Spectre attack explained like you're five

  Рет қаралды 43,612

Jad Joubran

Jad Joubran

Күн бұрын

Пікірлер: 99
@joshhefner7589
@joshhefner7589 7 жыл бұрын
You did a great job with this. Very clear and concise! I can't wait for your video on MeltDown.
@JadJoubran
@JadJoubran 7 жыл бұрын
Awesome :D That will be my next video!
@AlKhawarizmi2
@AlKhawarizmi2 7 жыл бұрын
This is the best explanation of Spectre that i've seen, thank you :)
@JadJoubran
@JadJoubran 7 жыл бұрын
I'm glad to hear that! Meltdown video coming either on Saturday or Monday 🎬
@Addictivemeh
@Addictivemeh 5 жыл бұрын
Great explanation, I thought I understood the method before but didn't understand how they determined the values from timing. The difference in execution between reading from memory and reading from cache makes so much sense, thanks!
@zairoxs
@zairoxs 5 жыл бұрын
I had seen this video in January when I was just curious about the issue, but I now need to understand it for a school assignment. I spend 5 hours looking at confusing explanations from other people and the whole time I said "if I could only find that one video that actually made sense" Well, I did!! Thank you! This one I understood
@FRZmations
@FRZmations 6 жыл бұрын
Couldn't help but laugh when I saw the final clip of that hacker in a hoodie "hacking". Such an accurate representation I am left speechless
@JadJoubran
@JadJoubran 6 жыл бұрын
haha indeed
@Microcontrollerslab
@Microcontrollerslab 5 жыл бұрын
No process can access memory address outside its memory space because each process has a page table in memory which contains both process space and kernel space. This process can not event access kernel space of its own page table. If it do so, operating system will generate an exception which will surely kill the process so how it is possible to read address of from other unprivileged memory space. If you are taking about reading from process own memory space then what is use of spectre?
@Microcontrollerslab
@Microcontrollerslab 5 жыл бұрын
one more thing memory privileged level are already define and user application has lowest privileged level so how it is possible ? Can you please explain it?
@longle3928
@longle3928 5 жыл бұрын
I think it is because the instruction was speculative. If the code was put outside of the if block then an exception would be generated. But because it is put inside the if block, the hardware silently performed the operation without the OS being aware of it.
@Microcontrollerslab
@Microcontrollerslab 5 жыл бұрын
@@longle3928 yes you are right
@SubinPT
@SubinPT 4 жыл бұрын
You made it super simple. Thank you
@chrisdoe2267
@chrisdoe2267 7 жыл бұрын
+1 for the hacker hoodie
@JadJoubran
@JadJoubran 7 жыл бұрын
I'm wearing one as we speak!
@chrisdoe2267
@chrisdoe2267 7 жыл бұрын
who isn't :p
@JadJoubran
@JadJoubran 7 жыл бұрын
Muggles! Or non-hackers 😂
@a.yashwanth
@a.yashwanth 4 жыл бұрын
If you don't know secret how is it possible to find chars[secret] takes 60ms?
@amirsalararyakia1869
@amirsalararyakia1869 4 жыл бұрын
What is the timing attack he uses to recover 'secret'?
@Goonzilla1102
@Goonzilla1102 2 жыл бұрын
great video, like the heartbleed one which you made. but 1 question comes up to my mind, how can the attacker know the correct precedence of the data in the cpu cache which he wants to read? with your example of "private"" mapped to "1000-1006" how would he know that "p" should be at "1000" and not "r" or "i"? would there still in such a cpu-read from 1000 compared to position 1001 be a microsecond of a difference on how fast the cpu would have read it?
@lowprofile2120
@lowprofile2120 5 жыл бұрын
how are you attacked specifically though? i understand spectre, but in terms of my PC being vulnerable for attack specifically how am i found by the attacker? just by being on the internet?
@theforgot3n1
@theforgot3n1 5 жыл бұрын
Very good question. I'm wondering the same. This implies the attacker has to somehow make the victim run their code on their computer. Maybe a malware can do that.
