When you Accidentally Compromise every CPU on Earth
Рет қаралды 692,689
Күн бұрынTry CodeCrafters today with 40% off! 👉 app.codecrafters.io/join?via=...
In this video, we take a deep dive into Spectre and Meltdown, two of the most dangerous and widespread transient execution CPU vulnerabilities, discovered by researchers at Google Project Zero. These vulnerabilities allow a rogue process to read from unauthorized memory on nearly every device in the world. What makes these bugs particularly dangerous is that they don't behave like any software bug we've seen before, as they don't rely on exploiting any fundamental weakness or flaws in any code. These vulnerabilities are baked into the very essence of modern CPU technology, attacking underlying CPU micro-architectures.
JOIN THE DISCORD! 👉 / discord
0:00 - Pizza Index
1:15 - Side Channels
2:05 - Spectre Overview
7:04 - Speculative Execution
10:50 - Exploit
Official Source:
meltdownattack.com/
Official CERT report:
web.archive.org/web/201801040...
Pizza meter:
en.wikipedia.org/wiki/The_Piz...
Google Project Zero blog post:
googleprojectzero.blogspot.co...
A few additional videos that helped me:
• Spectre and Meltdown a... (special thanks to Ymir Vigfusson's awesome video! This video was an inspiration to me, and one of the best spectre explanations on KZfaq)
• Spectre & Meltdown - C...
• Black Hat USA 2018 - M...
• Explaining the Spectre...
• Meltdown And Spectre
MUSIC CREDITS:
LEMMiNO - Cipher
• LEMMiNO - Cipher (BGM)
CC BY-SA 4.0
LEMMiNO - Firecracker
• LEMMiNO - Firecracker ...
CC BY-SA 4.0
LEMMiNO - Nocturnal
• LEMMiNO - Nocturnal (BGM)
CC BY-SA 4.0
LEMMiNO - Siberian
• LEMMiNO - Siberian (BGM)
CC BY-SA 4.0
LEMMiNO - Encounters
• LEMMiNO - Encounters (...
CC BY-SA 4.0
#programming #software #softwareengineering #computerscience #code #programminglanguage #softwaredevelopment #hacking #hack #cybersecurity #exploit #tracking #softwareengineer #vulnerability #pentesting #privacy #spyware #malware #cyber #cyberattack #ethicalhacking #encoding #lowlevelsecurity #zeroday #security #cybersecurity #breaches #databreaches #bug #bugbounty #pentesting #penetrationtesting #backdoor #javascript #hacked #spectre #CPU #intel #AMD #meltdown #assembly #ARM #semiconductor #computerengineering#cybersecurity programming #software #softwareengineering #computerscience #code #programminglanguage #softwaredevelopment #hacking #hack #cybersecurity #exploit #tracking #softwareengineer #vulnerability #pentesting #privacy #spyware #malware #cyber #cyberattack #ethicalhacking #encoding #lowlevelsecurity #zeroday #security #cybersecurity #breaches #databreaches #bug #bugbounty #pentesting #penetrationtesting #backdoor #javascript #hacked #spectre #CPU #intel #AMD #meltdown #assembly #ARM #semiconductor #computerengineering
@DanielBoctor 2 ай бұрын
THANKS FOR WATCHING ❤ Try CodeCrafters today with 40% off! 👉 app.codecrafters.io/join?via=daniel-boctor JOIN THE DISCORD! 👉 discord.gg/WYqqp7DXbm **UPDATE** A few commenters have been asking if spectre was ever used in any real attacks. To my knowledge, the answer is no. Using spectre to pull something off in the real world is incredibly complex and difficult. Kaspersky has a great article outlining the theoretical impacts the bugs could have: www.kaspersky.com/blog/spectre-meltdown-in-practice/43525/ **UPDATE v2** At 12:07, I said that the operating system would notice when trying to access out of bounds data. A few commenters have pointed out that it's the MMU (hardware level) that would raise a fault in response to access violations, not the OS. The OS gets notified afterwards. My apologies for the mistake. Thanks to those who pointed it out! **UPDATE v3** A few people were interested in the audio side channel for fingerprint reconstruction. I'm no expert, but I'll link the source in case any of y'all wanted to take a further look. here's an article that discusses it: www.tomshardware.com/tech-industry/cyber-security/your-fingerprints-can-be-recreated-from-the-sounds-made-when-you-swipe-on-a-touchscreen-researchers-new-side-channel-attack-can-reproduce-partial-fingerprints-to-enable-attacks and here's the underlying paper: www.ndss-symposium.org/wp-content/uploads/2024-618-paper.pdf 👇 Let me know what topics you would like to see next! 👇 Thank you for all of the support, I love all of you
@BillAnt 2 ай бұрын
The Doctor Boctor has done it again. :) Thank you for this great video showing the concepts of these vulnerabilities in an easily understandable format.
@angeltensey 2 ай бұрын
meltdown and spectre are essentially ways to gaslight your computer.
@jasonkhanlar9520 2 ай бұрын
2:30 "process" is mispronunced. maybe human maybe not human generated voice using human live sampling, not sure, either way, the pronunciation is wrong, whether intentional or unintentional
@SailorRob 2 ай бұрын
@@jasonkhanlar9520, it's his real voice, and his accent is common to certain parts of the US and Canada. Separately, I was going to comment that I enjoyed the pace and format of his narration: 1. It's to the point. 2. Quickly gives the relevant information. 3. Clearly said and easy to understand. Despite the northern accent, he gets high marks from me for efficiency.
@simonj.k.pedersen81 2 ай бұрын
Great explanation
@SambinoDev 2 ай бұрын
30 seconds in I thought Frank from Domino's was going to be the one responsible for compromising 80 billion CPUs
@akk2766 2 ай бұрын
I was thinking that too - 🤣. Like the anesthetist who created BFS - en.wikipedia.org/wiki/Con_Kolivas
@dsandoval9396 2 ай бұрын
Same. First couple of minutes I really was thinking Frank must've been a PC savant that came up with that exploit at home. While managing Domino's Pizza store.🤦
@yyyy-uv3po 2 ай бұрын
@@dsandoval9396 Gustavo Fring nerd version
@StefTechSurfer 2 ай бұрын
The perfect cover.
