Best Analogy I've seen is as follows: "Imagine that you (i.e. a malicious process) want to know whether someone (i.e. a victim process) has checked out a particular library book. The library (i.e. the CPU) refuses to give you access to their records and does not keep a slip inside the front cover. You can only see the record of which books you have checked out. What you do is follow the person of interest into the library whenever they return a book. You then ask the librarian for a copy of the books you want to know whether the person has checked out. If the librarian looks down and says "You are in luck, I have a copy right here!" then you know the person had checked out that book. If the librarian has to go look in the stacks and comes back 5 minutes later with the book, you know that the person didn't check out that book (this time). The way to make the library secure against this kind of attack is to require that all books be reshelved before they can be lent out again, unless the current borrower is requesting an extension. There are many other ways to use the behavior of the librarian and the time it takes to retrieve a book to figure out which books a person is reading." Not mine, don't know original source.

Thanks for getting a video out on this so quickly and pretending not to panic for the camera. Can we see the cut shots where Dr Bagley is shouting "WE'RE ALL DOOMED" and Brady is talking him down from the window ledge.

The real scandal is that Intel was notified about this over 6 months ago and their CEO dumped millions in stock before announcing this exploit.

Summary of the exploit: "Cache me outside... how bout dat?"

So this is extremely low-level and thus hard for my high-level programmer brain to fully grasp, but let me see if I got this straight: if the bounds of a loop are stored in memory, the CPU will try to optimize by running the code in the loop first while waiting for the bounds to be retrieved; if the bounds turn out to be such that the loop shouldn't have been run, the result of the code is discarded. But when a value is taken from memory and used as an array index, those values are cached to speed up future reads, and the cache is not cleared during that "memory undo" process. So if you try to access a memory location you shouldn't be able to inside a loop that "technically" terminates before that point, the access will still happen. And if you use that value as the index of an array you do have access to, it will be cached. At that point, the indexes of your valid array which are cached represent the values of the bytes you tried to access (the iterations of the loop beyond the slow-to-retrieve maximum bounds), so by timing how long it takes to retrieve those array entries, you can determine the values of the unauthorized bytes by interpreting the indexes of the fastest-loading array entries. Is that correct?

replace cpu? with what, a rock?

It looks like AMD hardware is only vulnerable to one of the three variants: the bounds check bypass. Some reports argue that this could be fixed by allowing the OS and the application code to disable speculative execution in certain circumstances. As I understand it the boundary check bypass only allows to exfiltrate data from the same process with the branch target injection being able to reach another process and the meltdown making vulnerable even the kernel. Intel and ARM hardware are afflicted by all three.

This is the best analogy I could come up with for how Spectre works: Imagine you want to know the genre of book a particular person has checked out of the library. However, the library has strict privacy policies, and refuses to give you access to their records, only your own. What you do is reserve a book from every genre that the library carries, and then ask the librarian for the book you reserved of the same genre as the victim's book. The librarian, to save time, immediately begins fulfilling this request, even bringing said book up to the front desk, before finally realizing that the request itself breaches library privacy, and so refuses to return the book to you. Seems like you're out of luck, you don't know the genre of your reserved book behind the desk, so you haven't learned the genre of the victim's book. However, you now begin to request from the librarian every book you reserved one by one. Since these reserved books are properly a part of your records, the librarian happily obliges. For each book you note the librarian takes time to retrieve the book from inside the library, until one suspicious book is requested, which the librarian immediately hands you from behind the desk. That one suspicious book of course is the book requested from earlier, so with it identified and in your possession, you have successfully learned the genre of your victim's book. Now imagine repeating this process multiple times on the same victim using other qualities besides genre: like author, publisher, and so on. Each quality you learn about your victim's book allows you narrow down to the particular book your victim has checked out. Eventually, you will know for certain the identity of your victim's book, all by exploiting your hard working and naive librarian.

"Replace CPU hardware" *Straight face* Laughed out loud

I knew you’d post a video about it quickly! This is why I’m a happy subscriber

What infuriates me is that the majority of the headlines are about the slowdown, and not about the vulnerability itself -.-

Interesting to note that all Raspberry Pi versions are invulnerable because their ARM chips either don't implement speculative branch evaluation (just branch prediction) or they don't implement it in a way that leaves traces in the cache.