@superdanyal2009
@superdanyal2009 5 жыл бұрын
It's just precision timing. Most browsers have updated javascript limiting the ability of precise timing making it almost impossible to be attacked through it, it's not completely immune of course. The attack seems complicated but is overall very impractical as a standalone vulnerability (because it's slow, depends on the variant of the spectre as well). Because timing is critical here. However if you're doing cloud computing or a provider it's considered a severe threat. Honestly in real time you are more prone to rowhammer attacks then spectre ones. There's so many other doorways for hackers, hell even microarchitectural data sampling is an exploit for processor's that are specifically hyper threaded. If you're a diligent user on your own, you don't need to worry about it.
@lohphat
@lohphat 7 жыл бұрын
What you didn’t explain was how the cache architecture associates chars[secret] with chars[15]. You also have to explain CPU cache associativity en.m.wikipedia.org/wiki/CPU_cache#Associativity There’s not a one to one map of main memory values in moderns CPUs. If two different memory addresses contain the same value then the cache index points to the same cache entry. That’s how the exploit works. This sharing of values. If the cache didn’t share values then this exploit wouldn’t work. I’ve been explaining it to others from that perspective, all the rest of the iterative array poking part of the explanation is secondary.
@JadJoubran
@JadJoubran 7 жыл бұрын
Thanks for the addition! Indeed, I had to omit a lot of details in order to keep it short and easy to understand
@ElectricityTaster
@ElectricityTaster 4 жыл бұрын
Good luck looking through the 85 tabs I currently have opened.
@mursie100
@mursie100 5 жыл бұрын
What do you mean by "chars[secret]". If the value of secret in your example is 'p', what does "chars['p']" even mean ?!!
@Jackisaboss1208
@Jackisaboss1208 4 жыл бұрын
Because of how computers store character information every letter has a numeric equivalent. For example, the character 'p' is equivalent to 112. So chars[p] would give us the 112th element in the character array. We use what's called an ASCII table to convert numeric representations to characters.
@NickKostalas
@NickKostalas 4 жыл бұрын
Great video, thanks for posting! I'm curious: for Spectre exploits, can the attacker ever just read the secret data straight from the cache? Or does it always have to be done by indirect methods like you described? And is/was it any different for Meltdown?
@jordankolbert
@jordankolbert 6 жыл бұрын
Can you explain what you mean at 2:14 when you say "using this information, the attacker would read the value of chars[secret]" is secret the adress there?
@JadJoubran
@JadJoubran 6 жыл бұрын
secret is the value that you're trying to read (but is normally protected by the CPU) We trick the CPU by reading chars of secret (chars[secret]) so you're using that secret value to read one element of the array
@jordankolbert
@jordankolbert 6 жыл бұрын
Jad Joubran but how can you read chars[secret]? Wouldn't you need to know secret to read secret? Also thanks for the video!
@JadJoubran
@JadJoubran 6 жыл бұрын
Not in this case because this is happening under speculative execution, you're not supposed to be able to run this code but the CPU is running it in order to speed up execution, but by the time it realizes that the speculative execution is wrong, the value of secret has already been saved in the CPU Cache The other half of the video that you referred to, tries to recover that value from the CPU Cache
@jordankolbert
@jordankolbert 6 жыл бұрын
But isn't the cache read happening after the speculative execution when secret has been leaked to the cache? How is this code still running under speculative execution? Thanks for your help!
@jordankolbert
@jordankolbert 6 жыл бұрын
I guess I don't understand how it detects the change in cache state, and how it can derive the value of secret in a manner as to be able to read chars[secret]
@a2zuser1
@a2zuser1 5 жыл бұрын
it was very easily explained thanks i want to read more on spectre and meltdown please provide links reading materials
@harshitgupta3386
@harshitgupta3386 3 жыл бұрын
Won't virtual memory prevent this from happening?
@riddler112
@riddler112 3 жыл бұрын
whats the difference between specter and meltdown vulnerability?....even tho i saw both the video they seem the same.
@JadJoubran
@JadJoubran 4 жыл бұрын
Interested in learning Programming, JavaScript or React? Checkout my interactive online courses: - Learn Programming (for beginners) learnprogramming.online? - Learn JavaScript: learnjavascript.online? - React Tutorial: react-tutorial.app?
