Profile picture
Paul Fenwick @pjf
, 10 tweets, 3 min read Read on Twitter
Some of you might be hearing about #Spectre and #Meltdown today, which allow memory from other processes and the kernel itself to be read. They exploit CPU designs.

I'm still doing my reading, but a good place to start if you're technically inclined is
Spectre involves training the CPU to speculatively run invalid code in the victim's address space, and then using a side-channel (such as cache timings) to infer details about the victim's memory.

It affects at least AMD, Intel and ARM CPUs

The sample exploit reads 10KB/s.
Spectre also includes sample code for breaking out of the JavaScript sandbox on chrome.

It's very, very clever.
#Meltdown works by exploiting the fact that CPUs will execute instructions ahead of the "current" instruction as means of optimisation.

It's possible to observe the side-effects of instructions that were executed but never committed.
Meltdown reads from kernel memory (an illegal op), then uses that read times the page size to make a second memory access.

By observing cache hits and misses, you can infer the memory that was read by the invalid-and-discarded operation.

Which means you can read kernel memory.
By use of some clever optimisations, #Meltdown kernel dumping at a speed of 122KB/s is possible.

On modern (Broadwell+) Intel CPUs, a speed of 502KB/s is achieved.
In addition, because kernel memory usually maps the physical address space, #Meltdown can read most (on unpatched Windows) or all (on unpatched Linux) physical memory.

So it can and does break containers, virtual machines, and everything else we rely upon.
The good news is that #Meltdown can be defended against with a series of kernel patches. On Linux these are known as KPTI (formerly KAISER).

These exist in Linux 4.15, 4.14.11, Windows 10 Build 17035, and OSX 10.13.2.

Upgrade your systems if you haven't already done so.
Both of these vulnerabilities are scary.

Meltdown because lots of devices won't get patched.

Spectre because patching at all seems to be extremely challenging to patch at all. It's named because it will "haunt us for some time".
We're seeing a lot more vulnerabilities exploiting flaws & artefacts of hardware.

Rowhammer changes memory by using voltage fluctuations to flip bits.

I've seen ssh sessions run over cache invalidation channels between VMs.

I don't think spectre and meltdown will be the last.
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Paul Fenwick
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!