@rossr6616 2 ай бұрын
pepperoni in the clean room!
@dr.robertnick9599 2 ай бұрын
That Pizza order thing is a great way to explain what side channel attacks are.
@DanielBoctor 2 ай бұрын
aha, I was hoping it would be! Glad you thought so 😊
@Krono159 2 ай бұрын
not only a great way, but the best one
@Batwam0 2 ай бұрын
When you explained the attack at 15:10, I realised why you have mentioned the pizza story at the beginning and understood the attack method right a way. It was perfect 👌
@ahndeux 2 ай бұрын
Now if we can only correlate donut and coffee orders to police incidents.
@RikuRicardo 2 ай бұрын
For real! That makes so much sense
@Jack-lr3dn 2 ай бұрын
Insane they figured out a way to effectively gaslight a cpu
@iraniansuperhacker4382 2 ай бұрын
Ive been having conversations with people recently about how vulnerable airliners are to electronic attack/hacking and people are generally under the assumption it would literally be impossible to hack an airplane and bring it down. I tried to explain to them attacks or rouge engineers sneaking something into the tool chain they use to build the software. Ive spent more then a few years learning how to program and how computers work, they tell me I watch too many movies and they try to give me some wild half assed technical reason as to why they are right. Im for sure going to use this video as a reference in the future.
@freedustin 2 ай бұрын
Not really. People need to quit thinking computers are smart, they are not. They blindly follow every order that makes it to the CPU.
@ahndeux 2 ай бұрын
@@iraniansuperhacker4382 Wrong and lots of bad information in your post. Its not that software can't be hacked, but most source codes have CRC checks to verify against non-approved changes. Most flight level software has multiple level of checks against malicious code. Its not written by one rogue programmer. There are teams of people and verifications on software code. Can code written incorrectly and compromised? Of course. However, you have no clue to the level of verification is needed in software on critical systems. It's not what you think.
@iraniansuperhacker4382 2 ай бұрын
@@ahndeux Are you a programmer?
@jasonfyk 2 ай бұрын
wrong @@ahndeux
@mushroomsamba82 2 ай бұрын
all the pentagon would have to do to avoid the side channel attack is throw a pizza party on a random day every month
@gamagama69 2 ай бұрын
and utilize different places, assuming that groups are placing people in resturants to track this
@consumerextraordinaire8209 2 ай бұрын
bean counters: "hmmm, sounds expensive..."
@tondekoddar7837 2 ай бұрын
Exactly. Also, order taxis, drivers, cancel drivers free time, electricity usage (remember what kind of lights you use makes different waveforms in the nearby network) umm no need to track me, 3-letter Sir, I'm just a newborn from halfway across the world, no the GOOD PART... :)
@DavidTriphon 2 ай бұрын
@@gamagama69you can find average wait times on google. After the Russian Wagner group leader died (or maybe some other recent Russian war event, I might not be remembering correctly), anyone who could use google maps for finding restaurants could see that wait times had spiked throughout the Washington DC area. Thanks to google, the DC pizza index is public globally.
@johnridout6540 2 ай бұрын
That's still not secure. You'd need to throw pizza parties at random intervals irrespective of months.
@lbgstzockt8493 2 ай бұрын
The people finding hardware vulnurabilities are genuine gigabrains. How do you even come up with this?
@GiveThemHorns 2 ай бұрын
While I understand and appreciate the seemingly impossible nature of finding an exploit like this, it doesn't require a 'gigabrain'. It's just a matter of having the right knowledge with the right set of skills (which can be learned). A good, and common, example of where this type of thinking is regularly used is with SDETs. SDETs use their knowledge of the system combined with the experience and know-how of performing technical analysis in order to identify potential flaws and test for them.
@raylopez99 2 ай бұрын
@@GiveThemHorns Still, the hackers were gigabrains. I mean even designing a keyboard logger is hard to do. As an amateur coder I tried in C# to design a keyboard logger than was a TSR program and could not (of course C# has a keyboard library but not persistent after you stop using the program). But these low level language hackers could do it and also make the program tiny to avoid detection, as well as having a randomly changing signature to avoid anti-virus. Gigachads indeed.
@IamFrancoisDillinger 2 ай бұрын
Agreed. I took a cloud security course in undergrad and I remember learning about these attacks (though I've forgotten most of it) and reset attacks on TPMs and all I could think was "These people are crazy...just how?" I wish I had the knack for such things.
@Bug_Abuse 2 ай бұрын
For some it's a hobby. I learned to break systems when I was a teenager by exploiting games. You just have to think outside the box. I learned to exploit before I starting coding. It makes more sense as a coder how you can't think of every possible edge case over time.
@GiveThemHorns 2 ай бұрын
@@Bug_AbuseCoders don't think of every possible edge case, not even close.
@petersmythe6462 2 ай бұрын
"accessing main memory is incredibly slow" "Like a five millionth of a second."
@vampir753 2 ай бұрын
Better go and get a coffee in the meantime, this will take a while.
@DanLivings 2 ай бұрын
@@vampir753You could probably drink a couple of trillion caffeine molecules in that time
@charliekahn4205 2 ай бұрын
Your average RISC instruction takes around four clock cycles. If your clock is 1GHz, one cycle is 1ns. That means you can perform 50 instructions in the time it takes to access one byte on an 8-bit bus.
@kevinjohnston8399 2 ай бұрын
@@charliekahn4205 Actually that's not quite correct. Each individual instruction requires four cycles, but after one cycle of one instruction, a new instruction starts its own first cycle. Most of the time there are 4 instructions all in progress at the same time. Each one starts and finishes one cycle after the previous. So in 200ns the CPU can start 200 instructions, and finish 197 of them. (The last 3 are in different stages of "not finished yet", but they all finish in the next 3 cycles.)