@ondrej8018
@ondrej8018 2 жыл бұрын
So simplified that it does not make sense in the end
@justalonelypoteto
@justalonelypoteto 11 ай бұрын
(more digestible explanation at the bottom) admittedly it is quite confusing unless you already understand meltdown, but all that's happening is we're ensuring a large chunk of memory is not cached. Then, in a conditional branch which will turn out to be missed but the CPU's predictor thinks otherwise, will begin to be executed. In there, we will take the memory address to this chunk of un-cached stuff and attempt to add to it a value, this value being something we want to exfiltrate which we're not allowed to read. The execution unit of the CPU which received this will dispatch an order for both the memory address which we just calculated illegally, as well as the privilege check. What we're counting on is that the memory read will take place before the privilege check, resulting in the byte (whose value is unimportant) at the address (THIS IS THE IMPORTANT PART) of address + secret to be loaded into the CPU's cache. Since the branch predictor will miss (more complicated than how the guy in the video shows it but same principle), this entire branch's changes will be discarded, so our program won't be killed by the OS due to a memory access violation / SegFault. However, the kind of processor vulnerable to our attack does not remember that this memory read which it cached during the speculative execution should be of privileged access only, so we will be able to read that one byte whose address is the important part, from the cache. Now, we will take our memory address from before and start trying to read it or otherwise perform calculations with it. This will be slow, however, once we read from the MEMORY ADDRESS (address+secret) we will find it to be faster, now we know that the number we just used to offset our memory address is the same as the secret value. If you don't know C, this might be a good moment to learn the basics of it as, without any understanding of pointers and memory addresses, this might be just as confusing. As an alternative: When I say address+secret, what I mean is that I want to read the n-th byte of our RAM, where n is a number we know, address to which we added a secret we shouldn't be allowed to know. Let's imagine our malicious program requested from the OS/Kernel to receive 500 bytes for a variable, this might be, in terms of RAM, bytes number 40000 through 40499. We want to know what's written at byte 83002 but the CPU won't let us, so what we do is do something with the value stored at the byte n, where n is 40000 + VALUE OF 83002. This will read byte 83002 and add its value to 40000, then read the value at that address. Through the stuff I explained above, the CPU won't yet care that we're not allowed to know what's at 83002, so it'll happily cache the value we want to know, this value being at 40093 (the secret value here is 93). Now all we do is test address 40000, 40001 for the lenght of time to do something with it, and once we encounter 40093 and it reads faster we'll know that 93 was the secret value. This all happens because the CPU in question simply caches things, a smarter implementation would perhaps have accompanied this caching with a note saying which privilege was required to legally perform the operation that caused it.
@arkadiprath2918
@arkadiprath2918 5 жыл бұрын
If secret is already in cpu cache when speculative execution is done then while reading secret why would we go to memory?
@zeztro
@zeztro 5 жыл бұрын
The secret isn't in the cache until the assignment operation is performed. Doing the assignment 'secret = data[input]' fetches the value from memory and stores it in the cache in case it needs to be used again soon.
@hemantahire1131
@hemantahire1131 6 жыл бұрын
Easy to understand..Thanks for sharing
@chamaldesilva506
@chamaldesilva506 6 жыл бұрын
Now I understand. Thanks!
@lemonsh
@lemonsh 4 жыл бұрын
I have a question. As CPU Cache is basically a long array of bytes, how can an attacker know what does the data he got mean? Let's assume he actually got 1kb of data from the cache. What now? Apart from doing an ASCII convert and read this shit manually, how can he know what does that 1kb mean and from what app is it?
@aeebeecee3737
@aeebeecee3737 11 ай бұрын
Question: now day we’re using virtual memory, the memory space is isolated each other, How can spectre meltdown load memory space that not belong to its? Or if is spectre meltdown must be a injection to access it, But if it is an injection that can access memory directly, why should it use the bug of speculative execution to do so? Could any one explain to me?
@kamilziemian995
@kamilziemian995 2 ай бұрын
I'm not a excerpt, but if you want, I can write what I know. I hope this is unnecessary since you already found answer to your questions.
