Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Meltdown and Spectre in 10 mins

Meltdown and Spectre in 10 mins

A simplified explanation of how these attacks work along with some advice on staying safe.

Stephen Best

January 11, 2018
Tweet

More Decks by Stephen Best

Other Decks in Technology

Transcript

  1. @thebestie // Karnov Group 2018 Coolest thing ever to happen

    to CPU nerds Best logos associated with a crisis Affect pretty much everyone Worst computer vulnerabilities possibly ever
  2. @thebestie // Karnov Group 2018 Allows unprivileged programs to read

    the entire systems memory Meltdown ‘Melts’ existing memory isolation boundaries Virtual Machines are not safe! AWS, Google Cloud and Azure
  3. @thebestie // Karnov Group 2018 More limited in scope Spectre

    More complicated, tricky to do, difficult to prevent JavaScript proof of concept can read your entire browser’s memory
  4. @thebestie // Karnov Group 2018 What’s at risk? Spectre Your

    cookies and active sessions Entire Gmail inbox Social media accounts PayPal Banks
  5. @thebestie // Karnov Group 2018 Update your operating system What

    can I do? Update your browsers Turn on ‘Strict site isolation’ in Chrome Close some tabs and log out
  6. 1 x = get_some_legal_data(); 2 y = get_some_illegal_data(); 3 do_something_with_value(y);

    @thebestie // Karnov Group 2018 This is slow, while the CPU waits it executes 2
  7. 1 x = get_some_legal_data(); 2 y = get_some_illegal_data(); 3 do_something_with_value(y);

    @thebestie // Karnov Group 2018 This is illegal but the CPU doesn’t know it yet
  8. 1 x = get_some_legal_data(); 2 y = get_some_illegal_data(); 3 do_something_with_value(y);

    @thebestie // Karnov Group 2018 This is where the magic happens
  9. @thebestie // Karnov Group 2018 0 1 2 3 4

    5 6 7 9 10 This is an array I made earlier, I can read/write
  10. @thebestie // Karnov Group 2018 0 1 2 3 4

    5 6 7 9 10 1 1 x = get_some_legal_data(); 2 y = get_some_illegal_data(); 3 my_array[y] = 1; Looks like y was 7
  11. @thebestie // Karnov Group 2018 0 1 2 3 4

    5 6 7 9 10 But that was illegal An exception was raised State is rolled back
  12. @thebestie // Karnov Group 2018 0 1 2 3 4

    5 6 7 9 10 Something was left over . . . When iterating something strange happens
  13. @thebestie // Karnov Group 2018 0 1 2 3 4

    5 6 7 9 10 Something was left over . . . When iterating something strange happens
  14. @thebestie // Karnov Group 2018 0 1 2 3 4

    5 6 7 9 10 Something was left over . . . When iterating something strange happens
  15. @thebestie // Karnov Group 2018 0 1 2 3 4

    5 6 7 9 10 The CPU has cached the value of 7 The data is returned much faster