Finally someone with knowledge of computer engineering addresses the issue and also points that Meltdown affects Intel specifically.

It would be awsome if you could make more in depth videos, not only on this topic, maybe including the code explanation

That was fast, I thought it would take you a week or so to discuss it.

"Meltdown" (aka "Variant 3") is an Intel issue. Yes, Intel very much wants to confuse the matter, but make no mistake, that's their fuckup. (**see comments)

Literally checked this channel for this last night! You guys are awesome! Keep up the great work!

Wait! Are you saying my 486DX is unaffected by this? PHEW! And there I was, thinking I would need to upgrade my CPU.

Somehow Scott Manley, the guy who plays Kerbal Space Program, had a much clearer and more detailed explanation that the Computerphile channel.

What I find surprising about this is that it took this long to discover this flaw. I don’t know much programming, though I do know some, and even less about implementations details and hacks like this. But even I know that CPUs have implemented speculative execution for a long time now. The methods described here seem to me pretty amazingly simple. It surprises me that no one thought of trying to exploit this before now!

Fantastic job explaining these exploits! Probably the cleanest and to-the-point description I've seen on KZbin so far. You know you're doing good when your viewers can use you as a security news source. 😉

6:55 is when any details Beyond a typical layperson news article start

Finally, a tech channel for serious IT people! This is my new goto source for serious vulnerbilities and game-changing tech.

After the end of Moore's Law, it turns out there's no such thing as a free lunch.

Great video. Can always count on Computerphile to provide a detailed yet concise explanation which is easy to understand

All your systems are belong to us.

This glosses over the most interesting part. :) The covert channel is timing how long it takes to read something, which is affected by what is in cache. Speculative execution can change what is cached and so allows the covert channel to exist, in combination with branch prediction making the wrong prediction. The branch prediction can be trained in a few ways, one of which involves the realization that the branching decision is remembered not by instruction location but by only some low bits of the branching instruction. The neat part is that the speculative execution can include a second lookup based on the first value fetched. Multiplication by the cache line size (the size of the chunk of memory that will be read when it is loaded in to cache), and then using that as a second lookup offset, fetches a unique cache line for each original value. This is the trick that allows the original data to be read (by then timing the reads of each possible offset).

"Replace CPU-" *quickly pauses, heart sinks, sense of impending doom looms over me* Please god no...

James Bond asks his mate "Mr CPU" to go wait for him at a bar. The Criminal Mastermind named "Meltdown" goes into the bar and says "I have a drink for Mr Bond here, anyone want it?" All in the bar take a while, looking around and asking "are you James Bond?", but Mr CPU instantly answers "No, he is not here", then James bond walks in...

Best computer science channel on KZbin! 🤓👍

Great explanation, thanks!

Timely

It's not easy to explain such a thing without going into details too deeply, yet staying meaningful. I think made a great job, as always, here in computerphile. (The cache access time could have been a bit more emphasized, though.) But PLEASE, PLEASE USE A TRIPOD! It would be such a quality leap for these videos!

Best under fiveteen minutes video on that topic i have seen do far

Always look forward to watching Computerfile's break down of the newest and greatest security vunribility. Another great video guys! PS: from what I have gathered, it's a vunribility where all the correct things have to be under the exact right circumstances for it to occur. I have yet to see any real real-world examples or instances where this attack has or can be used besides some whitepaper's example code. In other words, I'm not phased by this nor do I care about the risks it brings.

I seen this coming from the moment I began experimenting with parallel programming techniques. Having developed a lot of creative uses of Semaphores to get around the pitfalls of out of order execution, I will be incredibly happy when we start to see processors that don't pretend to know better than the programmer what order their instructions should be executed. I should never have to suspect memory barriers I drop into my code aren't actually doing anything but you would be surprised just how often modern processors completely ignore their presence.

