Friday, January 5, 2018

A simplified explanation of "Spectre" and "Meltdown" security exploits

Let's talk about what programming is at a high level: it is a specific set of instructions a computer must follow in order to complete a task. For my example I will use baking a cake:
  1. Check recipe for ingredients
  2. Inventory kitchen for ingredients
  3. If you do not have all ingredients go to the store
    1. Get in car
    2. Arrive at store
    3. Buy missing ingredients
    4. Travel home
  4. If you have ingredients begin preparation
    1. Combine dry matter and eggs
    2. Stir ingredients
    3. If the oven is off
      1. Turn on oven to desired temperature
      2. Wait for 15 minutes
    4. Place ingredients in pan
    5. Place pan in oven
    6. Bake for 30 minutes
  5. Remove cake
  6. Enjoy cake

Normal execution mode

Modern processors have many cores (cooks). Think of these cores as miniature processors that can each do their own task; in our example, a core would represent a second cook in the kitchen.

In order to speed up the execution of requested tasks, modern processors begin the execution of multiple steps of work at a time. Often the work they begin processing is part of a logical conditional statement (IF this THEN do something). They sometimes get the prediction of the logic statement correct (speculatively), and this will speed up the overall execution time of the task.

In our example it would be similar to having two cooks in the kitchen. At the beginning of the task, we would proactively dispatch one of the cooks to the store, in a prediction that we will need ingredients to bake our cake. This would happen in parallel to the first cook beginning to check the recipe. The assumption (speculation) is that if we arrive at the conclusion we are missing eggs, we have already begun work on fetching the eggs, so we can get to the step of combining ingredients faster. If the cook whose job it is to check inventory arrives at the conclusion that we have all of the required ingredients, we tell the second cook who is headed to the store to undo his effort of acquiring supplies (return items to the shelf, get back in the car, drive back home). This is called a roll back.

Speculative execution mode

Modern processors are designed to pre-process various steps of conditional statements in an effort to improve the overall performance of a computer. In order to more accurately predict which decision path they will need to start working on, modern processors keep various types of local memory about prior decisions, and make this prediction via their local cache and BHB (Branch History Buffer). If you were missing ingredients the last time you baked a cake, they will predict that this time you will also be missing ingredients and take the necessary steps to remedy this ahead of time.

Like all fortune tellers, they don't always get this prediction correct and will need to roll back, or undo, their proactive work. In our example they would recall the cook who was dispatched to the store, but they do not purge from their memory the prior list of ingredients from the last time you tried to bake a cake. Removal of this prior memory would negatively impact the performance of the system, and as such the prior decision/memory persists in the system.

The current security vulnerability takes advantage of the CPU's prior memory state: it allows an attacker to read this data. If the prior state was something like a login session, it could allow an attacker to obtain privileged information such as a security token or password by accessing this memory, which in our example is tracking the current inventory of the kitchen. There is a second level to this attack, where the attacker can prime the conditional statement with nefarious code and force the CPU to execute this code out of order to take over the system, but this concept is beyond the scope of a high-level summary. Just know this is where things get dark and dirty quick.

Many people have asked if we (the security community) believe this exploit has been known by groups such as the NSA/CIA/FBI. To our knowledge it was not, as this exploit is rooted in the base hardware of the processor and negatively impacts their systems as well. Due to it being a hardware bug, it is exceptionally difficult to patch and control. We strongly feel it would have been reported to Intel if discovered.

I hope this explanation helps a few of my non-technical friends to understand the reasons why this bug is so serious, as the only true fix is a redesign/replacement of your computer's CPU (brain chip). In the meantime, major operating system vendors (Apple, Linux Community, and Microsoft) are working on software patches that will limit the scope of this bug/vulnerability. Unfortunately, the fix will have to disable a key feature that was designed to boost the performance of modern processors, and as such it will have a negative impact on all systems that are vulnerable to this attack. Early estimates indicate that the patch for this vulnerability could slow down all computers vulnerable to this attack by 30%. Imagine if your processing task (computer vision/perception/AI) utilized 95% of your system's performance... yup, oooops.
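The leftover-memory behaviour described above, and the effect of switching speculation off, shown as a toy simulation in Python. This is an added example, not part of the original post: `ToyCPU`, `guarded_read`, the `index < limit` check and the sample values are assumptions made for illustration, and the set called `cache` only stands in for a real CPU cache.

```python
# Toy model, constructed for illustration; it does not touch real hardware or timing.
class ToyCPU:
    def __init__(self, memory, limit, speculate=True):
        self.memory = memory            # every value the chip can physically reach
        self.limit = limit              # the program may only read indexes below this
        self.speculate = speculate      # False models the feature being disabled
        self.predict_allowed = True     # branch history: outcome of the last check
        self.visible = None             # state the program is allowed to see
        self.cache = set()              # values recently touched, never rolled back

    def guarded_read(self, index):
        """Models: IF index < limit THEN visible = memory[index]."""
        saved = self.visible
        started_early = self.speculate and self.predict_allowed
        if started_early:               # work begins before the check finishes
            self.visible = self.memory[index]
            self.cache.add(self.memory[index])
        allowed = index < self.limit    # the check finally resolves
        if allowed and not started_early:
            self.visible = self.memory[index]
            self.cache.add(self.memory[index])
        if started_early and not allowed:
            self.visible = saved        # roll back: visible state is restored...
            # ...but self.cache is left alone, as the post describes
        self.predict_allowed = allowed  # remember this outcome for next time
        return self.visible if allowed else None


def residue_after_denied_read(speculate):
    """Return (answer, visible state, cache contents) after a rejected read."""
    memory = [10, 20, 30, 99]           # constructed: index 3 holds the protected value
    cpu = ToyCPU(memory, limit=3, speculate=speculate)
    cpu.guarded_read(0)                 # a permitted read trains the predictor
    cpu.cache.clear()                   # start observing from an empty cache
    answer = cpu.guarded_read(3)        # rejected by the check
    return answer, cpu.visible, sorted(cpu.cache)


if __name__ == "__main__":
    print("speculation on :", residue_after_denied_read(True))
    print("speculation off:", residue_after_denied_read(False))
```

In both runs the rejected read returns nothing and the visible state is unchanged; only with speculation on does the protected value remain in the cache, which is the residue the patches remove at the cost of the early start.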

Big hats off to the team at Google's Project Zero for the discovery of this critical bug.