Best Analogy I've seen is as follows: "Imagine that you (i.e. a malicious process) want to know whether someone (i.e. a victim process) has checked out a particular library book. The library (i.e. the CPU) refuses to give you access to their records and does not keep a slip inside the front cover. You can only see the record of which books you have checked out. What you do is follow the person of interest into the library whenever they return a book. You then ask the librarian for a copy of the books you want to know whether the person has checked out. If the librarian looks down and says "You are in luck, I have a copy right here!" then you know the person had checked out that book. If the librarian has to go look in the stacks and comes back 5 minutes later with the book, you know that the person didn't check out that book (this time). The way to make the library secure against this kind of attack is to require that all books be reshelved before they can be lent out again, unless the current borrower is requesting an extension. There are many other ways to use the behavior of the librarian and the time it takes to retrieve a book to figure out which books a person is reading." Not mine, don't know original source.

The real scandal is that Intel was notified about this over 6 months ago and their CEO dumped millions in stock before announcing this exploit.

Summary of the exploit: "Cache me outside... how bout dat?"

Thanks for getting a video out on this so quickly and pretending not to panic for the camera. Can we see the cut shots where Dr Bagley is shouting "WE'RE ALL DOOMED" and Brady is talking him down from the window ledge.

replace cpu? with what, a rock?

Interesting to note that all Raspberry Pi versions are invulnerable because their ARM chips either don't implement speculative branch evaluation (just branch prediction) or they don't implement it in a way that leaves traces in the cache.

"Replace CPU hardware" *Straight face* Laughed out loud

So this is extremely low-level and thus hard for my high-level programmer brain to fully grasp, but let me see if I got this straight: if the bounds of a loop are stored in memory, the CPU will try to optimize by running the code in the loop first while waiting for the bounds to be retrieved; if the bounds turn out to be such that the loop shouldn't have been run, the result of the code is discarded. But when a value is taken from memory and used as an array index, those values are cached to speed up future reads, and the cache is not cleared during that "memory undo" process. So if you try to access a memory location you shouldn't be able to inside a loop that "technically" terminates before that point, the access will still happen. And if you use that value as the index of an array you do have access to, it will be cached. At that point, the indexes of your valid array which are cached represent the values of the bytes you tried to access (the iterations of the loop beyond the slow-to-retrieve maximum bounds), so by timing how long it takes to retrieve those array entries, you can determine the values of the unauthorized bytes by interpreting the indexes of the fastest-loading array entries. Is that correct?

What infuriates me is that the majority of the headlines are about the slowdown, and not about the vulnerability itself -.-

It looks like AMD hardware is only vulnerable to one of the three variants: the bounds check bypass. Some reports argue that this could be fixed by allowing the OS and the application code to disable speculative execution in certain circumstances. As I understand it the boundary check bypass only allows to exfiltrate data from the same process with the branch target injection being able to reach another process and the meltdown making vulnerable even the kernel. Intel and ARM hardware are afflicted by all three.

I knew you’d post a video about it quickly! This is why I’m a happy subscriber

Literally checked this channel for this last night! You guys are awesome! Keep up the great work!

That was fast, I thought it would take you a week or so to discuss it.

Finally someone with knowledge of computer engineering addresses the issue and also points that Meltdown affects Intel specifically.

This is the best analogy I could come up with for how Spectre works: Imagine you want to know the genre of book a particular person has checked out of the library. However, the library has strict privacy policies, and refuses to give you access to their records, only your own. What you do is reserve a book from every genre that the library carries, and then ask the librarian for the book you reserved of the same genre as the victim's book. The librarian, to save time, immediately begins fulfilling this request, even bringing said book up to the front desk, before finally realizing that the request itself breaches library privacy, and so refuses to return the book to you. Seems like you're out of luck, you don't know the genre of your reserved book behind the desk, so you haven't learned the genre of the victim's book. However, you now begin to request from the librarian every book you reserved one by one. Since these reserved books are properly a part of your records, the librarian happily obliges. For each book you note the librarian takes time to retrieve the book from inside the library, until one suspicious book is requested, which the librarian immediately hands you from behind the desk. That one suspicious book of course is the book requested from earlier, so with it identified and in your possession, you have successfully learned the genre of your victim's book. Now imagine repeating this process multiple times on the same victim using other qualities besides genre: like author, publisher, and so on. Each quality you learn about your victim's book allows you narrow down to the particular book your victim has checked out. Eventually, you will know for certain the identity of your victim's book, all by exploiting your hard working and naive librarian.

It would be awsome if you could make more in depth videos, not only on this topic, maybe including the code explanation

Fantastic job explaining these exploits! Probably the cleanest and to-the-point description I've seen on KZbin so far. You know you're doing good when your viewers can use you as a security news source. 😉

Great video. Can always count on Computerphile to provide a detailed yet concise explanation which is easy to understand

Wait! Are you saying my 486DX is unaffected by this? PHEW! And there I was, thinking I would need to upgrade my CPU.

Great explanation, thanks!

Somehow Scott Manley, the guy who plays Kerbal Space Program, had a much clearer and more detailed explanation that the Computerphile channel.

