person has checked out. If the librarian looks down and says "You are in luck, I have a copy right here!" then you know the person had checked out that book. If the librarian has to go look in the stacks and comes back 5 minutes later with the book, you know that the person didn't check out that book (this time). The way to make the library secure against this kind of attack is to require that all books be reshelved before they can be lent out again, unless the current borrower is requesting an extension. There are many other ways to use the behavior of the librarian and the time it takes to retrieve a book to figure out which books a person is reading." Not mine, don't know original source.

Thanks for getting a video out on this so quickly and pretending not to panic for the camera. Can we see the cut shots where Dr Bagley is shouting "WE'RE ALL DOOMED" and Brady is talking him down from the window ledge.

This is the best analogy I could come up with for how Spectre works: Imagine you want to know the genre of book a particular person has checked out of the library. However, the library has strict privacy policies, and refuses to give you access to their records, only your own. What you do is reserve a book from every genre that the library carries, and then ask the librarian for the book you reserved of the same genre as the victim's book. The librarian, to save time, immediately begins fulfilling this request, even bringing said book up to the front desk, before finally realizing that the request itself breaches library privacy, and so refuses to return the book to you. Seems like you're out of luck, you don't know the genre of your reserved book behind the desk, so you haven't learned the genre of the victim's book. However, you now begin to request from the librarian every book you reserved one by one. Since these reserved books are properly a part of your records, the librarian happily obliges. For each book you note the librarian takes time to retrieve the book from inside the library, until one suspicious book is requested, which the librarian immediately hands you from behind the desk. That one suspicious book of course is the book requested from earlier, so with it identified and in your possession, you have successfully learned the genre of your victim's book. Now imagine repeating this process multiple times on the same victim using other qualities besides genre: like author, publisher, and so on. Each quality you learn about your victim's book allows you narrow down to the particular book your victim has checked out. Eventually, you will know for certain the identity of your victim's book, all by exploiting your hard working and naive librarian.

The real scandal is that Intel was notified about this over 6 months ago and their CEO dumped millions in stock before announcing this exploit.

Summary of the exploit: "Cache me outside... how bout dat?"

It looks like AMD hardware is only vulnerable to one of the three variants: the bounds check bypass. Some reports argue that this could be fixed by allowing the OS and the application code to disable speculative execution in certain circumstances. As I understand it the boundary check bypass only allows to exfiltrate data from the same process with the branch target injection being able to reach another process and the meltdown making vulnerable even the kernel. Intel and ARM hardware are afflicted by all three.

I knew you’d post a video about it quickly! This is why I’m a happy subscriber

So this is extremely low-level and thus hard for my high-level programmer brain to fully grasp, but let me see if I got this straight: if the bounds of a loop are stored in memory, the CPU will try to optimize by running the code in the loop first while waiting for the bounds to be retrieved; if the bounds turn out to be such that the loop shouldn't have been run, the result of the code is discarded. But when a value is taken from memory and used as an array index, those values are cached to speed up future reads, and the cache is not cleared during that "memory undo" process. So if you try to access a memory location you shouldn't be able to inside a loop that "technically" terminates before that point, the access will still happen. And if you use that value as the index of an array you do have access to, it will be cached. At that point, the indexes of your valid array which are cached represent the values of the bytes you tried to access (the iterations of the loop beyond the slow-to-retrieve maximum bounds), so by timing how long it takes to retrieve those array entries, you can determine the values of the unauthorized bytes by interpreting the indexes of the fastest-loading array entries. Is that correct?

replace cpu? with what, a rock?

What infuriates me is that the majority of the headlines are about the slowdown, and not about the vulnerability itself -.-

Finally someone with knowledge of computer engineering addresses the issue and also points that Meltdown affects Intel specifically.

"Replace CPU hardware" *Straight face* Laughed out loud

That was fast, I thought it would take you a week or so to discuss it.

Interesting to note that all Raspberry Pi versions are invulnerable because their ARM chips either don't implement speculative branch evaluation (just branch prediction) or they don't implement it in a way that leaves traces in the cache.

It would be awsome if you could make more in depth videos, not only on this topic, maybe including the code explanation

James Bond asks his mate "Mr CPU" to go wait for him at a bar. The Criminal Mastermind named "Meltdown" goes into the bar and says "I have a drink for Mr Bond here, anyone want it?" All in the bar take a while, looking around and asking "are you James Bond?", but Mr CPU instantly answers "No, he is not here", then James bond walks in...

Literally checked this channel for this last night! You guys are awesome! Keep up the great work!

