Meltdown explained like you're five

29,689 views

Jad Joubran

days ago

Learn JavaScript 👉learnjavascrip...
React Tutorial 👉react-tutorial...
Learn Programming 👉 learnprogrammi...
Find out how a typical Meltdown attack works in this video, which simplifies the code and the concept behind it.
Even though there are many prerequisites to explaining how Meltdown works, I've simplified most of the concepts into a 3-minute video.
Subscribe for more videos ► bit.ly/jadjoubran
Icons designed by Freepik, Hadrien & Smashicons from Flaticon

Comments: 45
@JadJoubran
@JadJoubran 4 years ago
Interested in learning JavaScript and/or React? Checkout my interactive online courses: - Learn JavaScript: learnjavascript.online - React Tutorial: react-tutorial.app
@6lindfish
@6lindfish 7 years ago
First explanation out of 10 I've watched where the author actually read the paper! Thank you very much Jad!
@JadJoubran
@JadJoubran 7 years ago
That was the hardest part 😅 I'm glad you like it! I'd appreciate it if you can share it
@mursie100
@mursie100 5 years ago
Again, I have the same problems with this as with your spectre explanation. What do you mean by "character[secret+15]" ??!! If secret is 'p', how are you accessing "element number 'p'+15" in the array ?!!
@alexhaigh9575
@alexhaigh9575 3 years ago
The attacker constructed the character array themselves so there is nothing preventing them from accessing it. The attacker doesn't need to access the original data set directly. The character array they created themselves is used to infer the value they attempted to access from the protected data set.
@AnPham-uz3td
@AnPham-uz3td 3 years ago
@@alexhaigh9575 you did not answer his question
@alexhaigh9575
@alexhaigh9575 3 years ago
@@AnPham-uz3td I did, but to break it down further for you: you access "array[p+15]" by iterating the array. As you created the array yourself, it is not protected, so you can loop over it and access all the values.
@35sherminator
@35sherminator 2 years ago
Yes, I believe that's a typo. It should be characters[15]. The idea is to guess the secret value already present in cache. When accessing all elements in the characters array, some element character[i] will have a lesser time because of already being present in cache and this is exactly the secret value (since the secret value was present in the cache to begin with). I could be wrong but this is what I got.
@noahwolff2268
@noahwolff2268 1 year ago
You’re about to save me on my CSE 325 final 😂
@kissu_io
@kissu_io 7 years ago
Didn't understand the difference with the Spectre 👻 one, seems to be pretty much the same. It's just because it's in another program?
@JadJoubran
@JadJoubran 7 years ago
They are very similar, however Spectre takes advantage of speculative execution in branch prediction (when there's an if) whereas meltdown takes advantage of out-of-order execution (multiple lines of code that are running more or less at the same time)
@kissu_io
@kissu_io 7 years ago
Jad Joubran oh 👌, thanks! Btw, is there a reason only Meltdown can be patched and not Spectre 👻 (with a patch) ?
@JadJoubran
@JadJoubran 7 years ago
Meltdown is being mitigated by enabling KAISER (en.wikipedia.org/wiki/Kernel_page-table_isolation), which was already developed a few years ago but not fully deployed. Whereas for Spectre it seems that a decent fix would require changes to the CPU itself
@kissu_io
@kissu_io 7 years ago
Jad Joubran thanks for the confirmation. 💪
@miriyalajeevankumar5449
@miriyalajeevankumar5449 6 years ago
It is not shown how out-of-order execution leads to the attack. You used the same template as for Spectre
@jimmymoore5210
@jimmymoore5210 7 months ago
Great video! Your example at 2:52 is close but incorrect. The CPU would raise an exception trying to convert the virtual memory address associated with `readCharacter(1000)` as the permission bit would indicate that it is trying to access restricted memory so secret is never cached like you state in the video. Instead what would be correct is if you speculatively execute some array access after like `probe_array[4096 * secret]` (Assuming 4096 byte pages) which would then correctly cache the data associated with that array. There are other reasons for indexing into an array which deal with the hardware prefetcher caching adjacent lines of memory if they are not spread out enough. Then you can go through `probe_array` with flush+reload and look for the page access with the fastest time. I do think your explanation provides utility to those that haven't read the paper however because it demonstrates the concept of the cache as a side channel used in the attack and the attack mentioned in the paper can be hard to wrap your head around the first time you read through. Well done on this video!
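The comment above explains why the probe array is indexed with a page-sized stride and read back with flush+reload. The following is an added toy model (not code from the video or from any commenter): the "cache" is a Python set, no real memory or timing is involved, and the line size, page size and hit/miss costs are assumed constants. It shows only why the stride matters for telling byte values apart.

```python
# Added example: a toy model of the cache side channel discussed above.
# Nothing here touches real memory or timing; the "cache" is a Python set.
LINE = 64              # assumed cache-line size in bytes
PAGE = 4096            # page-sized stride from the comment above
FAST, SLOW = 50, 300   # constructed "cycle" costs for a hit / a miss

def transient_touch(cache, secret, stride):
    """Model the transient load probe_array[stride * secret]: it leaves a
    cache-line footprint even though the faulting load is never retired."""
    cache.add((stride * secret) // LINE)

def flush_reload(cache, stride):
    """Model flush+reload: one probe per possible byte value; a line that is
    in the cache reads FAST, everything else reads SLOW."""
    return [FAST if (stride * v) // LINE in cache else SLOW for v in range(256)]

def recover(secret, stride):
    """Return the set of byte values the channel cannot distinguish from
    `secret` for this stride (a singleton when the stride isolates lines)."""
    cache = set()      # flushed: nothing of the probe array is cached
    transient_touch(cache, secret, stride)
    timings = flush_reload(cache, stride)
    best = min(timings)
    return {v for v, t in enumerate(timings) if t == best}

if __name__ == "__main__":
    secret = ord("p")  # constructed secret byte, 112
    print("stride 4096 ->", recover(secret, PAGE))  # one candidate
    print("stride 1    ->", recover(secret, 1))     # 64 values share a line
```

With a stride of 1 byte every value in the same 64-byte line looks identical, which is why the comment indexes by page (and why prefetching of neighbouring lines, not modelled here, pushes the stride up further).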
@xfaon
@xfaon 2 months ago
Yeah, I was gonna say, because the error you'd get is a page fault, which is pretty useless, and you also don't get access to page table mappings because first you don't need it and secondly it's a security risk
@abuyoyo31
@abuyoyo31 7 years ago
Thanks for the effort and simplification. However: (1) it is actually Spectre that can read another process memory while Meltdown can't - and not vice versa. Meltdown is the easier exploit, mitigated by KAISER. (2) chars[secret+15] being read fast does *not* mean that secret==15. Perhaps you meant to write just chars[15]?
@JadJoubran
@JadJoubran 7 years ago
Thanks Ofek! (1) According to spectreattack.com/spectre.pdf Spectre can only read from the current process. For example Javascript that is being compiled JIT can escape its sandbox mode and read data from the current process. Whereas meltdown allows to read data from other processes (meltdownattack.com/meltdown.pdf) (2) correct, this is an over-simplification for measuring access time when probing the whole array (i.imgur.com/2nJ0IV2.png)
@abuyoyo31
@abuyoyo31 7 years ago
Jad Joubran The javascript example is the least interesting in the paper. Cf section 5 for the cross-process technique - specifically the section on windows implementation example (that ends with 'The completed attack allows the reading of memory from the victim process.'). Also pls read on the KAISER patch, which already pretty much mitigated meltdown in linux.
@JadJoubran
@JadJoubran 7 years ago
Yes indeed, the KAISER patch which was recently deployed helped mitigate the issue on Linux
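The two replies above refer to the KAISER patch, mainlined in Linux as kernel page-table isolation (PTI). As an added example that is not from the video or from any commenter, this script reads the kernel's own report of the Meltdown mitigation status from sysfs and the `pti` CPU flag from /proc/cpuinfo; the parsing works on constructed sample text, so it can be exercised on a host without those files.

```python
# Added example: defender-side check of the kernel's reported Meltdown
# mitigation (KPTI, the mainlined form of KAISER) on Linux.
import re

# Real paths; the sysfs file exists on Linux kernels from 4.15 onward.
SYSFS_MELTDOWN = "/sys/devices/system/cpu/vulnerabilities/meltdown"
CPUINFO = "/proc/cpuinfo"

def classify_meltdown(sysfs_text):
    """Map the sysfs text to: mitigated, vulnerable, not_affected or unknown."""
    text = sysfs_text.strip()
    if text.startswith("Mitigation:"):     # e.g. "Mitigation: PTI"
        return "mitigated"
    if text == "Vulnerable":
        return "vulnerable"
    if text == "Not affected":
        return "not_affected"
    return "unknown"

def pti_active(cpuinfo_text):
    """True when 'pti' is listed in the first 'flags' line of /proc/cpuinfo."""
    m = re.search(r"^flags\s*:\s*(.*)$", cpuinfo_text, re.M)
    return bool(m) and "pti" in m.group(1).split()

def read_or_sample(path, sample):
    """Read a real file, or fall back to constructed sample text."""
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return sample

if __name__ == "__main__":
    # Constructed samples used when the sysfs/procfs files are absent.
    sysfs = read_or_sample(SYSFS_MELTDOWN, "Mitigation: PTI\n")
    cpuinfo = read_or_sample(CPUINFO, "flags\t\t: fpu vme de pti\n")
    print("meltdown:", classify_meltdown(sysfs), "| pti flag:", pti_active(cpuinfo))
```

A host reporting "Vulnerable", or "Mitigation" without the `pti` flag, is where to look first when auditing older kernels.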
@abuyoyo31
@abuyoyo31 7 years ago
Jad Joubran Spectre will not have a patch in the near future (retpoline is a promising idea, but it is at the compiler level). Spectre is by far the worse one.
@samiramirbagher2146
@samiramirbagher2146 4 years ago
Why can Spectre only access within the same program while Meltdown works between different programs?
@baldbadger7644
@baldbadger7644 2 years ago
To the best of my understanding, the main difference between Spectre and Meltdown is that Spectre exploits mis-trained branch-predictor, and meltdown exploits seg fault. Is this roughly correct? (Context: I think I understand Spectre really well, but I don't get how meltdown differs from Spectre)
@kuldeepsharma7499
@kuldeepsharma7499 4 years ago
Underrated YouTuber, you are great, subbed!
@minghuichow574
@minghuichow574 6 years ago
Hi Jad, from my understanding, there isn't any use of transient instructions in the video, am I right? Or perhaps do you mean that the probing of the characters[secret] is done simultaneously as secret = readCharacter(1000)? (which does not seem right to me)
@JadJoubran
@JadJoubran 6 years ago
Yes indeed, probing the array happens as a transient instruction right before the CPU realizes that this is a segmentation fault and that the current program doesn't have access to that secret value
@retpolanne
@retpolanne 4 years ago
Holy crap, I've been reading the paper for a while and I still haven't understood how did they exfiltrate data from the cache. Now I do, thanks!
@victorzedwings
@victorzedwings 6 years ago
I never send diagnostics data to developer )))
@mehd-q1w
@mehd-q1w 2 months ago
I still can't get the difference between Spectre and Meltdown
@a2zuser1
@a2zuser1 5 years ago
Very helpful. Question to you on the Meltdown attack. Say the attacker has 2 lines of code. Line 1 raises an exception while reading restricted memory. This exception stores secret data into the CPU cache. Line 2 tries to guess the secret data in the CPU cache. The CPU will raise an exception at line 1 and continue to execute line 2 due to out-of-order execution. Is it right that the attacker guesses the cache data by executing line 2?
@martindunn439
@martindunn439 7 years ago
Very well explained and easy to understand!
@JadJoubran
@JadJoubran 7 years ago
I'm glad you like it :D
@Microcontrollerslab
@Microcontrollerslab 5 years ago
Why did you remove my comment without even answering my question?
@dudewhoisnotfunny
@dudewhoisnotfunny 7 years ago
Amazing video: quick, informative and to the point.
@JadJoubran
@JadJoubran 7 years ago
I'm glad that you like it! I also always love it when videos are concise
@Goonzilla1102
@Goonzilla1102 2 years ago
very helpful, appreciated
@tcdoe
@tcdoe 7 years ago
Nicely done, subscribed.
@JadJoubran
@JadJoubran 7 years ago
Awesome! I'm glad you like it :D
@jd-foo
@jd-foo 6 years ago
Can you now explain like I'm three?
@lightning_4480
@lightning_4480 5 years ago
Thank you very much !!
@kaytube2542
@kaytube2542 6 years ago
Thank you :)
@JadJoubran
@JadJoubran 6 years ago
My pleasure 😃
@JoaquitoG
@JoaquitoG 5 years ago
Masterpiece