@user-vb2ll8nl6g 2 ай бұрын
@@kevinjohnston8399 Actually that's not quite correct. Modern CPUs are superscalar and can start multiple instructions at once, even in a different order than they are in the running program (which is called "out-of-order" execution).
@exzld 2 ай бұрын
"lets not get ahead of ourselves" that was an unintended pun
@DanielBoctor 2 ай бұрын
I didn't even realize that lol
@raylopez99 2 ай бұрын
I predict this comment will blow up with likes...
@exzld 2 ай бұрын
@@raylopez99nah it will probably just get rolled back...
@pedroandrade8194 2 ай бұрын
@@exzld you might roll back... ill still be a hit
@user-tm7eq3jx4h 2 ай бұрын
xD @@pedroandrade8194
@rog2224 2 ай бұрын
In the 70s, security forces in the UK used a milk bottle metric to predict riots - a dip in returns of empty milk bottles in certain places meant there was going to be serious trouble in the next two-three days.
@chaferweed 2 ай бұрын
Why so?
@Zorro9129 2 ай бұрын
@@chaferweed The bottles could be used for molotov cocktails.
@jtnachos16 2 ай бұрын
@@Zorro9129 Also, the lack of people going about daily chores and staying home/out of sight instead would indicate tensions and concerns amongst the populace. If you've ever hung around a bad neighborhood before, you know when the druggies and other locals suddenly disappear from the streets, you should be disappearing too. You get the same effect in the widlerness too. If the normal noises of the environment suddenly stop, something is wrong.
@dirtydan3029 2 ай бұрын
Im too young to remember milk being in glass bottles
@maid1452 2 ай бұрын
@@jtnachos16 That's a good way to put it.
@wernerviehhauser94 2 ай бұрын
Why you should always consider to generate some garbage on the side channels...... even if that means bying free pizza for your facility management at night.
@lordfrz9339 2 ай бұрын
They now make sure to order small batches of pizza from several different venders. And they buy pizza regularly, not just on big days. So even when the amount of pizza spikes, it just seems like a normal order to each pizza place.
@ryelor123 2 ай бұрын
@@lordfrz9339A spy could just see how many pizza deliveries occur visually.
@josephkanowitz6875 2 ай бұрын
ב''ה, but then they'd think Americans still rely on food
@corvusnocturne 2 ай бұрын
wait, people in other countries dont need to eat?@@josephkanowitz6875
@BudgiePanic 2 ай бұрын
I heard they stopped ordering pizza entirely from the guy who originally published it
@DerSolinski 2 ай бұрын
Why is there a expense claim for 200 pizzas labeled "security measure"? To prevent a side channel attack Sir. So this has nothing to do with several complaints about a "obnoxious party" from the locals? Absolutely not, Sir.
@rightwingsafetysquad9872 2 ай бұрын
If we have an obnoxious party every night, the data miners can't figure out which ones mean we're going to war.
@skop6321 2 ай бұрын
@@rightwingsafetysquad9872 oh yea its bigbrain time
@CuteistFox 2 ай бұрын
actily they use a bunch of pizzarias
@IanBPPK 2 ай бұрын
@@CuteistFoxThey do now to obfuscate, initially it was from a very short list of places.
@tutacat 2 ай бұрын
"Don't give your real address" "I. P. Freely"
@pianowhizz 2 ай бұрын
The funny thing was, the speculative execution feature was a known security risk back in the 1990s. It’s not something new.
@Zaraaashiigal 2 ай бұрын
People always find ways to gaslight and exaggerate. It's common on youtube. I wish more people would realize this.
@ChrisM-tn3hx 2 ай бұрын
Most current methods are very similar to those used back in the 80s and 90s. Take SQL injection for example. One of the oldest and still most common forms of attack. Still works.
@Munenushi 2 ай бұрын
@@Zaraaashiigal youtube is becoming like those commercials where a person - for example - would just dump a bowl of popcorn and then someone would dump a bowl of chips and a voice says "HAVING PROBLEMS WITH BOWLS??" and then the ad begins for a 'new bowl' that has arms attached that go on your thighs when you sit down, so that the bowl doesn't spill as easily.... YT is becoming the "before" (where people just dump bowls stupidly) as the title of the videos here, and then when you click on the video and watch it, it becomes the "after" (where the solution of the new bowl type is shown) - all just clickbait to get people to watch... like the "YOU are doing ______ wrong!" trope lol
@MarcosAlexandre-no3qx 2 ай бұрын
I heard about it, but it was not from the companies if i remember right, but the nsa and the cia would know about this exploit and not inform because they could use it to gather information on people of their interest.
@Zaraaashiigal 2 ай бұрын
@@MarcosAlexandre-no3qx You lost me at "The NSA and the CIA".
@milk-dog 2 ай бұрын
The timing of this video could not have been better. The GoFetch exploit on M1 and M2 silicon was just discovered as a side channel attack, and your explanation helped understand it a lot better. Thanks.
@DanielBoctor 2 ай бұрын
I know, it's a crazy coincidence. I started working on this video about a month ago too. Glad you liked it!
@ben_car_8115 2 ай бұрын
@@DanielBoctorI honestly thought this was released because of the exploit when I first clicked on it. Sometimes thing just line up so well
@tondekoddar7837 2 ай бұрын
@@DanielBoctorDo you keep any videos for a while just to wait for a thing to happen ? Crazy good video, ty.
@fredwupkensoppel8949 2 ай бұрын
Yeah I was reading about GoFetch the other day and went "wait, isn't that just Spectre all over again"? If you're designing a CPU, shouldn't "could this lead to the resurgence of the worst microarchitecture-based security flaw ever" be a question that gets occasionally asked?