Wait! Are you saying my 486DX is unaffected by this? PHEW! And there I was, thinking I would need to upgrade my CPU.

Somehow Scott Manley, the guy who plays Kerbal Space Program, had a much clearer and more detailed explanation that the Computerphile channel.

Fantastic job explaining these exploits! Probably the cleanest and to-the-point description I've seen on KZfaq so far. You know you're doing good when your viewers can use you as a security news source. 😉

6:55 is when any details Beyond a typical layperson news article start

"Meltdown" (aka "Variant 3") is an Intel issue. Yes, Intel very much wants to confuse the matter, but make no mistake, that's their fuckup. (**see comments)

"Replace CPU-" *quickly pauses, heart sinks, sense of impending doom looms over me* Please god no...

What I find surprising about this is that it took this long to discover this flaw. I don’t know much programming, though I do know some, and even less about implementations details and hacks like this. But even I know that CPUs have implemented speculative execution for a long time now. The methods described here seem to me pretty amazingly simple. It surprises me that no one thought of trying to exploit this before now!

Finally, a tech channel for serious IT people! This is my new goto source for serious vulnerbilities and game-changing tech.

After the end of Moore's Law, it turns out there's no such thing as a free lunch.

The worst part about all of this is it took independent researchers to find this just by chance. Various security agencies have well-funded branches that find bugs like this regularly around the clock all day every day of the year from full hardware exploits to firmware exploits to OS exploits. Hardware ones are less frequent, but still happen especially against embedded devices that don't change regularly. Some older devices are still connected to the internet as well, which is much worse. That includes some hardware that literally controls the backbone of the internet in some regions, some is still ancient and still used simply because it is reliable and If It Works Don't Fix It. (same reason we are still stuck with IPv4!) It's also a hard job to deal with in space hardware because it's feature-progression is considerably slower than main-line hardware. Biggest reason being the new hotness in CPU hardware generally leads to literal hotness in that they run hotter. Much much hotter. (especially branch prediction, which is the parent architectural fault involved in both of these bugs) This is very bad for space because it is stupidly hard to cool things there due to the lack of medium to move the heat in to because space is inert. Only way to get heat away is radiative, which is extremely slow. So you end up needing these complex cryo-cooling systems in CPU-heavy satellites, which limits their maximum operation time quite considerably and increases complexity. (and potential for failure) So this can lead to issues with space hardware if any bugs are found in them as well. All it could take is one hardware exploit to kill the GPS framework and bring modern globalized society to a standstill. (and the smartphone generation) Given how much money gets pumped in to exploitation branches of security agencies, they likely already know a few that could cripple society-wide services. Sometimes if they are really severe, they even announce them. However relationships in the security industry are broken over the whole blanket-spying stuff done by Five Eyes and the like. Many people are taking advantage of it by leaving security agencies and forming their own companies to make some cash. NSA lost loads of people.

Great video. Can always count on Computerphile to provide a detailed yet concise explanation which is easy to understand

This glosses over the most interesting part. :) The covert channel is timing how long it takes to read something, which is affected by what is in cache. Speculative execution can change what is cached and so allows the covert channel to exist, in combination with branch prediction making the wrong prediction. The branch prediction can be trained in a few ways, one of which involves the realization that the branching decision is remembered not by instruction location but by only some low bits of the branching instruction. The neat part is that the speculative execution can include a second lookup based on the first value fetched. Multiplication by the cache line size (the size of the chunk of memory that will be read when it is loaded in to cache), and then using that as a second lookup offset, fetches a unique cache line for each original value. This is the trick that allows the original data to be read (by then timing the reads of each possible offset).

Yeah just let me crack open my iMac and replace the CPU that should be pretty easy

Best computer science channel on KZfaq! 🤓👍

4:48 Dr Bagley is creating an 'off by one' error. In most languages that array would contain 17 items, not 16. Thanks for the buffer overflow, dr Heartbleed.

KZfaq thought I was going to watch this video, but I looked at how long it was and decided not to. Instead, I watched a Numberphile video really carefully, and now I know everything that's said in this video. I don't think that's supposed to happen.

Great explanation, thanks!

The title needs to be better. Before I knew what spectre & meltdown were I had no desire to watch this video. Then I watched The WAN Show and now I want to.