Yeah just let me crack open my iMac and replace the CPU that should be pretty easy

The worst part about all of this is it took independent researchers to find this just by chance. Various security agencies have well-funded branches that find bugs like this regularly around the clock all day every day of the year from full hardware exploits to firmware exploits to OS exploits. Hardware ones are less frequent, but still happen especially against embedded devices that don't change regularly. Some older devices are still connected to the internet as well, which is much worse. That includes some hardware that literally controls the backbone of the internet in some regions, some is still ancient and still used simply because it is reliable and If It Works Don't Fix It. (same reason we are still stuck with IPv4!) It's also a hard job to deal with in space hardware because it's feature-progression is considerably slower than main-line hardware. Biggest reason being the new hotness in CPU hardware generally leads to literal hotness in that they run hotter. Much much hotter. (especially branch prediction, which is the parent architectural fault involved in both of these bugs) This is very bad for space because it is stupidly hard to cool things there due to the lack of medium to move the heat in to because space is inert. Only way to get heat away is radiative, which is extremely slow. So you end up needing these complex cryo-cooling systems in CPU-heavy satellites, which limits their maximum operation time quite considerably and increases complexity. (and potential for failure) So this can lead to issues with space hardware if any bugs are found in them as well. All it could take is one hardware exploit to kill the GPS framework and bring modern globalized society to a standstill. (and the smartphone generation) Given how much money gets pumped in to exploitation branches of security agencies, they likely already know a few that could cripple society-wide services. Sometimes if they are really severe, they even announce them. However relationships in the security industry are broken over the whole blanket-spying stuff done by Five Eyes and the like. Many people are taking advantage of it by leaving security agencies and forming their own companies to make some cash. NSA lost loads of people.

Good high-level explanation, I encourage people interested to read the papers published and do some research about branch prediction. For starters, Tomasulo's algorithm was one of the first OOO execution designs that many processors are still based off of. It's old, so it's easier to comprehend then today's massively complicated schemes, but will still give you a taste of what happens at the h/w level.

As bad as this exploit is, i'm not too worried. As far as the regular folks are concerned, I find it far more likely that they are going to have random other software related exploits whether it be trojan's, keyloggers, phising scams. Plenty of other things for them to fall for, rather than getting a more complicated program on their computer which does this slow data extraction which may or may not be useful, given that the implementer has to know what they are looking for before they can even make use of data. This issue should likely be quite simple to fix for Javascript/code from the web, as the code is compiled by the browser, you could just alter the JS compilation/VM process to break any cache coherence thus resulting in speculative execution not working for higher level code.

Excellent video. Very informative and interesting. I just knew Computerphile would cover this.

Raspberry Pi's blog did an awesome job explaining this. (Mainly because they actually showed (pseudo-)code)

Very informative and technical. Just what the doctor ordered. 10/10

I like how; while under development, the patch that was applied by Linux devs was given the name "Forcefully Unmap Complete Kernel With Interrupt Trampolines", it was changed for the actual release of the patch because of the same reason as why I like the name... spell out the first letter of each word xD

too lazy to do my own research on this topic, since I know computerphile will do a better job. Finally it is here, and im not disappointed

Reminds me of that Computerphile video about the exploit of cache memory byway of specific SQL queries.

The title needs to be better. Before I knew what spectre & meltdown were I had no desire to watch this video. Then I watched The WAN Show and now I want to.

4:48 Dr Bagley is creating an 'off by one' error. In most languages that array would contain 17 items, not 16. Thanks for the buffer overflow, dr Heartbleed.

Expected a deeper explanation, considering this is computerphile

Steve Bagley Thumbs up for mentioning the BSDs. Their developers haven't been a part of the embargoed information, even though they run a pretty significant part of the Internet's backends...

KZbin thought I was going to watch this video, but I looked at how long it was and decided not to. Instead, I watched a Numberphile video really carefully, and now I know everything that's said in this video. I don't think that's supposed to happen.

I enjoy videos where 200 nanoseconds is 'a reasonably long time'

And to make it clear, the Meltdown bug, which has the highest likelihood of speed degradation, does not effect AMD CPUs.

The science behind the exploits is very interesting.

Cool, this is from the university of Nottingham, same place that makes those awesome Periodic Videos about chemistry and elements!

