haha wow that lowlevel.academy guy seemed pretty cool huh?

Every time I hear the phrase 'speculative excution', I am reminded of what a late friend of mine used to say: "CPU designs should never incorporate speculative execution or branch prediction. They will inevitably lead to security vulnerabilities." He was also a big fan of the ARM architecture, because it did not use to do this thing. He passed away about fifteen years ago, but as it turns out he was right...

Modern day computing is too unsafe lets all go be amish.

people that figure this stuff out are so amazing. like I understand it, after you explain it, and am like "yep I get it," but I could never actually figure it out beforehand or even consider that it exists.

"There are 2 hard problems in computer science: cache invalidation, naming things, and off-by-1 errors." (Leon Bambrick)

Weeks ago UEFI, now ARM last year I joked about hardware backdoors this year

My God. I guess time to check off "security vulnerability found in something you worked on" off my bucket list. I was an intern at Arm, on the team that worked on MTE. I did some work around the generation of the tags, and on simulating the overhead they would have in caches and memory. I have such mixed feelings right now. :D This seems like something we could have thought of. Meltdown and Spectre were fresh on our minds and a major topic of discussion in the company. I can imagine an alternate universe where I told my manager (or someone else on the team) "hey, have we thought about if tag mismatches could be a cache side channel?" Yet I don't think we ever discussed anything related to this? At least not in any of the meetings I was in. But hindsight is 20/20. In retrospect, these things always seem obvious. We were mostly focused on minimizing the performance overhead of memory tagging, because we were worried it would get in the way of adoption. We wanted our new optional security features to be supported by hardware manufacturers, who might not be happy with there was too much perf or memory overhead, extra hardware complexity, or cost / die area increase. Though, I guess, despite this new vulnerability, it still delivers on its goals. MTE was supposed to be something that offers substantial security improvements for cheap. A "better than nothing" optional feature which, when enabled, has a good chance of catching some bugs that might not be found otherwise. It is probabilistic: even if it worked perfectly, there is still a small chance a memory bug might go undetected by it (if different allocations happen to be assigned the same tag by chance). It was not meant to be perfect, or any sort of bulletproof defense. Just a way to hopefully catch more bugs in the wild. If a vulnerability makes it less effective, that's still better than every other CPU that does not have something like MTE at all.

I am a (retired) professional programmer. I never wanted my programs to run as fast as possible. I wanted them to run as reliably as possible, i.e. rock-solid reliably. I have seen countless examples of programmers being led astray by the siren song of premature optimization.

Misleading title, there are ARM "chips" that do not have these extension, a lot of them even do not support virtual memory

Every time I hear Speculative Execution is about about a security vulnerability

CPU vulnerabilities usually need relatively low hardware access in order to work. But when I heard you saying somebody managed to exploit it from within V8 (being a web dev) it literally just hit me - We're f**d. JS isn't as much of a toy these days. You can easily manipulate raw binary data in JavaScript. Some more tinkering and this would easily escalate to a sandbox escape and really, really low-level code injection... From within a browser...

You have in my opinion some of the best content over hosted on KZbin. If this existed in 2004 my early programmer self would have had a much easier time learning how to exploit for fun ;).

OK, interesting, but this is a way to defeat a secondary defence. The program still has to contain an exploitable memory corruption in the first place. I think describing it as an unfixable bug is to some extent click-bait.

IA64 had a ton of problems, but I really believe that explicit speculation was a great idea. So many of these attacks would be impossible on Itanium. (Insert joke about them not being attacked because no one used them)

Great breakdown! Not surprised to see that speculative execution is causing vulnerabilities on more than just x86 - really feels like it was only a matter of time before something like this was uncovered. The way it was done, though, is absolutely wild.

V8 engine screams to me : "you can do this on your phone right now"

My jaw dropped when you said it works inside the V8 sandbox. Bless the researchers for finding this.

"EVERY ARM cpu" article shows that it was introduced in arm v8.5

the "hats off" right after talking about a hair cut was accidentally brilliant 😂

The way you explain in these videos even a golden retriever can grok these topics. No pun intended

This reminds me of PAC introduced in iOS 14 that made jailbreaking very difficult. Eventually a couple Chinese researchers found a way to sign the pointers themselves to bypass it, but I still was fascinated enough by it that I did a college presentation on it in my computer architecture class.

Access to leaked tags doesn't ensure exploitation. It simply means that an attacker capable of exploiting a particular memory bug on an affected device wouldn't be thwarted by MTE.

OMG It's amaizing!, when you said they did it in V8 was... OMG, incredible! how many layers of security they get to bypass!

The first sponsorship I’ll click and use in my life 😆 thanks for your awesome content! 💪

Damn this is such a good video, thanks for explanation. I have only recently started learning stuff abt comp architecture and security and this video is still explaining the paper in the most crystal clear way possible that even I understood it.

spec. execution is not only about filling up the cache to be ready, it can actually execute part of the code in different execution units but later either keep or discard the results depending on the path taken

If you can run arbitrary tik tag code on the cpu, you don't need to break the memory tagging, just run whatever arbitrary code you want on the cpu.

