7. Speculative Execution
● Coffee shop analogy for easy understanding.
● Why?
○ Instructions which require reading from memory take longer. CPU idle time is a waste of resources,
speculative execution is the solution.
8. Branch predictors
● Use fancy algorithms to predict which condition might be met.
● Speculatively execute the branch that is predicted.
● What happens when the prediction turns out to be true?
● And what happens when the prediction is wrong?
● P.S: Branch predictors are often over 99% accurate at guessing.
9.
10. User Space vs Kernel Space
● Kernel space & user space are segregations of the virtual memory.
● Each process is given virtual memory which is divided into kernel & user space.
● The user space region contains data, code, stack, heap of the process.
● The kernel-space contains things such as the page table for the process, kernel
data structures and kernel code, etc.
● To run kernel space code, control must shift to kernel mode(using 0x80 software
interrupt for system calls) & kernel stack is basically shared among all processes
currently executing in kernel space.
12. Spectre: Variant 1(CVE-2017-5753)
● Bounds check bypass.
● The instructions after a conditional branch are speculatively executed as the result
of a misprediction.
13.
14.
15.
16.
17.
18. Spectre: Variant 2(CVE-2017-5715)
● Branch target injection
● The CPU executes instructions at a location determined by a mispredicted branch
target.
21. Meltdown: Variant 3(CVE-2017-5754)
● Rogue data cache load, memory access permission check performed after kernel
memory is read.
● It leverages out-of-order execution capabilities in modern CPUs.
● Vulnerable CPUs allow memory reads in out-of-order instruction execution, and
also contain a race condition between the raising of exceptions and the
out-of-order instruction execution.
22.
23.
24.
25.
26.
27. Countermeasures
● Spectre (Variant 1):
○ Compiler patches.
○ Use barriers (LFENCE instruction) to prevent speculation for x86 - Sequential instructions.
○ Static analysis to identify locations where attackers can control speculation.
● Spectre (Variant 2):
○ Separate BTBs(Branch Target Buffers) for each process in the Branch predictor unit.
○ Prevent BTBs across SMT(Simultaneous MultiThreading) threads.
29. FAQ’s
● Can I detect if someone has exploited Meltdown or Spectre against me?
● Can my antivirus detect or block this attack?
● Is there a workaround/fix?
● Why is it called Meltdown?
● Why is it called Spectre?
● Can I see Meltdown in action? Check this
30. References
● A 3 minute video explaining speculative execution. Link
● Meltdown paper. Link
● Spectre paper. Link
● Redhat documentation. Link
● Meltdown and spectre official website. Link
● IIT-M course by Chester Robeiro: Link
● Report by CMU: Link
● Miscellaneous: Link1, Link2, Link3, Link4