@AJ3000_ 2 ай бұрын
@@DanielBoctornailed it
@JimAllen-Persona 2 ай бұрын
That’s the Feynman story: when he was going to Los Alamos the army told all the scientists to buy train tickets from different stations for security purposes. So Feynman being Feynman, he went to the Princeton station because no else would be there. When he walks in the station master (who has no idea who he is) tells him all of his stuff they’re shipping there for him should be fine. The army made all the people buy tickets from different locations but shipped all the lab equipment from Princeton.
@octakhan4673 2 ай бұрын
On a similar note: A popular science fiction magazine publisher knew there was something going down in Los Alamos because all his subscriptions suddenly moved to New Mexico!
@zimriel 2 ай бұрын
the movie "Oppenheimer" does pretty well at showing how Oppenheimer hired all his friends who, oopsie! were all communists. Most were simple Trots or just Lefties by that time, but a good deal of Uncle Joe's sympathisers got through.
@mytech6779 Ай бұрын
@@octakhan4673 It wasn't addressed as Los Alamos at the time, it was only addressable by zipcode or something like that. Even birth certificates just had the zipcode as the place with no city or state or hospital name. Special zipcodes are still used, I once worked for a company that had a building with its own zipcode even though it was within a normal city zipcode.
@mytech6779 Ай бұрын
@@octakhan4673 Kodak discovered nuclear information super early via side channel, when radioactive contaminents showed up in some raw material creating spots on their fresh film.
@octakhan4673 Ай бұрын
@@mytech6779 Oh, my mistake. It makes sense the location wouldn't have been publicized anywhere. I believe it was publisher John Campbell who figured out that something was going on over there, based on his subscribers suspiciously moving to New Mexico!
@VivBrodock 2 ай бұрын
putting out this video a couple days after a side channel attack was found on M1 chips is *_wild_* timing
@SeekingTheLoveThatGodMeans7648 2 ай бұрын
Perhaps the You Tube algorithm also helped by noticing the intersection of topics with a trending thing. This could have been mad obscure, otherwise. At any rate, due to vulnerabilities like this, various speculative executions, due to not wanting to go hog wild due to errors incurred during them if they are wrong, can tap out data that should never have been visible to you. Truly serious security in the face of this sounds like it means never letting anything that could be hostile run on your secure computer at any level. Not even websites. As burglar alarms and burglar proof doors get better, data burglars get more clever.
@leogama3422 2 ай бұрын
he speculativelly recorded it
@DanielBoctor 2 ай бұрын
Underrated comment lol. In all honesty it was a coincidence. These videos take a very long time to make - I actually started working on this about a month ago. I'm just as surprised as you guys are 🤯
@l33tninja1 2 ай бұрын
@@SeekingTheLoveThatGodMeans7648 honostly i dont think we shoild have the internet linked to anything vital like our ships, food production and security. Should be as separated from the web as we can manage and the controls should always be on site only.
@devonwilliams2423 Ай бұрын
@@DanielBoctorsure bro, can you stay in town one more day? Boeing lawyers have a few more questions Oh and good news! They booked you a nice hotel with an incredible parking lot 🎉
@Knyllahsyhn 2 ай бұрын
I already heard about this from an interview with the researchers that found the vulnerability, but you sure did one hell of a job to visualize and break it down. Funnily, code remaining in some part of some memory has been used in higher-level attacks, like the famous Tweezer Attack on the Wii. Crazy how since the early days of computing, more and more layers have been added, leading to similar problems on lower levels.
@filker0 2 ай бұрын
There are some CPUs that have speculative execution and branch prediction but don't access memory that is not accessible by the thread. Instead, they note the exception when the address isn't in the active page table and, if the branch isn't taken, raises the exception. These include many power pc flavors.
@rufmeister 2 ай бұрын
Unfortunately, not the M1/M2, it seems.
@filker0 2 ай бұрын
@@rufmeister Not a PPC, ARM followed the Intel memory management model.
@kayakMike1000 2 ай бұрын
Its NOT just the OS that detects you're out of bounds. There's hardware called an MMU that sets an exception or interrupt for an access fault. The OS just initializes this when it sets up an adress space. In smaller micrcontroller systems, you MIGHT have a rudimentary MPU, but not a full MMU
@BillAnt 2 ай бұрын
Right, a well designed MMU should not allows leaking of data into the cache on out-of-bounds memory calls. The problem is likely with the CPU's speculative processing then backtracking on failure without clearing the cache.
@kreuner11 2 ай бұрын
@@BillAntyes
@kayakMike1000 2 ай бұрын
@@BillAnt yup, you're correct. I was vomiting up an angry comment when he just said something about the OS emitting a segfault. I just really get wound up when people minimize the hardware.
@__christopher__ 2 ай бұрын
@@BillAntif ir would catch the illegal access during speculative execution and simply stop the speculative execution in that case, the indexing with the restricted data would not be executed even speculatively, and thus there would not be any cache change In accessible memory that you might run your timing attack on.
@MRL8770 2 ай бұрын
I believe the confusion might've arosen from the fact that the UNIX-like kernels emit the SEGFAULT signal to a process that caused it (which is in fact irrelevant to memory protection as contrary to what Daniel said, the process can still run and access data after receiving that signal), but as you said, the actual segmentation fault comes directly from the MMU as an interrupt.
@Amir_404 2 ай бұрын
An important thing to note is that there was *probably* no cases of Spectre leaking data in the wild. It was a new class of possible exploits so experts freaked out because nobody know what could come of it , however(by shear luck) nobody ever found a usable attack using Spectre. The fastest leak found was 60 bits/hour, and it would take a theoretical unrelated exploit to find what memory address had the data you wanted to steal.