Thanks for the video and book suggestions 👍

Thank you for your vids. Any update on that php vulnerability? Couldn't find further info on the details of it, beyond being related to language/encoding.

Found Ed thru John Hammond, but since John doesn't seem to do vids that aren't just straight ads anymore, I'm excited this is still here to learn from. Thank you, sir!

I suspect we're heading towards a fundamentally unpatchable, ubiquitous and catastrophically effective exploit that forces us to fundamentally re-think chip design. With software moving faster than hardware this has always be inevitable but it's still crazy to think this is probably coming in my lifetime.

Sending my appreciation. Sometimes when searching for work you have a not so wonderful interview for various reasons including just forgetting a term you couldn't recall in a moment. Sometimes a few can affect your mental health especially if not handled with understanding that it has nothing to do with your worth. I had known and worked with assembly. I had known and worked with memory, pointers, understanding buffer overflows, operating systems, and so on building up to a good, extensive software engineering mastery, ethics, and leadership. All of the concepts you mentioned as part of my education. I felt so let down as it seemed no one cared that I knew this stuff and it made me question if I should have specialized in a different path (CE, CS, EE even, physics, etc) when feeling like things weren't working out. I was lifted up as I could follow everything you noted and that I was able to see how worthwhile my time and degree were at my university. I just mean to say I appreciated so much having a reminder when you feel a job struggle to see that you have value and no one can take that away, including in this small way like having an education even if no one is acknowledging it yet. 🙌🏾

Great video and information!

2024 - The year of the backdoor and the vulnerability

Jeez. What's up with all of those serious recent exploits?

I find amazing that the people can speak about such advanced subjects, while I try simple to fit an excess 127 code for a normal overflow fix in a vhdl dsp fpu unit. My God, where do you have the time to read these subjects?

I just assume that all computers are inherently insecure and act accordingly

nice sponsor, heard good things about that dude

The pacman vulnerability has existed for a few years, the big take away from this paper is that they found a pattern to exploit it in other code.

Pretty awesome find by the team

Remember Pointer is the variable holding the address not the address itself, Dope content, massive respect …

Spectre and meltdown did not break the internet.

Spectre broke literally nothing. It was a hype wave that lingered for a couple weeks and went away. Nothing ever was heard about any hacks exploiting it after. I expect the same is going to happen to this bug too.

Love that they’re called gadgets, like in hardness proofs

sick video thanks

it's not every ARM processor, only V9? so title is kinda clickbait

Who would've thought that doing insane things just so you wouldn't have to admit to yourself that Moore's Law has been dead for a lot longer than people imagine would've caused so many security issues?

Will this require a hardware level redesign or can it be fixed with compiler patches?

I think calling speculative execution "execution in the future" is misleading as it conveys they idea of a "front-running thread", which is a very distinct and different thing. The processor simply runs a program and if it needs to make a branch/turn and does not know which way to go, it speculates. To keep a proper program state, this speculative execution cannot do certain things, but once the speculation is confirmed to be correct, the accumulated speculated results can be committed. From the processors perspective running the program, it's just execution current code, just of a speculated branch. There is of course a lagging program-state that represents the validated non-speculative outcomes. It can restart from this state when the speculated code turned out to be the wrong code and resume with the correct code instead. A processor is thus not "executing future code". It might run the wrong code and discard the results, but it's not running ahead of the actual program. That is a lot less mystic and magical to me.

0:09 You know that there's three computers in the term "ARM computer"? First, the obvious "computer". Second, "ARM" stands for "ACORN RISC Machine", "Machine" referring to a computer. Third, "RISC" stands for "Reduced Instruction Set Computer", revealing the third computer. Almost blew my mind when I first realized that XD

Broken arm

Thank you, very distinctive explanation ! Keep up ! Good luck ! I have some different CPU boards (AllWinners family) but luckily they are v6 and v7.

It's a classic side-channel attack, more exactly a timing attack. It's pretty well-known in cryptography. Nice work, in a way. That's hardly a bug, but I suppose the title is more catchy.

Somewhere I read and/or saw John Hennessy and David Patterson. They discussed the limitations of current processor designs, emphasizing that security vulnerabilities like Spectre and Meltdown, as well as diminishing performance returns, stem from reliance on techniques such as speculative execution. They propose a shift towards domain-specific architectures (DSAs) and processors capable of executing high-level language constructs directly. This approach would enhance security, performance, and energy efficiency by reducing the need for complex compiler translations and leveraging the open-source ecosystem for rapid innovation. But then legacy support as we have it now digging back to the 70s would be hard to maintain .. ;)

There's a lot of 'IF's in there. If you can find the right code, if you can find the tag , if you can change it, if... if.. if... Whilst this is a possible route for an attack has anyone actually used this in the real world, not just in the research lab.

Apple: "It's not our Apple Silicon ARM chip, you're using your Macbook wrong"

Assembly code since the 70s here .. and yes, we're still longhaired and play music .. approaching 62 :)

wow, only option now is templeos

it's another "we speculated, rewound and forgot to invalidate the cache" error. When will CPU designer learn to have cache invalidation be the default behavior in case of speculation rewind if there was a cache swap during the speculative block?