@codingtudou
@codingtudou 2 жыл бұрын
If the secret is already in the cpu cache, the. Why would it take 60ms to do char[secret]?
@justalonelypoteto
@justalonelypoteto 11 ай бұрын
You got it jumbled up, I think. When we say chars[i], what we're saying is really (for 1-byte elements of an array, so chars or bytes) that we want "THE VALUE stored at the memory address of chars, offset by i bytes", i.e. if the array chars starts at memory address 1000, we want the value of the byte at 1000+i. We don't know secret, and even if secret is in the cache we wouldn't be allowed to access it. What's really happening is the following: -We cause a branch prediction execution -We take our big array, which should be completely off the cache, and ask the computer: "take the address of the array and add this secret value (somewhere outside of this program's allowed memory) to it, then read the resulting address". -This read will be sent off along with the privilege check, and will result in address 1000+secret value being loaded into the cache. -When the privilege check determines that this wasn't allowed / when the branch predictor notices this conditional branch (if ... code) will not take place because its condition is not met, it undoes everything that was changed, but doesn't touch the cache as 1000+secret is part of the array which belongs to our program. The value it contains we're allowed to have, but the specific address which is stored in the cache is what we shouldn't know, yet the part that undoes this illegal operation in the CPU does not know that -Importantly, most of our array at 1000+something is not loaded into the cache, but one part of it, that at address 1000+secret, is -We now perform operations with every part of the array, as in at 1000, 1001, ... and for each we measure the time it takes to do this -Once we reach (for example) 1043, it suddenly executes faster. Now we know that 1043 is the byte that the failed speculative execution from before mistakenly loaded. We now know the secret, 43. EDIT: TLDR It's not about the secret value sitting in our cache, it's that we used the secret value to calculate a memory address and this specific memory address is the only thing in the cache, so by trying every address this could've possibly resulted in until we find one which is cached, we eventually learn which memory address was cached and from this we know the secret
@marciandmnd
@marciandmnd 7 жыл бұрын
Excellent! Looking forward to more vids!
@JadJoubran
@JadJoubran 7 жыл бұрын
Meltdown video coming in the next few days!
@WeightlessFlex
@WeightlessFlex Жыл бұрын
What is “secret” when you are explaining the attack specifically. You never say what that is. Is it a memory address?
@justalonelypoteto
@justalonelypoteto 11 ай бұрын
I'll explain it with meltdown, since it is more specific and I am more confident in understanding it: What we are basically doing is clearing the cache, then we do the whole tricking the branch predictor stuff and what we then do is some operation on an address that we have access to, that address being a pointer we have and offsetting it with a value we're not allowed to read. The reason this works is because, during speculative execution, the CPU will defer the privilege check, i.e. it will check if you were allowed to do this later on, because it is a rare occurrence that programs actually violate their memory space and doing it before would severely reduce performance (you'd have to do it for most instructions), and if it finds this to be the case it will just undo the operation. However, if this operation takes place before the privilege check it will result in the value at the address "pointer+secret" to have been cached, and since the cache for this exploit has no knowledge of which privilege is required to read it, our program can then just try to read all possible addresses of pointer+n until it finds one that returns quicker, meaning you've just hit this not cleaned up value and you know the byte you weren't allowed to read is n In code: pointer = malloc(...) //allocate a large chunk so we have space to work with (...) //maybe assign values to everything in base, ENSURE THE CACHE IS FLUSHED if(...) { *(pointer+secret) ... //do something that will require us to read the address of pointer offset by the secret value, which is currently not in cache } (...) //now do a timing attack on the cache until you find which address was cached The more scary thing about this was that spectre, the papers presenting more general ways to do this, found it possible to do this with JavaScript by playing around with the code to force your computer's compiler (JS is compiled locally just-in-time) to predictably make something that flushes the cache, as this is not a command available to you in JS. AFAIK the missed branch ensures your program doesn't crash because a segmentation fault (memory violation) is handled by the operating system, also I seem to remember being in a speculative branch is key to ensuring the privilege check is done late enough EDIT: I realize I might not have answered your question, it's a value that we add to our pointer. i.e. we take our address, 0x7f45bd4f, and add a number to it which we must not know and is firmly outside of our program's memory, it's a byte sitting somewhere like 0x2e4f3d47 and maybe it's the value 0x23 which, when added, gives us 0x7f45bd72. Once the CPU performs an operation (or even just prepares to do so) on this address, the specific byte at the position 0x7f45bd72 will then be loaded into cache
@WeightlessFlex
@WeightlessFlex 11 ай бұрын
I graduated last year with your help, thanks bro I am now working at an aerospace company fulfilling my dreams
@vittoriosilva1454
@vittoriosilva1454 5 жыл бұрын
Could never happen on a private network.....This vulnerability could only occur in a public cloud infrastructure ....