@KiraSlith 2 ай бұрын
In an optimal setup with a small cache and RAM pool, it could be used to retrieve otherwise inaccessible/secret encryption keys. Technically it'd be easier to just bung whatever app you're trying to steal keys from into a compromised virtual machine engine (FOSS hypervisors like KVM are easy to exfiltrate data from) or exploit DMA devices (like the ethernet controllers on most motherboards) to dump system memory in pages until you find the desired keys. [Edit: Typos]
@saddish2816 2 ай бұрын
nation states will have known about this before it was made public and would have used it, unless they had better methods of achieving the same thing
@_BangDroid_ 2 ай бұрын
@@saddish2816 And which APT groups are we talking about? Considering even now after everyone knows the technical details there are still no valid exploits for vulnerable silicone, your assertion is entirely speculative.
@ABaumstumpf 2 ай бұрын
"The fastest leak found was 60 bits/hour" !?!?! WTF? Why are you lying about this? It was demonstrated to be fast enough for video transmission even.
@Mavendow 2 ай бұрын
@@ABaumstumpf The initial research showed what he says, but you're right, later research did find a far better method. He's not lying, just plain wrong.
@kelstafo 2 ай бұрын
I expected you to talk about that shady intel management thing that has unlimited control over cpu and runs mysterious code that only intel knows what it does
@BrandonFifer 2 ай бұрын
The Intel Management Engine?
@shinobuoshino5066 2 ай бұрын
Probably because you're sub-68IQ cretin who has been on 4chan for too long and spent a total of 0 seconds researching how it works, when used as intended, if you knew intended use and actually put your time into tinkering with it, you may or may not have figured out how it works just like many people did who know what it does because reverse engineering even a total black box is trivial.
@DanielBoctor 2 ай бұрын
Can you link to what you're referring to? Could be a topic for a future video 👀 EDIT: seems like it is Intel Management Engine. Going to look into this.
@ryansullivan3085 2 ай бұрын
Ah that's a comforting thing for an Intel CPU user to hear
@TheSensationalMr.Science 2 ай бұрын
from what I could find I heard it runs a modified version of minix to run microcode [CPU code] on the CPU microcontroller. though I don't know if that is true or not... haven't cut open a CPU or tried debugging it their way to get there. though it would be interesting learning more about it, so that we can understand *WHAT* it does, and how like this explanation did. [also he probably can't... KZfaq hates links] just search *intel management engine* and you'll find a wiki and the intel page about it... though I don't know about any vulnerabilities using it though. Hope you have a great day & Safe travels!
@whamer100 2 ай бұрын
this was the first video ive seen that actually showed this exploit in a very easy to digest manner (I'm a computer science major, so I already understood the technical details, but this reinforced it in a way that makes way more sense than I originally had thought)
@DanielBoctor 2 ай бұрын
That's pretty awesome, glad it was able to help! Thanks for the support ❤️
@snorman1911 Ай бұрын
Look everyone, we got a computer science major over here!
@glitchy_weasel 2 ай бұрын
The best explanation of this vulnerability hands down! Fantastically done!!
@DanielBoctor 2 ай бұрын
I'm honoured, thank you!
@davidvelasco4423 2 ай бұрын
What would you know about that? You're a furry.
@SlightlyNasty 2 ай бұрын
Nice explanation! I remember when this broke originally all the news coverage just handwaved over the actual cache extraction part, so I was never clear on how the timing attack actually determined the specific value. That array indexing trick is nifty.
@robertsmith2956 2 ай бұрын
I never got an answer about the Pentium math bug. Which way did it fail? Should I use it to do my taxes?
@JohnUsp 2 ай бұрын
In Brazil happened that same in the '60s, when suddenly a bakery in a rural area received a huge order of hundreds of breads, they "followed the bread" and discovered the camping of a guerrilla army.
@juliangi8169 2 ай бұрын
This was insanely well explained. Great Video!
@DanielBoctor 2 ай бұрын
Thank you!! Glad you liked it 😊
@nobobo2401 2 ай бұрын
This reminds me of modern warfare 2 (original one on 360). If you spam click matchmaking and back out right before it gets to 100% about 10 times then quickly load into a private lobby, it will load a bunch of randoms into your private game. That game was so full of bugs but the most fun COD ever.
@macksii 2 ай бұрын
i know nothing about computer vulnerabilities but you made it incredibly digestible to understand. nice work!
@DanielBoctor 2 ай бұрын
Thanks for the kind words! Keep on doing what you're doing 😊
@jacob_90s 2 ай бұрын
You know what's really funny is I remember hearing a lot about this at the time, but it wasn't until just a few days ago that I finally found a video that made it click for me how this worked... and now you come out with this one which does an even better job of explaining it. Also, just to note, I believe that most of the vulnerabilities are not capable of accessing the memory of other processes at all. The biggest concern has been programs like browsers, where code is all running inside the same process, and you have cookies, passwords, credit card numbers, etc which could all potentially be accessed. It seems like for a permanent hardware fix, either they need to evict the data from the cache, or have a separate, speculative cache which is then later committed to the main cache.
@robertsmith2956 2 ай бұрын
speculative memory should be flushed if it is wrong, and locked down till it knows if it was wrong.
@tiredpotato5539 2 ай бұрын
Dude. I love your videos, you choose very interesting topics and explain them BEAUTIFULLY.
@DanielBoctor 2 ай бұрын
Glad you think so! Thank you for the support Tired Potato ❤
@MrMCMaxLP 2 ай бұрын
This was a great video, thanks for explaining the exploit in detail. In my computer architecture class, the professor mentioned these attacks but never actually explained how they worked. I never realized that speculative execution would mess up with the cache!
@chasebrower7816 2 ай бұрын
Feels very rare that a channel makes content this cogent and well organized. Great job!
@DanielBoctor 2 ай бұрын
wow, I'm honoured to receive such a comment. thank you for the support!
@floodtheinbox Ай бұрын
There are a lot of videos talking about computing exploits but the way you wrote and described this one is super approachable and made it really easy to understand.