Amazing find by these researchers! This is the beauty of our community: ppl take time and try new things and find these bugs like this!

awesome content

holy authentication man, just tried to enroll in your arm course and I had to log in like 5 times. Would be worthwhile for you to look into that.

Reminds me of my introduction to Java. How to get rid of most security holes? Bounds checking. References, not pointers. Fantastic I thought. Security built into the virtual machine! But here we are literally decades later and we're still in the C/C++ paradigm. Billions of dollars a year this costs, yet we're unwilling to abandon thinking in terms of pointers and unwilling to make things like runtime bounds checking mandatory.

Because of you I am more interested in assembly language and CPU architecture

This is fundamentally similar to a hash collision exploit, so the solution is the same. Increase the entropy on the memory tags so that the reuse is practically impossible.

It’s NOT in every ARM CPU! Change this clickbait title. 😒

Isn't this the exact thing that happened with Apple Silicon? Or at least very similar?

That is a super cool exploit.

The mere mention of "speculative" and "prediction" already makes my neck hair stand up...

Explanation starts @5:50

Is this the year of exploits?

@LowLevelLearning Just because I'm not sure if I've understood everything correctly. This memory tagging is just an additional security mechanism in ARM processors and not the only one? So this design flaw doesn't make ARM processors less secure than other processor architectures, it just makes them less secure than intended. Correct? Or do ARM processors lack other security mechanisms that other architectures have?

Kinda neat explanation of virtual memory, wish had it when wrote driver for Armv8 MMU. Also not the speculative execution exploit again

Unfixable bug? More like NSA engineered backdoor 😂

The existence of these kinds of bugs reinforces why most of these hardware security features are often not worthwhile. Making all these "secure enclaves" "secure boot" and such are all just waiting to be exploited and broken, and the fixes just make it even more complicated or slow. In the past we had viruses and such but at least that was just software that could be fixed with patches and at most reinstallation. Now we have hardware that will be perpetually flawed, and even closing some of the bugs through microcode updates might not be 100% effective. Now we have to live in fear that something has permanently exploited our systems because the hardware itself is breakable.

Its been a bad few months for security vulnerabilities

Love this guy. Incredibly smart, incredibly articulate. Really impressed. An inspiration to us all.

I bet it has something to do with pointer authentication (control flow).

I remember reading that from Aleph1 back in the day 😯seeing that paper just took me way back!

Every smartphone be quaking

Speculative execution really is a double edged sword. On the one hand it made x86 what it is today (performance wise) but on the other hand introduces a lot of complexity and attack surface. And now ARM is affected too. Although this is not nearly as bad as Spectre/Meltdown.

Apple also have vulnerability on its M series

Dude just invalidated my entire Computer Architecture class. I hate school.

Seriously, the people behind that paper needs to be praised as heroes.

Should've used rust /j

How the hell they find these

This is why I use an abacus. Granted, AR/VR apps are tricky, but no viruses!

despite of your wonderful presentation, why the initial lower case in the title bothers so bad? Thanks for the content

x86, M1, ARM, we're just building a collection of vulnerabilities.

Man, please let RISC-V be somehow safer...

if we know buffer overflows in certain areas are prone to attack, can we just monitor those buffers for hack attempts?

Google: you need to be above 18 years old to view this video. Because this topic is about unsafe.

Speculative execution was a mistake

I mean this was all fixed in the 80's with capability systems, but then C programmers wouldn't have the ability fuck themselves over so here we are... Absolutely no reason for software to have access to pointers. Just... lol man In a system designed... not by a c programmer.... even if the pointers were printed out it wouldn't help because you can't address memory directly via pointers. Its not a thing there are ISA commands for.

The JavaScript V8 engine uses a technique called NaN Boxing and Pointer Tagging which attaches the variable type inside the pointer address

The only time I ever hear about speculative exec is as a security vulnerability😂 Speaking of which, could you do a video on the *benefits* of spec exec? I’m really curious now lol

How is it possibly less intensive to try to predict the future and have it loaded than it is to just do the thing you want to do when you decide to do it? That makes no sense... Sounds like speculative execution is a built in attack vector for anything running on the device, that is meant to have some plausible deniability... Like oops sorry the whole entire system is a giant security vulnerabity... Why don't they hire the people that find this stuff and have them make an OS that doesnt have these problems ffs

Thank you, nice and simple. Not so much about the hack, but rather the details of the limitations of the hardware implementation. We need better hardware developers. Which is to fire the crappy software developers. What a wasted effort, on the part of ARM, in the realm of address security. So remove the tag, remove the interrupt, or remove the look forward. We should quit worrying about speed, and actually do the job that is required. But no, OMG we used 4 bits more than before, we used 3 clock cycles. I believe in perfection before speed or space. Anyway thank you so much for the details that you supplied, I really enjoyed your talk. Keep up the good work.

It seems like this is very similar to PACMAN except that paper breaks pointer authentication code instead of memory tag. Both takes the approach of brute forcing a 16-bit secret by abusing speculation.

Awesome stuff