As bad as this exploit is, i'm not too worried. As far as the regular folks are concerned, I find it far more likely that they are going to have random other software related exploits whether it be trojan's, keyloggers, phising scams. Plenty of other things for them to fall for, rather than getting a more complicated program on their computer which does this slow data extraction which may or may not be useful, given that the implementer has to know what they are looking for before they can even make use of data. This issue should likely be quite simple to fix for Javascript/code from the web, as the code is compiled by the browser, you could just alter the JS compilation/VM process to break any cache coherence thus resulting in speculative execution not working for higher level code.

Best under fiveteen minutes video on that topic i have seen do far

It's not easy to explain such a thing without going into details too deeply, yet staying meaningful. I think made a great job, as always, here in computerphile. (The cache access time could have been a bit more emphasized, though.) But PLEASE, PLEASE USE A TRIPOD! It would be such a quality leap for these videos!

I like how; while under development, the patch that was applied by Linux devs was given the name "Forcefully Unmap Complete Kernel With Interrupt Trampolines", it was changed for the actual release of the patch because of the same reason as why I like the name... spell out the first letter of each word xD

I understand how you can read the prefetched piece of memory that exceeds the array size check, but a prefetcher doesn't prefetch the entire memory. How is it that you can read everything instead of just the first bits after the end of your own program space?

I cant think of anything I wouldnt rather do instead of computer security. What a nightmare ... constantly a new battle you will inevitably lose

And to make it clear, the Meltdown bug, which has the highest likelihood of speed degradation, does not effect AMD CPUs.

2:14 as i understand it the original google engineer had POC working in javascript the first day and was listing his https tabs open in firefox... best estimates are it can get out about 1k bits per second

Always look forward to watching Computerfile's break down of the newest and greatest security vunribility. Another great video guys! PS: from what I have gathered, it's a vunribility where all the correct things have to be under the exact right circumstances for it to occur. I have yet to see any real real-world examples or instances where this attack has or can be used besides some whitepaper's example code. In other words, I'm not phased by this nor do I care about the risks it brings.

Reminds me of that Computerphile video about the exploit of cache memory byway of specific SQL queries.

I enjoy videos where 200 nanoseconds is 'a reasonably long time'

spectre would work (almost) everywhere 1. cache hit / cache miss 2. row hit / row miss those who have seen specific video about it and know about it from beginning know what I refer to, others should be better off not knowing.

I seen this coming from the moment I began experimenting with parallel programming techniques. Having developed a lot of creative uses of Semaphores to get around the pitfalls of out of order execution, I will be incredibly happy when we start to see processors that don't pretend to know better than the programmer what order their instructions should be executed. I should never have to suspect memory barriers I drop into my code aren't actually doing anything but you would be surprised just how often modern processors completely ignore their presence.

Good high-level explanation, I encourage people interested to read the papers published and do some research about branch prediction. For starters, Tomasulo's algorithm was one of the first OOO execution designs that many processors are still based off of. It's old, so it's easier to comprehend then today's massively complicated schemes, but will still give you a taste of what happens at the h/w level.

Expected a deeper explanation, considering this is computerphile

It has been over three years now, do you know which, if any CPUs have "fixed" this problem?

All your systems are belong to us.

Wow. There's something like 20 years worth of processors which are vulnerable to this family of exploits. Wasn't the Pentium Pro Intel's first out-of-order processor? That came out in the mid-to-late 1990s, so we're in pretty hot water with this lot.

Would you be able to get information from another virtual server if they both lived on the same host?

I'm glad someone finally addressed this.

Steve Bagley Thumbs up for mentioning the BSDs. Their developers haven't been a part of the embargoed information, even though they run a pretty significant part of the Internet's backends...

So, the way to solve this would be to throw out cache lines that were read in by speculatively executed code, right? Does the branch predictor set any flags that could be used as a trigger for an interrupt handling such a thing? So long as you are not using a real-time operating system the slight delay should be virtually undetectable. If the CPU had to be redesigned, the branch predictor may simply need his own dedicated cache lines for backup storage.

too lazy to do my own research on this topic, since I know computerphile will do a better job. Finally it is here, and im not disappointed

Raspberry Pi's blog did an awesome job explaining this. (Mainly because they actually showed (pseudo-)code)

I followed everything up to getting the data out of the cache... How do you get the data once it is in the cache? It could be anywhere in the cache especially once you go far beyond the array end. Even if you knew the exact cache line, how would you retrieve it in user mode anyway?

the one thing i dont really get is, why it is an hardware issue. I mean how can speculative branch evaluation, or rather the logic behind it be implemented in hardware. Or is it?

Bring Dr Pound. He explains things in a much better manner. Easy to follow along.

