Profile picture
Clay Shirky @cshirky
, 10 tweets, 2 min read Read on Twitter
I'm going to try explaining the Spectre attack with an analogy: Imagine a bank with safe deposit boxes. Every client has an ID card, and can request the contents of various boxes, which they can then take out of the vault.
The bank is concerned about security. People have to show ID, and can't walk out of the vault with stuff that isn't theirs. However, the vault is enormous, and the clients impatient. There are also many clerks. To speed things up, sometimes the clerks *guess* which boxes you want
To enable this predictive fetching, they don't check whether you need the contents till after they've fetched it. Sometimes these guesses pan out, sometimes not, but nbd. If they bring something you don't need, you can just leave it there.
So here's the bug. The bank's protocol for checking ID, and for making sure you don't walk out with other people's stuff, are both good. However, the security for fetching safe deposit boxes is bad, because it is optimized for speed.
Once your ID checks out, the clerks trust you, just for a moment. If you show ID and ask for one of your boxes, #117254, you'll get it. But if you show ID and ask for #440587, you'll get to see the contents of someone else's box instead.
And you can do this again and again, asking to see the contents of boxes that aren't yours. You can't alter the contents, but you can know what they are. Over many iterations, you can learn the entire contents of the vault.
So the bank is the CPU, your requests are a program, the clerks are processes, and the deposit boxes are memory. A trusted program can ask process to fetch chunks of memory it has no right to. To enable fetching, checks on whether data is valid for a process only come later.
As many people have noted, this is craziest with cloud computing, where your virtual server shares actual hardware with many other users. If you can run Spectre on that hardware (if you can show ID in that bank), you can see data from other users. (Gigs of it, from many users.)
And if someone else runs Spectre on that hardware, of course, they can see your data. This is just fishing. You can't easily target a particular person or firm. But it is *driftnet* fishing -- an industrial-scale attack on large collections of data.
And Spectre is not a trivial side-effect -- high-speed pre-fetching is how substantially all modern CPUs work. spectreattack.com/spectre.pdf
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Clay Shirky
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related threads

Profile picture
🕊GHWB🕊

‘I Love You, Too’: GHWB’s Final Days

GHWB, the 41st president of the US & the father of the 43rd, who steered the nation thro a tumultuous period in 🌎 affairs, died on Friday. He was 94.

His death came less than 8 mos after that of his wife of 73 years, Barbara Bush.
🕊GHWB🕊

Cohen kept Trump apprised of his comms re Trump Tower Moscow, including a “lengthy substantive convo” w/ Peskov personal asst to Putin + other interactions as late of June 2016”

Dmitry Peskov showed some letters sent by Cohen to reporters & read parts of them out loud
🕊GHWB3🕊

CIA Intercepts Underpin Assessment Saudi Crown Prince Targeted Khashoggi.

👉🏼U.S. Probing Whether Malaysian Fugitive Laundered Funds to Pay Chris Christie and Trump Lawyer

👉🏼Jho Low under investigation for alleged embezzlement of $4.5 billion from 1MDB fund
Read 65 tweets
Profile picture
#Bitcoin and fractional reserve banking (FRB). Thread 👇

Ok, this is going to be a controversial one. I've avoided the topic for a long time, but since there are many important experts -- ppl that I truly admire -- discussing the subject, I can no longer ignore it.
1/ Since the @Bakkt announcement, the issue has gained steam, especially through the works of @CaitlinLong_ (who's a real champion of #Bitcoin and liberty btw) and her concerns on WallSt's financialization of crypto. B/c of that, FRB is now inserted frequently into debates.
2/ As a background for laymen, FRB is considered THE BIG CONTENTIOUS & UNRESOLVED DEBATE within adherents of the so-called Austrian School of Economics. Rothbardians tend to think it's fraudulent, inflationary and causes economic cycles. They are the proponents of 100% reserves.
Read 33 tweets
Profile picture
Thread time! Why can't they just quickly patch #meltdown or #spectre and push out another cpu? Why could it possibly take years? Why don't they use AGILE or x/y/z? Lots of reasons:
(note: my goal is not to criticize chip manufacturers - it's to defend the constraints they have)
Let's start with a standard software product many are familiar with and work off that. First, every time you hit 'build' it's called a 'stepping', costs millions of dollars & takes several months. If you want a profitable product, you may only get 10 chances to press 'build'.
On top of that, half those 'builds' are not 'full layer steppings' meaning you can't change any logic gates, just how they're connected. Even with a full layer stepping you can't shuffle stuff around anywhere like you can with library files and whatnot.
Read 15 tweets
Profile picture
Explainer on #Spectre & #Meltdown:

When a processor reaches a conditional branch in code (e.g. an 'if' clause), it tries to predict which branch will be taken before it actually knows the result. It executes that branch ahead of time - a feature called "speculative execution".
The idea is that if it gets the prediction right (which modern processors are quite good at) it'll already have executed the next bit of code by the time the actually-selected branch is known. If it gets it wrong, execution unwinds back and the correct branch is executed instead.
What makes the processor so good at branch prediction is that it stores details about previous branch operations, in what's called the Branch History Buffer (BHB). If a particular branch instruction took path A before, it'll probably take path A again, rather than path B.
Read 28 tweets
Profile picture
Some of you might be hearing about #Spectre and #Meltdown today, which allow memory from other processes and the kernel itself to be read. They exploit CPU designs.

I'm still doing my reading, but a good place to start if you're technically inclined is spectreattack.com
Spectre involves training the CPU to speculatively run invalid code in the victim's address space, and then using a side-channel (such as cache timings) to infer details about the victim's memory.

It affects at least AMD, Intel and ARM CPUs

The sample exploit reads 10KB/s.
Spectre also includes sample code for breaking out of the JavaScript sandbox on chrome.

It's very, very clever.
Read 10 tweets
Profile picture
If you self-identify as pro-urban & anti-NIMBY, why aren't you demanding more public housing? | shelterforce.org/2017/11/02/tim… "The affordable housing field shouldn’t cede the 'increasing the supply of housing' and 'freeing up units through filtering' arguments to the luxury developers"
A lot of YIMBYs are replying to say that of course they support public housing! Surprised but delighted to discover that there are such huge numbers of municipal socialists in the YIMBY ranks
There's obviously a significant difference between "public housing" on the one hand and "affordable housing" or "below market-rate housing" (which many replies have invoked) on the other, but we let's leave that aside for now.
Read 14 tweets

Trending hashtags

#ItsTime #cryptocurrency #PeakTV #45DaysOfElvisCostello #ThiefTP #China #blockofwood #Hitman #NutShellReport #Spectre #Qatar #Meltdown #SPECTRE #AccidentsWillHappen #bots #PAM #twinpeakstunnel #RecordStoreDay2019 #PHOENCIA #Safe #WEF #scobserver #Dishonored2 #day1 #owledition

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!