@spoobspoob2270 2 ай бұрын
This was a wonderfully executed video in all aspects. Having these explained to me like this actually blew my mind. The final conclusion was satisfying and brought everything you talked about together beautifully. Well done
@ryangrogan6839 2 ай бұрын
A side channel attack is a way of deriving information simply by observing the function of a system. Usually its info you shouldnt normally beable to derive.
@Luzum 2 ай бұрын
great vid, gj with the editing and analogies, keep doing what u do
@DanielBoctor 2 ай бұрын
Thanks for the kind words
@ethanlewis1453 14 күн бұрын
@2:20 "they're the worst computer bugs in history" I thought they were showing a bug flying around the computer for effect but it was actually a fruit fly on my own monitor 🤣
@MichaelFiguresItOut Ай бұрын
Just subscribed because that explanation was fantastic! Looking forward to checking out more of your videos!
@scootsmcgoots1 2 ай бұрын
This was fascinating and really well explained. Great video
@exildur 2 ай бұрын
Absolutely fascinating video, and very well made & explained!
@DanielBoctor 2 ай бұрын
Glad you liked it! Thanks for the comment
@cleoh3 2 ай бұрын
Wow, I usually have trouble focusing on technical videos like this, but you presented this beautifully. It's fascinating stuff too which certainly helps, but you explained it in an impressively digestible way. Thank you very much!
@ashrocks8443 2 ай бұрын
This was an amazing explanation, thank you very much for deepening our understanding about the exploit, I still remember reading about the exploit but couldn't understand the significance of the danger that the systems were facing
@YeloPartyHat 2 ай бұрын
Wow. Great explanation. I knew about this before but never has it been so well explained
@DanielBoctor 2 ай бұрын
haha, I'm honoured you think so ❤
@IvanToshkov 2 ай бұрын
This is really well explained. Thank you!
@g.4279 2 ай бұрын
Fantastic video! Great analogies and break downs. Branch mispredictions can also be used in physical hardware attacks.
@karanjagtiani 2 ай бұрын
This video was absolutely amazing! Thanks for taking the effort to make it.
@geraldfisher7460 2 ай бұрын
The last time I tried programming something was a TV remote 3 decades ago. That being said this was fascinating! Well done.
@DanielBoctor 2 ай бұрын
Thanks!!
@Dreamer66617 2 ай бұрын
10/10 video subbed. nice visuals direct and clear excplanations
@DanielBoctor 2 ай бұрын
Thanks! Glad you have you apart of the community
@magefreak9356 2 ай бұрын
Very well pull together video! Thanks for the explanation.
@Nennius_ 2 ай бұрын
amazing video! you did a really good job explaining this subject to a broader audience
@darkguardian1314 2 ай бұрын
Nice opening shots of USS Makin Island (LHD-8). She wasn’t in service during Desert Storm. Back then we were riding on Tarawa Class like LHA-3 Belleau Wood. 😊
@DanielBoctor 2 ай бұрын
haha, you got me there! cool to know
@darkguardian1314 2 ай бұрын
@@DanielBoctor This beats CNN effect covering the attack as it happened. Iraq just had to watch CNN for info. We complained about too much information being put out during an active assualt. That continued with the second war with embedded reporters like Geraldo Rivera drawing maps in the sand that got him kicked out of the field. 😆
@billyj.causeyvideoguy7361 2 ай бұрын
You ever think about the fact that we are only one exploit away from being forced back to the 80s in terms of technology?
@stargazer7644 Ай бұрын
This is why security is done in layers. It really doesn't matter if you have an exploit to steal memory data if you can't get through the firewall to implement it.
@slime_stick 2 ай бұрын
I loved this video! ❤ Finally got an explanation for this surprisingly simple exploit. I will say, I would have loved a section on spectre mitigations instead of ending the video on an unfinished note
@DanielBoctor 2 ай бұрын
Thank you! I definitely realize now that I should have included a section on patches / mitigations. Going to keep this is mind for future videos.
@dronaacharya2183 2 ай бұрын
This was just pure gold, Subscribed ! Keep going man.
@DanielBoctor 2 ай бұрын
Welcome aboard! Thanks for the support ❤️
@jussiheino 2 ай бұрын
Good stuff, clear explanation
@tripplefives1402 2 ай бұрын
In the video you said that the operating system prevents your program from accessing memory of other programs, this is not so. The operating system loads in the page table in each core for the current process running on that core (each process is a page table from the CPU hardware point of view, each thread is a stack) every time is does a context switch invoked by the system timer interrupt handler. It's the actual CPU hardware itself that does the privilege check on memory access according to flags set in the page table entries for that address being accessed. If flags don't allow it or if the address is not present then it invokes a page fault interrupt handler from which the OS can spawn a dialog box process and kill process or it can sleep the process and notify the hard drive driver to read in the virtual memory for the missing page entry. So on the event that you access memory you are not allowed to get the CPU will see the flags in the page table and invoke the interupt handler for page faults. The kernel ISR then just populates a log entry with the values stored in registers, puts the bad process to sleep, and quickly exits. The kernel process then sees that log entry and does the work of unloading the stopped process (stopped being just a flag in a data structure that the system timer ISR sees to know not to switch in the page table for the stopped process).
@DanielBoctor 2 ай бұрын
This is very interesting, thanks for pointing it out! I didn't realize this at the time. Thanks for sharing all this info. I went ahead and updated my pinned comment. Thanks again!
@BSOD.Enjoyer 2 ай бұрын
@@DanielBoctor 2:27 can spectre really allow user to access virtual memory from other processes? each process has their own address space if mspaint.exe calls ptr=malloc(1), chrome.exe won't have a virtual address that translates to same physical address as what ptr inside mspaint.exe translates to whatever out of bound array access chrome.exe is doing, it wont access ptr inside mspaint.exe based on your description of spectre, i dont see how reading virtual memory from other process is possible
@gregs6403 19 күн бұрын
This is so well explained. So many tech channels flounder when they try to explain the actual mechanisms at hand, but you clearly have a truly excellent understanding. Thank you for making this.