Hello from July 2024. Processors have been getting their low-level ***es kicked this year. This video regularly remains relevant.

From the "Cloud Perspective", the dom0 (hypervisor), could squash these instruction set requests from domX to prevent flaws... just a thought.

Very informative and technical. Just what the doctor ordered. 10/10

Surely it shouldn't execute a copy from array1 to array2 unless the instruction was from the same program?

Excellent video. Very informative and interesting. I just knew Computerphile would cover this.

Could we get the source code for that program that exploits itself? I’m really interested to see how it works myself.

Is the out of order execution order determined by hardware? It sounds like a software kind of thing to calculate that. And if that is solved then the security checks will be done in time.

Who is going to make the replacement CPU, where do I request one and who will pay for the cost of the replacement?

Anyone have a link to the code Steve is walking through?

There has been talk about this for some time (for years), so I'm not sure why this is suddenly seen as a huge problem now. Though I gather nobody knew exactly how to exploit this vulnerability before, and that someone finally decided to make a proof-of-concept.

Is there a way to disable the cache entirely in modern CPUs? Perhaps from the BIOS? That might be a temporary fix, despite the massive slowdown it may cause

I wonder if they will revise the old hardware, so people who buy new cpus can be safe from this bug. I want to upgrade, but now i don't know which CPU to buy. ugh.

so how would this impact major security like fb1 and C1A.....??

We should have correctness higher than performance in our requirments .. but i guess we would still be stuck with single core in this case given how hard it is to mitigate covert channels ..

Timely

Could older CPU technology be (more) advantageous when dealing with this "threat", or is it a generation gap exploit?

This is one of those things where you read about it and it seems like such a glaring security problem. how many people read about out of order execution and never connected the dots like this. this one really sucks ass because the temporary fix is basically going to be to remove some level of optimization

I think it's worth emphasising that Meltdown is specific to Intel's architecture*. The ability to execute code before the security check is a huge deal and I don;t think its fair to tar AMD, ARM etc. with that brush. Meltdown is caused by a broken security model whereas Spectre is a consequence of out-of-order designs. (* potentially Apple's custom ARM cores too)

Cool, this is from the university of Nottingham, same place that makes those awesome Periodic Videos about chemistry and elements!

Love the shirt

I can see how speculative evaluation can get the data to cache, but how does the data in the cache get ex-filtrated?

So, I subscribe to computerphile so I won't be talked down to; but I still get the low-level explanation. Can you guys put an 'advanced course' onKZfaq so I can get deep information from you?

By causing a failed speculative branch to access a privileged address beyond the end of an array, the cache is populated by values that should not be available to the execution context. These values can be accessed immediately after the failed speculative portion of the branch causes the cache to get populated. The failed speculation does not cause the cache line to become invalid, or to be marked as privileged. A subsequent access to the privileged address returns cached data that does not have a privilege flag because it was first accessed via a failed speculation. By measuring how long the loop iteration took, the presence of this privileged data that has not been tagged properly can be determined, thus avoiding a privilege violation for accessing it.

10:15 So does "array 1 [x]" gets stored in cache or "array 2 [array 1 [x] * 512]"?

I was hoping you would make a video on this!

Also, where is the stock-pile they pull from w/ the old printer paper, haha?! Love it.

I guarantee that the CIA knew how to do this for years and sat on it for their own interest.

Everyone is forgetting one vital thing: Your home computer is not important enough to be hacked with this kind of vulnerability. Auto updates off. No worries.

Do you mean the hardware architecture of the MPU? or the microcode? ...or both?

speculative evaluation computation, is it kinda like preload on old ubuntu 12?

So does speculative evaluation just have to go away? Is this a fundamental problem with the idea of speculative evaluation or a specific implementation of it? Sucks if a whole idea for fast computing has to go away. :-(

I appreciate the timely explanation, but I think this video could have benefited from some more graphics. I personally found myself struggling to grasp some parts of this video.

Nice explanation thx PS Not related to this video but was a bit disappointed you didn't cover the root bug on mac os a month or so ago :) Where you could go to settings and use root as a user name on the password prompt

The problem is in the MOB. Those guys never knew what was goin on until it was too late.

A big thumbs up! BTW, could you please add subtitle functionality in the videos?

The science behind the exploits is very interesting.

Super fast :) Most media is not ready yet to explain it well.

So the malicious program can tell if a region of memory has been accessed? How would said program actually get said data? Trying to directly read said data would get blocked by the MMU because the program isn't privileged, wouldn't it?