After the end of Moore's Law, it turns out there's no such thing as a free lunch.

James Bond asks his mate "Mr CPU" to go wait for him at a bar. The Criminal Mastermind named "Meltdown" goes into the bar and says "I have a drink for Mr Bond here, anyone want it?" All in the bar take a while, looking around and asking "are you James Bond?", but Mr CPU instantly answers "No, he is not here", then James bond walks in...

"Meltdown" (aka "Variant 3") is an Intel issue. Yes, Intel very much wants to confuse the matter, but make no mistake, that's their fuckup. (**see comments)

6:55 is when any details Beyond a typical layperson news article start

Excellent video. Very informative and interesting. I just knew Computerphile would cover this.

This glosses over the most interesting part. :) The covert channel is timing how long it takes to read something, which is affected by what is in cache. Speculative execution can change what is cached and so allows the covert channel to exist, in combination with branch prediction making the wrong prediction. The branch prediction can be trained in a few ways, one of which involves the realization that the branching decision is remembered not by instruction location but by only some low bits of the branching instruction. The neat part is that the speculative execution can include a second lookup based on the first value fetched. Multiplication by the cache line size (the size of the chunk of memory that will be read when it is loaded in to cache), and then using that as a second lookup offset, fetches a unique cache line for each original value. This is the trick that allows the original data to be read (by then timing the reads of each possible offset).

Always look forward to watching Computerfile's break down of the newest and greatest security vunribility. Another great video guys! PS: from what I have gathered, it's a vunribility where all the correct things have to be under the exact right circumstances for it to occur. I have yet to see any real real-world examples or instances where this attack has or can be used besides some whitepaper's example code. In other words, I'm not phased by this nor do I care about the risks it brings.

It's not easy to explain such a thing without going into details too deeply, yet staying meaningful. I think made a great job, as always, here in computerphile. (The cache access time could have been a bit more emphasized, though.) But PLEASE, PLEASE USE A TRIPOD! It would be such a quality leap for these videos!

Would you be able to get information from another virtual server if they both lived on the same host?

Great video! As I understand Meltdown affects Intel CPUs specifically and is currently being patched in all OSes. Question: will the patch itself affect the speed of other CPUs, or are they written to come into effect only on Intel systems? Are we better off with AMD for brand new systems until updated hardware comes out?

Wow, very fast content reaction to current "Computerphile" topics. Great! By the way: does CERT list hardware which is considered "secure" in terms of Spectre and Meltdown?

soo.. would it be possible to get ahold of the test code shown in the video? i'd like to compile and see for myself.

Could we get the source code for that program that exploits itself? I’m really interested to see how it works myself.

All your systems are belong to us.

What I find surprising about this is that it took this long to discover this flaw. I don’t know much programming, though I do know some, and even less about implementations details and hacks like this. But even I know that CPUs have implemented speculative execution for a long time now. The methods described here seem to me pretty amazingly simple. It surprises me that no one thought of trying to exploit this before now!

Finally, a tech channel for serious IT people! This is my new goto source for serious vulnerbilities and game-changing tech.

Thank you! Have been wondering how this actually worked, media have been pretty universally poor in how they're covering this (as usual). Then again it's pretty difficult to explain to the layman apparently, I'm not far from that but I think I just about get it. Does the 'patch' simply hinder speculative evaluation?

Thanks for this interresting and easy-to-understand explanation of the exploit. However, one thing remains unclear to me: This is a bug in the hardware, so how can it be patched in the OS?

Question: Since most computers from atleast the early 90s - present have this flaw with the new security issue, would it be possible (if having an old development unit for a videogame system or something (say N64) or a dev cartridge) would it be theoretically possible with the right tools (and the Meltdown/Spectre flaws) to obtain source code/ documentation on videogames in which the source code was thought to be locked down under the aformentioned cartridge/cpu ?

Could older CPU technology be (more) advantageous when dealing with this "threat", or is it a generation gap exploit?

Reminds me of that Computerphile video about the exploit of cache memory byway of specific SQL queries.

So, the way to solve this would be to throw out cache lines that were read in by speculatively executed code, right? Does the branch predictor set any flags that could be used as a trigger for an interrupt handling such a thing? So long as you are not using a real-time operating system the slight delay should be virtually undetectable. If the CPU had to be redesigned, the branch predictor may simply need his own dedicated cache lines for backup storage.

I seen this coming from the moment I began experimenting with parallel programming techniques. Having developed a lot of creative uses of Semaphores to get around the pitfalls of out of order execution, I will be incredibly happy when we start to see processors that don't pretend to know better than the programmer what order their instructions should be executed. I should never have to suspect memory barriers I drop into my code aren't actually doing anything but you would be surprised just how often modern processors completely ignore their presence.

It has been over three years now, do you know which, if any CPUs have "fixed" this problem?

how much back does this go? is the whole intel icore line affected from first generation onward?

A big thumbs up! BTW, could you please add subtitle functionality in the videos?

Best under fiveteen minutes video on that topic i have seen do far

Is the out of order execution order determined by hardware? It sounds like a software kind of thing to calculate that. And if that is solved then the security checks will be done in time.