Love the shirt

Super fast :) Most media is not ready yet to explain it well.

Bring Dr Pound. He explains things in a much better manner. Easy to follow along.

I cant think of anything I wouldnt rather do instead of computer security. What a nightmare ... constantly a new battle you will inevitably lose

Very good explanation, thanks guys!

Thanks for the explanation.

I was hoping you would make a video on this!

Thank you!

Wow, very fast content reaction to current "Computerphile" topics. Great! By the way: does CERT list hardware which is considered "secure" in terms of Spectre and Meltdown?

Great explanation many thanks

There has been talk about this for some time (for years), so I'm not sure why this is suddenly seen as a huge problem now. Though I gather nobody knew exactly how to exploit this vulnerability before, and that someone finally decided to make a proof-of-concept.

Love the juxtaposition of Hawaiian shirt and grey sky. Very informative as always.

Also, where is the stock-pile they pull from w/ the old printer paper, haha?! Love it.

A big thumbs up! BTW, could you please add subtitle functionality in the videos?

Cool, that's actually pretty easy to understand.

This guy reminds me of the adoring fan from Oblivion.

Would you be able to get information from another virtual server if they both lived on the same host?

Very timely. Good job. :)

Nice Amiga 1000 there in the background! :)

From the "Cloud Perspective", the dom0 (hypervisor), could squash these instruction set requests from domX to prevent flaws... just a thought.

2:14 as i understand it the original google engineer had POC working in javascript the first day and was listing his https tabs open in firefox... best estimates are it can get out about 1k bits per second

Great video!

Wow. There's something like 20 years worth of processors which are vulnerable to this family of exploits. Wasn't the Pentium Pro Intel's first out-of-order processor? That came out in the mid-to-late 1990s, so we're in pretty hot water with this lot.

Could we get the source code for that program that exploits itself? I’m really interested to see how it works myself.

Anyone have a link to the code Steve is walking through?

They never introduce themselves or say hello, they just start talking lol

Nice explanation thx PS Not related to this video but was a bit disappointed you didn't cover the root bug on mac os a month or so ago :) Where you could go to settings and use root as a user name on the password prompt

I find the term "favorite operating system of the month" so funny. 3:11

‘Mac oss.’ I see an Amiga 1000 in the background.

Replace Intel x86 with Motorola 68000.

This is such a deep level exploit I am wondering if finding this was the result of a google AI system built to do one thing and then stumbling onto a way to break through its own limitations.

spectre would work (almost) everywhere 1. cache hit / cache miss 2. row hit / row miss those who have seen specific video about it and know about it from beginning know what I refer to, others should be better off not knowing.

“Modern CPUs” - this works in CPUs from 1995. This has been around since very long time.

soo.. would it be possible to get ahold of the test code shown in the video? i'd like to compile and see for myself.

Nice analysis

Excelent explanation

What about all those lovely ThinkPads that are out there they will all have to be replaced? The 2nd hand market could be quite exciting soon!

this really helped, thanks

I understand how you can read the prefetched piece of memory that exceeds the array size check, but a prefetcher doesn't prefetch the entire memory. How is it that you can read everything instead of just the first bits after the end of your own program space?

Why must every computer vulnerability have a “scary” name and fancy logo?

I think it's worth emphasising that Meltdown is specific to Intel's architecture*. The ability to execute code before the security check is a huge deal and I don;t think its fair to tar AMD, ARM etc. with that brush. Meltdown is caused by a broken security model whereas Spectre is a consequence of out-of-order designs. (* potentially Apple's custom ARM cores too)

Could older CPU technology be (more) advantageous when dealing with this "threat", or is it a generation gap exploit?

This is one of those things where you read about it and it seems like such a glaring security problem. how many people read about out of order execution and never connected the dots like this. this one really sucks ass because the temporary fix is basically going to be to remove some level of optimization

The problem is in the MOB. Those guys never knew what was goin on until it was too late.

I've been reading very mixed opinions on the likely effect on Intel CPU performance. I'd love to hear a detailed and unbiased explanation of this. Also, does this mean consumers should avoid buying new computers until the next generation of redesigned CPUs?