@DanielBoctor 19 күн бұрын
thank you for the feedback! I appreciate it. I'm glad you thought so
@jacksonc8243 2 ай бұрын
Awesome video. I remember hearing about this attack years ago, but thought it would fly over my head because it was at such a low level. Thank you for the explanation!
@TheLexikitty 2 ай бұрын
Fantastic video, instant sub 💞
@DanielBoctor 2 ай бұрын
Glad you liked it! Thanks for the sub
@pewpewpew8613 2 ай бұрын
Excellent explanation of the basic idea behind this attack. Great video, thanks!
@kineticcat5557 2 ай бұрын
FANTASTIC video! makes the attack super understandable and now I'm going to use that side-channel example everywhere
@DanielBoctor 2 ай бұрын
I know, it's a great analogy. Thanks for watching!
@Xenonuxium 2 ай бұрын
Thanks to you, I finally understood it!
@DanielBoctor 2 ай бұрын
That's awesome to hear! I'm honoured 😊. Thanks for watching
@linux2420 2 ай бұрын
Wait, so how can modern CPUs do this securely?
@stargazer7644 Ай бұрын
you make sure to roll back ALL changes, including flushing the cache
@fletcherluders415 23 күн бұрын
Wow, that was the most simple and straightforward explanations of this attack that I've heard!
@Youbetternowatchthis 2 ай бұрын
This is absoulutely fantastic. You make all this very easy to follow and understand. I finally get how these exploits basically work. Really well done!
@DanielBoctor 2 ай бұрын
Thank you!
@YellowDice 2 ай бұрын
i do like how the headlines for the hot fixes for these were like 20% performance decrease!!!! When in real-time the difference is near unnoticeable.
@Bialy_1 2 ай бұрын
Because 20% performance decrease in real-time is near to unnoticeable...
@Blox117 Ай бұрын
unnoticeable if all you use your computer for is minecraft, fortnite, and tiktok
@narayanbandodker5482 2 ай бұрын
So I guess they "fixed" this bug now using microcode updates on some older CPUs now? Or are there still billions of CPUs that are silently leaking data?
@polinskitom2277 2 ай бұрын
still some leaking data, i.e, i3-2xxx to i5-6xxx are still unpatched to this day, amd put more effort into patching older CPUs than intel, with the only ones being unpatchable are cpus older than 2006
@Ocastia 2 ай бұрын
To be fair Skylake is now over 8 years old so whilst this isn't great I doubt that it matters too much.
@Momi_V 2 ай бұрын
There are workarounds in modern OS-Kernels. They don't fix the underlying issue, but are more careful when switching around between different processes and memory accesses. This mostly works, but has a performance overhead that can be significant (>10%) in some workloads. Some people insist on booting Linux with mitigations=off to get back that bit of extra performance, but make themselves vulnerable to those "fixed" attacks in the process.
@rightwingsafetysquad9872 2 ай бұрын
@@polinskitom2277 Maybe I'm wrong, but if the 7th gen chips were patched, I'd imagine the 6th gen were as well because they're the same architecture. Half-way through the 8th generation hardware fixes were introduced. Unfortunately the only reliable way to determine if a particular 8th gen chip has fixes is to look up the model number. 9th gen and newer should be completely good.
@stefanl5183 2 ай бұрын
It's a theoretical exploit, that would be very impractical to utilize in the real world. The problem is the process executing the exploit may know that it's reading memory outside it's process, but it has no idea of what resides in that memory and whether it's anything valuable or useful.
@AR-yr5ov 2 ай бұрын
Very good explanation and this video is really well made, thanks!
@darkguardian1314 2 ай бұрын
Side channel attack is like gravity or dark matter. You see the effects even though you don't know what's happening. Going to have to do a deep dive to get up to speed.
@Elesario 2 ай бұрын
Interesting this came out when they've just found there's a side-channel exploit in the M series chips used in apple computers.
@DanielBoctor 2 ай бұрын
I know, it's a crazy coincidence. I started working on this video about a month ago too.
@pixobit5882 2 ай бұрын
@@DanielBoctor I've watched this video a few hours ago an now i've stumbled across a primeagen video about the M series problem, where LowLeveLearning explains exactly the same as you did in this video.
@dexterantonio3070 2 ай бұрын
How did they try to patch it?
@sub0rLai 2 ай бұрын
it's un-patchable, you need a new CPU without speculative execution and branching. don't even know if they exist atm.
@dexterantonio3070 2 ай бұрын
@@sub0rLai That is not entirely true. I know intel sent out some fix that ended up bumping up some server energy consumption by 40%
@jet.pvckVR 2 ай бұрын
the pictures representing words and the whole video is so easy to follow and understand. well done with the editing. just had to comment and say.
@tamertamertamer4874 2 ай бұрын
Ngl that’s absolutely crazy. Also nice timing with the M1 thingy even tough you didn’t know about it yet :)
@olegmakarikhin 2 ай бұрын
Spectre and meltdown in smartphones? 😮
@monad_tcp 2 ай бұрын
6:44 The Von Newman bottle-neck is an absurd way to operate. As John Backus said back in the day, the way we made programming languages and hardware is totally insane and backwards, it worked for simpler machines but it was basically a bodge, and he tried to refuse his Turing award, but was talked out of it. That's how wrong our programming languages and hardware is. That was more than 50 years ago, and people keep venerating Unix, C and VonNewman CPU like a cult or church, like perfection, but that's barely a start. We should do better. Well, this field is very young, and there's much to do to have a perfect cathedral.
@drivers99 2 ай бұрын
Interesting! Any good search terms to find out more? I’m interested in building computer architectures and other systems from scratch.
