Spectre 1 

What does it target?

It targets branch prediction and speculative execution features.

Who is impacted?

Anyone using Intel, AMD, and ARM CPUs.. in short, everyone.

Whats the risk?

Spectre breaks the isolation between programs, enabling the attacker to get good programs to disclose data. Allows you to pull information from running process. Encourages a victim process running on a machine to perform operations it would not normally do and this could leak information via a side channel.

What does it need to hit you?

It needs to be able to execute code on your machine. This can be done through some JavaScript code reportedly but yet to see it in the wild and many browsers have patches to prevent this. They prevent it by randomizing the response time from the cache, thus preventing data disclosure via the high precision timing attack.

 

Brief Description;

The exact flow of Spectre’s execution is still something I am trying to understand fully. What I do know is that the two CPU features used in the exploit are;

Speculative Execution; This is where the CPU execute commands out of order, so a later command that has no previous dependencies can be executed with the result stored in cache until its required. This reduces idle time of the CPU and allows code to execute faster that if it was executed sequentially.

Branch Prediction; In most code we have decision trees, with the one coming to mind being the common IF statement. In order to execute code out of order that has a previous dependency that has not yet been met, such as a user authenticating as an administrator the CPU uses a Branch Predictor that is trained to guess which branch of the decision tree will be followed, this branch is speculatively executed with the result stored in the cache for later use.

By combining these two features and mistraining the branch predictor( to assume you will successfully authenticate) with a precise timing side channel attack similar to how we pulled the data from the cache in our meltdown runthrough we are able to interact with process and exfiltrate information.

Robotron’s blog has an interesting explaination of how this works.

Meltdown

What does it target?

Speculative execution and Intels Privilege Execution features

 

Who is impacted?

Anyone using Intel and some ARM CPU’s; As this targets Intels proprietary Privilege Escalation feature, AMD is not impacted. Im not sure how ARM CPUs are vulnerable, possible they licensed this from Intel?

 

Whats the risk?

Violate the boundary between Ring 3 and Ring 0 to read kernel memory from user space.

 

What does it need to hit you?

Ability to execute code on target machine.

 

Brief Description;

  1. Flush CPU cache
  2. Read char from address that throws exception(seg fault)
  3. Fault is thrown but speculative execution causes the result is stored in CPU cache due to out of order execution.
  4. Check each possible BYTE and measure time against time of returning fault. If the result is stored in the cache, eg for ‘a’, then when we check ‘a’ return should take 60ms as opposed to 200ms if we check ‘b’.
  5. If fault takes a long time to return it means that letter was not stored in the cache and thus, was not in the memory location. If the fault is returned quickly then that letter matches the cache and we can try another memory location and repeat the process, building out what that string says.