So new cpu will fix it? what about other components? Does it mean that all parts will be warrantable in the future?

Yeah just let me crack open my iMac and replace the CPU that should be pretty easy

Could the CPU architecture be programmed so that coders have more control over what is loaded into cache? I mean indexing in cache is useful but could we have say a keyword in languages that says "this data shouldn't be cached". Maybe somewhere in memory would be reserved specifically for types of important data that should never be cached? I know it would cause performance issues if this was frequently used but is this a sort of viable solution (I realise regular RAM access is waaay slower than even L3 cache)

@2:30 - In what universe is "running slightly slower" a "significant impact"?

Is there a way to disable the cache entirely in modern CPUs? Perhaps from the BIOS? That might be a temporary fix, despite the massive slowdown it may cause

Very timely. Good job. :)

Good high-level explanation, I encourage people interested to read the papers published and do some research about branch prediction. For starters, Tomasulo's algorithm was one of the first OOO execution designs that many processors are still based off of. It's old, so it's easier to comprehend then today's massively complicated schemes, but will still give you a taste of what happens at the h/w level.

"Replace CPU-" *quickly pauses, heart sinks, sense of impending doom looms over me* Please god no...

I was hoping you would make a video on this!

I'm glad someone finally addressed this.

10:15 So does "array 1 [x]" gets stored in cache or "array 2 [array 1 [x] * 512]"?

Thanks for the explanation.

Very good explanation, thanks guys!

I understand how you can read the prefetched piece of memory that exceeds the array size check, but a prefetcher doesn't prefetch the entire memory. How is it that you can read everything instead of just the first bits after the end of your own program space?

I just have one question...so is the University of Nottingham still using dot matrix printers? I see a lot of continuous stationary on both Computerphile and Numberphile.

Very informative and technical. Just what the doctor ordered. 10/10

Do you mean the hardware architecture of the MPU? or the microcode? ...or both?

Thank you!

Who is going to make the replacement CPU, where do I request one and who will pay for the cost of the replacement?

Can we get the Dr. Steve's code? It would be very nice to have this example :)

From the "Cloud Perspective", the dom0 (hypervisor), could squash these instruction set requests from domX to prevent flaws... just a thought.

I followed everything up to getting the data out of the cache... How do you get the data once it is in the cache? It could be anywhere in the cache especially once you go far beyond the array end. Even if you knew the exact cache line, how would you retrieve it in user mode anyway?

Timely

the one thing i dont really get is, why it is an hardware issue. I mean how can speculative branch evaluation, or rather the logic behind it be implemented in hardware. Or is it?

speculative evaluation computation, is it kinda like preload on old ubuntu 12?

Do you have a link to the program somewhere?

and the timing can be measured fast accurately enough to find out whether or not something is in cache? Or is the attack done multiple times and then the timing averaged?

Anyone have a link to the code Steve is walking through?

I like how; while under development, the patch that was applied by Linux devs was given the name "Forcefully Unmap Complete Kernel With Interrupt Trampolines", it was changed for the actual release of the patch because of the same reason as why I like the name... spell out the first letter of each word xD

so how would this impact major security like fb1 and C1A.....??

Best computer science channel on KZbin! 🤓👍

where is that code you ran on your computer?

Is this severe enough for sandboxed instances to be able to access resources it shouldn't? To me it seems to be possible for the vulnerability to grant access to code outside of that sandboxed state. If so, this would be a very bad issue indeed.

Could you do a video on the possibility that ARM architecture replaces x86 arhitecture. Microsoft recently launched Windows 10 for the Arm architecture, with an "highly efficient" x86 emulator.

I can see how speculative evaluation can get the data to cache, but how does the data in the cache get ex-filtrated?

where was that test code available from?

Raspberry Pi's blog did an awesome job explaining this. (Mainly because they actually showed (pseudo-)code)

What VSCode skin is that? Looks really nice.

I've been reading very mixed opinions on the likely effect on Intel CPU performance. I'd love to hear a detailed and unbiased explanation of this. Also, does this mean consumers should avoid buying new computers until the next generation of redesigned CPUs?

Great explanation many thanks

The science behind the exploits is very interesting.

Does anyone know what text editor he's using?

what is that editor you are using? looks like vi but it isn't

One question, though: how does the malware/hacker know what it/he/she's looking at? -ok, things can be pulled out of memory at the CPU level, but as far as I understand it, it's another three levels (kernel, API and application) before that data is human readable and in context. Good luck figuring out I'm watching a Heartstone commercial on KZbin. Also... execution speed seems quite slow, won't locations be overwritten with something else before the program has run it's cycle, further complicating matters?

Surely it shouldn't execute a copy from array1 to array2 unless the instruction was from the same program?

Some CPUs (Intel?) allow for a microcode update - wonder if that would be a way...

what computer software was he using for the code? it looked like sublime text, but not the one I'm using

Great video!

wait... how can I read a cache-line of another process??? - or is it only inside own process, so it can access that cache-line? then why can I not access it regardless of whether someone else cached it or not?

And to make it clear, the Meltdown bug, which has the highest likelihood of speed degradation, does not effect AMD CPUs.

is this like a stack overflow error from back in the day?