@halbgefressen9768
@halbgefressen9768 5 жыл бұрын
well somebody doesnt understand virtualization
@vittoriosilva1454
@vittoriosilva1454 5 жыл бұрын
Yes , yes I do , there would be no reason for one self hosted virtual instance to try and break into another , owned and hosted by the same company ....And furthermore , this exploit is only "theoretical" and has never been deployed in the wild.....
@vittoriosilva1454
@vittoriosilva1454 5 жыл бұрын
All this is because moore's law has hit a bump in the road , and hardware sales are down ...Because the only real advantage to buying a new server , is in the electric bill ...
@xerxis301
@xerxis301 7 жыл бұрын
Burning Mac at the end of the video = instant like. :) You've also done a great job explaining Spectre attack, thank you.
@JadJoubran
@JadJoubran 7 жыл бұрын
haha awesome :D
@elhamjemal2660
@elhamjemal2660 7 жыл бұрын
great! simple and clear
@JadJoubran
@JadJoubran 7 жыл бұрын
Thanks! I'm glad you like it :D
@messapatingy
@messapatingy 6 жыл бұрын
There is no mention of how "hello" fits into the introduction to the explanation at 1:03. I get lost here.
@JadJoubran
@JadJoubran 6 жыл бұрын
At 0:38 the attacker is trying to read a "data" variable that they created. Later I showcase how they're able to read other data from the memory by using Spectre attack. The "Hello" is an example of data that you have access to, but "private" comes almost right next afterwards
@messapatingy
@messapatingy 6 жыл бұрын
@@JadJoubran "Later" and "almost almost right next afterwards" are not helping. Please explain in order. Thanks
@messapatingy
@messapatingy 6 жыл бұрын
Just a thought in teaching.Things should be explained in an order whereby things are known in advance. If you leave people hanging, tell them.
@fetteschimmel9396
@fetteschimmel9396 5 жыл бұрын
@@messapatingy shut your bitch ass up
@HA-bj5ck
@HA-bj5ck 13 күн бұрын
Wowww!! The Goat!
@MPK1881
@MPK1881 2 жыл бұрын
Excellent.
@reepdaggle2410
@reepdaggle2410 6 жыл бұрын
very hlepful man thank you.
@JadJoubran
@JadJoubran 6 жыл бұрын
I'm glad you like it! :D
@xavier9480
@xavier9480 3 жыл бұрын
I don't understand, if you don't know what secret is how can you do chars[secret]
@justalonelypoteto
@justalonelypoteto 11 ай бұрын
the last part was maybe badly explained. What we do is trick the CPU into using secret to calculate a number, we then do something with the memory address "number" and this results in that specific address ending up in cache, and this is not undone by the CPU once it realizes it wasn't supposed to execute that code. So, number = some address we know + the secret value. We now read a bunch of memory addresses and check how long it takes, once we find one that is faster we just subtract "some address we know" and we get the secret value. Maybe this is confusing if you've never learned C or something low-level like it, but you have to remember that the value stored at "number" or anywhere around the address we know is completely irrelevant, what we really care about is its position in memory because we calculated this position using the secret value that we shouldn't be allowed to see, so if we then later find out which specific memory position was the one that was cached, we can then extract the secret value from that.
@alhamdulil-lard4577
@alhamdulil-lard4577 6 жыл бұрын
Perfect Video. I got nothing more to say
@kamilziemian995
@kamilziemian995 2 ай бұрын
Good video.