@kreuner11 2 ай бұрын
@@drivers99don't worry about this guy, I'm not sure how the fact it takes a while to read computer memory is related to it's pure architecture. One could make an ISA which is more explicit in what to do in that gap though
@afterthesmash 2 ай бұрын
John von Neumann was perhaps the smartest guy alive in this field at the time he pioneered digital computation at the IAS. His approach unified code and data, which was a big deal. Anyone else could have come along since then and proposed a better method suited to subsequent generations of hardware, including John Backus. It never happened because it's a very hard problem. There are a finite number of pins on the CPU package. That's where the bottleneck originates, not the von Neumann architecture. I studied Backus's proposal for the programming language FP back in the 1980s. There was merit in what he was proposing at the software level, but he never contributed anything useful to hardware architecture other than hot air.
@ardonjr 2 ай бұрын
This is byfar the best explanation I've seen on Spectre and Meltdown. My compliments!
@JohnSmith-of2gu 2 ай бұрын
A comprehensive explanation, not excessively technical, with excellent visual aids to boot. BRILLIANT VIDEO!
@knghtbrd 2 ай бұрын
To explain Specter and Meltdown, imagine a bus that arrives every 0.35 seconds. That bus runs you over, despite the bus working properly and being driven by a licensed driver. … No? Two of you thought this was funny.
@DanielBoctor 2 ай бұрын
I must be one of the two LOL
@knghtbrd 2 ай бұрын
@@DanielBoctor I was going to further feed the beast with a pun about HOME's We're Finally Landing, but that might be a little too on the nose. Besides, you weren't even eating a slice of pizza while explaining this, sheesh. I'll stop now. 😁 Enjoyed the video!
@pranaypallavtripathi2460 Ай бұрын
An extremely complex topic explained in an extremely simple way. True hallmark of an expert. Keep this up. Subscribed 👍
@DanielBoctor 19 күн бұрын
Much appreciated!
@nile6076 2 ай бұрын
Great explanation! The visuals made this very clear.
@cry1273 2 ай бұрын
First 🎉 nice video
@DanielBoctor 2 ай бұрын
First indeed. Glad you liked it! Thanks for watching ❤
@HamguyBacon 2 ай бұрын
These are not vulnerabilities or accidents, they are deliberate and demanded by the unintelligence agencies.
@xSaDii 2 ай бұрын
Yeah, sure, i can imagine the dialog "let's release a potential vulnerability to everyone in the world because we're the only smart people able to understand how it works" 🙄🙄 Anyone in the world could have descipher this, including North Korea, for example.
@robertsmith2956 2 ай бұрын
@@xSaDii Yea, North Korea is known for notifying the world of exploits so they can be patched. How long did it take for anyone to figure out VW's emission trick? if (OBD2 plugged in == TRUE) .....;
@SIPEROTH 2 ай бұрын
I am far away from understanding coding and detail CPU ways of operation but I got the essence of what happens here. You are doing a good job explaining things in relatively uncomplicated way.
@MinishMan 2 ай бұрын
Awesome explanation. So clear! Made me think about how our central nervous system runs this kind of speculative execution on sensory inputs and can even act directly before brain (CPU) processing. If you touch a very hot surface, your CNS will jerk your hand back long before your brain has evaluated the full sensory input and come up with your 'real' response.
@theideaofevil 2 ай бұрын
Computer Scientist and Senior Programmer/Analyst here, you've done a great job covering branch prediction and the problem of thrashing the cache here. Minimizing your bottleneck to main memory is one of my favorite architectural problems and I use it all the time to illustrate architectural principals to juniors.
@tirthb 2 ай бұрын
Thanks for explaining difficult concepts so simply.
@prima_ballerina Ай бұрын
Very well explained! I never looked into this and I'm shocked how simple it is to pull this off. One interesting question / topic for another video (?) would be what actually i.e. the Linux Kernel patches do to avoid this.
@yavnrh Ай бұрын
What an excellent video! Super clear and concise!
@cerkitbreaker Ай бұрын
Some really good explanations. I can have trouble understanding explanations which aren’t super clear; had no such issues here.
@rustycherkas8229 2 ай бұрын
Who remembers when the "Strava" Fitbit maps were revealing the locations "secret" military installations?
@MrSammyTeee 5 күн бұрын
Fantastic use of the Pizza index to explain side-channel attacks!
@psychechip 2 ай бұрын
Excellent explanation. Loved the pizza story, it helped a lot
@BillAnt 2 ай бұрын
Indeed, a very clever attack. I would imagine that by now chip manufacturers have included some sort of out of bounds/cache protection. To protect against a pizza side-channel attack (lol), the Pentagon has to order it to a proxy location then have someone pick it up and deliver it.
@psychechip 2 ай бұрын
@@BillAnt Yeah, probably it's how they are doing right now. I assume a full MMU for cache would be really slow
@Zilkat 2 ай бұрын
Great explanation and visualization!
@Jason-ot6jv 2 ай бұрын
wow nice video. I never thought branch prediction could be exploited like this. Pretty crazy how creative some of these people can be when looking for exploits!
@atursams5501 Ай бұрын
Great work on this video.
@Rasterizing 2 ай бұрын
Amazing! Really well explained!
@neuralelectric3248 2 ай бұрын
Wow, great explanation and work. Thank you.
@ConverseMidas 2 ай бұрын
This is a brilliantly explained video; thank you!
@Eihrister 2 ай бұрын
There are few videos I really recommend others to watch, but this is an excellent explanation of many aspects.. thank you!
@inesguedes725 Ай бұрын
First video i see of you, I loved how well you explained all the concepts, fastest subscribe of my life
@DanielBoctor 19 күн бұрын
wow, I'm honoured. glad you have you aboard!
@nufosmatic 2 ай бұрын
0:53 - I drove past the Defense Mapping Agency building in Reston, Virgina, (now National Geospatial Agency) on my way to work every morning. You knew something was up when the lights were on in the building at 6AM and the parking lot was full. They've sense built a parking garage out of sight from the main highway...
Unani Encyclopaedia: For AIAPGET & Academics
Рет қаралды 12
Гохич
Рет қаралды 2,6 МЛН