Discover and read the best of Twitter Threads about #meltdown

Most recents (11)

[THREAD sorry]

So @smealum's #defcon #buttplug talk is done.

Piecing together what I can from slides posted to Twitter since going to Defcon would requires leaving the house.

AFAIK, our software is not affected by this specific exploit chain.

Info and some thoughts follow.
I will warn that this thread will be painfully technical.

If you're following me for intimate UI/UX contexts and don't wanna see a bunch of talk about OS API models and firmware and what not, feel free to mute this thread, I'll tag everything from here out with #meltbutt too.
So, to begin, an explanation of what's up:

@smealum presented today at @defcon 27, outlining a multi-exploit chain for Lovense toys, mostly between the Lovense electron app and their USB key, partially having to do w/ the firmware for the Nordic chip on the USB key.

Read 50 tweets
Speculative Side-Channel Attacks is misleading terminology and usually used incorrectly. We should all avoid using it and @intel, you should avoid using it too. Not only because it is misleading, but because it hinders successful communication on mitigations.
Let me elaborate:
A side-channel attack uses measurements of side effects to gather enough *meta data* (power consumption, runtime, cache state, etc) to *infer* secret information.
#meltdown #spectre #zombieload and related attacks and variants do not leak meta data. They leak the actual data.
There is no need to infer secret information from meta data, there is no meta data involved. Hence, they are *no side-channel attacks*.

"But they use flush+reload". Sure, but that doesn't make the attack a side-channel attack. Let's assume the following:
Read 11 tweets
April is #AutismAwarenessMonth
Everyday, I would try to post something from our #autismjourney to spread #awareness #AutismAwareness #autismfamilies
How do you know if your child loves you/hates you, needs you/doesn’t care about you, is hungry/hurting etc? In #autism we usually guess the need of the child depending upon the intensity of the #meltdown or tantrum. #AutismAwareness #AutismAwarenessMonth #AutismFamilies @yaps9
Avani (my daughter) hadn’t started talking till 2 years of age. That got us worried and we were soon given the diagnosis that our child is on #autismspectrum Although she has speech, am still waiting for her to say ‘mumma’ minus any demand. #AutismAwareness #AutismAwarenessMonth
Read 6 tweets
From what I understand, the latest #OpenBSD vs #Intel thing went a little bit like that:
- OpenBSD: Can we be a part of this rumored Intel bug embargo?
- Intel: No. Go away.
- OpenBSD: dev do their homework, fix FPU bug, publish patch.
- Theo (at @BSDCan): we are worried, we don't have access to info. Please help us.
- Intel: publishes official advisory:…
Now everybody and their dogs are going crazy over #OpenBSD developpers doing their jobs , correcting stuff and "violating"an embargo... That they were *never* a part of. Because Intel did not want them to receive information!
Read 7 tweets
Quotable Quotes on #SoftwareTesting from this talk by @dakami at the inaugural DEF CON China. 1/?
"The goal of this talk is to connect a series of thoughts that you may never have thought were linked...Anything can be linked." 1:15
Read 44 tweets
The assumption "bug collisions are so common in all software that everyone should assume that for any bug disclosed, it's probably been found by attackers & exploited already" contrasts how scientific research works. Security research is no exception.
Bug & research "collisions" can happen due to lots of low-hanging fruit. It can also occur when researchers pay attention to reach other's work. I've discussed researcher "swarming" for years, & recently on stage at BlackHat this summer.
Bug collision or correlation rates for software that has a lot of bugs (bug dense, say, because of not being well-tested) will generally model higher bug collision rates than in software with low bug density. See slides #23-27 from my RSA talk in 2015.…
Read 17 tweets
Thread time! Why can't they just quickly patch #meltdown or #spectre and push out another cpu? Why could it possibly take years? Why don't they use AGILE or x/y/z? Lots of reasons:
(note: my goal is not to criticize chip manufacturers - it's to defend the constraints they have)
Let's start with a standard software product many are familiar with and work off that. First, every time you hit 'build' it's called a 'stepping', costs millions of dollars & takes several months. If you want a profitable product, you may only get 10 chances to press 'build'.
On top of that, half those 'builds' are not 'full layer steppings' meaning you can't change any logic gates, just how they're connected. Even with a full layer stepping you can't shuffle stuff around anywhere like you can with library files and whatnot.
Read 15 tweets
Here's my layman's not-totally-accurate-but-gets-the-point-across story about how  #meltdown & #spectre type attacks work:

Let's say you go to a library that has a 'special collection' you're not allowed access to, but you want to to read one of the books. 1/10
You go in and go to the librarian and say "I'd like special book #1, and the Sue Grafton novel that corresponds to the first letter of page 1 of that book." 2/10
The librarian dutifully goes and gets special book #1, looks at page 1, sees 'C', and also grabs 'C is for Corpse', and comes back to the desk, but does not show you the books. 3/10
Read 10 tweets
Here are a few insights on the #Meltdown and #Spectre vulnerabilities based on my recent @RANDCorporation research. /1…
First, this is yet another reminder that vulnerabilities can last a long time (our data showed vulnerabilities lasted 6.9 years before being publicly disclosed) and have a low chance of being discovered (5.7% per year). /2
But the #Meltdown / #Spectre news also has me thinking about a "swarm mentality" among hackers of all stripes after a vulnerability is disclosed. /3
Read 8 tweets
Explainer on #Spectre & #Meltdown:

When a processor reaches a conditional branch in code (e.g. an 'if' clause), it tries to predict which branch will be taken before it actually knows the result. It executes that branch ahead of time - a feature called "speculative execution".
The idea is that if it gets the prediction right (which modern processors are quite good at) it'll already have executed the next bit of code by the time the actually-selected branch is known. If it gets it wrong, execution unwinds back and the correct branch is executed instead.
What makes the processor so good at branch prediction is that it stores details about previous branch operations, in what's called the Branch History Buffer (BHB). If a particular branch instruction took path A before, it'll probably take path A again, rather than path B.
Read 28 tweets
Some of you might be hearing about #Spectre and #Meltdown today, which allow memory from other processes and the kernel itself to be read. They exploit CPU designs.

I'm still doing my reading, but a good place to start if you're technically inclined is
Spectre involves training the CPU to speculatively run invalid code in the victim's address space, and then using a side-channel (such as cache timings) to infer details about the victim's memory.

It affects at least AMD, Intel and ARM CPUs

The sample exploit reads 10KB/s.
Spectre also includes sample code for breaking out of the JavaScript sandbox on chrome.

It's very, very clever.
Read 10 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!