@Anthonylimere
@Anthonylimere 7 жыл бұрын
very nice
@JadJoubran
@JadJoubran 7 жыл бұрын
😬
@Abydos33RA
@Abydos33RA 4 жыл бұрын
A guy from Google with Intel that needs to sell cpus and Microsoft to sell windows
@kaytube2542
@kaytube2542 6 жыл бұрын
Thank you man (y)
@JadJoubran
@JadJoubran 6 жыл бұрын
I'm glad you like it 😍
@sulemanhanif2687
@sulemanhanif2687 4 жыл бұрын
0:22
@sinanyaman2007
@sinanyaman2007 5 жыл бұрын
Awesome video, perfect explanation but change the title bro. This might be intended to be a clickbait but does the opposite
@theforgot3n1
@theforgot3n1 5 жыл бұрын
No it's perfect
@l3aIIin23
@l3aIIin23 4 жыл бұрын
thanks
@Abydos33RA
@Abydos33RA 4 жыл бұрын
Has ever happened? :))
@gracewood6768
@gracewood6768 6 жыл бұрын
This is thesis. But. I am afraid
@wildweasel3001
@wildweasel3001 Жыл бұрын
Nope, not spectre. There is a new one 😂
@Noone-of-your-Business
@Noone-of-your-Business 7 жыл бұрын
Just half a minute in, no 5-year-old can possibly understand this. You might want to fix your title.
@ShopperPlug
@ShopperPlug 3 жыл бұрын
This is just basic common sense to wipe the cpu cache with all zeros after a "particular" cpu cycle. the same shit you find in wiping ram blocks or hard drive sectors with all zeros. if the chip designers never implemented a specific machine code for the cpu to which erases the cpu cache... thats literally a lawsuit against the chip designers for never implementing such basic fucking task to wipe the stupid cpu cache. I highly doubt the chip designers never provided such basic needed machine code to do such thing. today we have an immense population of arrogant ass programmers just never put in thought to say hey maybe its a good idea to erase the cpu cache just for good practice in safety and bug error prevention. same concept as to always erase and release the heap memory space, same concept for the cpu cache but just write with all zeros or ones.
@MaryMary-sh5ge
@MaryMary-sh5ge 8 ай бұрын
Ha già colpito la mia password ufffffffffv
@benjistokman
@benjistokman Жыл бұрын
This is literally incorrect
@chuian7978
@chuian7978 4 жыл бұрын
totally understand! 3q
Spectre & Meltdown - Computerphile
13:45
Computerphile
Рет қаралды 349 М.
Spectre and Meltdown attacks explained understandably
16:19
Ymir Vigfusson
Рет қаралды 57 М.
Quilt Challenge, No Skills, Just Luck#Funnyfamily #Partygames #Funny
00:32
Family Games Media
Рет қаралды 55 МЛН
The evil clown plays a prank on the angel
00:39
超人夫妇
Рет қаралды 53 МЛН
Chain Game Strong ⛓️
00:21
Anwar Jibawi
Рет қаралды 41 МЛН
Meltdown explained like you're five
3:49
Jad Joubran
Рет қаралды 29 М.
Learn programming faster: make these mistakes.
9:46
Jad Joubran
Рет қаралды 3,5 М.
Spectre Attacks Exploiting Speculative Execution
21:11
IEEE Symposium on Security and Privacy
Рет қаралды 8 М.
Why are Spectre and Meltdown So Dangerous?
7:43
Techquickie
Рет қаралды 1,1 МЛН
Comparing C to machine language
10:02
Ben Eater
Рет қаралды 5 МЛН
Rowhammer attacks explained simply
18:49
Ymir Vigfusson
Рет қаралды 30 М.
CPUs Are Out of Order - Computerphile
15:09
Computerphile
Рет қаралды 188 М.
Fast Inverse Square Root - A Quake III Algorithm
20:08
Nemean
Рет қаралды 5 МЛН
Meltdown and Spectre in 3 Minutes
3:07
Red Hat
Рет қаралды 203 М.
How to learn JavaScript: 7 tips from my 10 year journey
8:31
Jad Joubran
Рет қаралды 52 М.