Best Analogy I've seen is as follows: "Imagine that you (i.e. a malicious process) want to know whether someone (i.e. a victim process) has checked out a particular library book. The library (i.e. the CPU) refuses to give you access to their records and does not keep a slip inside the front cover. You can only see the record of which books you have checked out. What you do is follow the person of interest into the library whenever they return a book. You then ask the librarian for a copy of the books you want to know whether the person has checked out. If the librarian looks down and says "You are in luck, I have a copy right here!" then you know the person had checked out that book. If the librarian has to go look in the stacks and comes back 5 minutes later with the book, you know that the person didn't check out that book (this time). The way to make the library secure against this kind of attack is to require that all books be reshelved before they can be lent out again, unless the current borrower is requesting an extension. There are many other ways to use the behavior of the librarian and the time it takes to retrieve a book to figure out which books a person is reading." Not mine, don't know original source.

Thanks for getting a video out on this so quickly and pretending not to panic for the camera. Can we see the cut shots where Dr Bagley is shouting "WE'RE ALL DOOMED" and Brady is talking him down from the window ledge.

Summary of the exploit: "Cache me outside... how bout dat?"

This is the best analogy I could come up with for how Spectre works: Imagine you want to know the genre of book a particular person has checked out of the library. However, the library has strict privacy policies, and refuses to give you access to their records, only your own. What you do is reserve a book from every genre that the library carries, and then ask the librarian for the book you reserved of the same genre as the victim's book. The librarian, to save time, immediately begins fulfilling this request, even bringing said book up to the front desk, before finally realizing that the request itself breaches library privacy, and so refuses to return the book to you. Seems like you're out of luck, you don't know the genre of your reserved book behind the desk, so you haven't learned the genre of the victim's book. However, you now begin to request from the librarian every book you reserved one by one. Since these reserved books are properly a part of your records, the librarian happily obliges. For each book you note the librarian takes time to retrieve the book from inside the library, until one suspicious book is requested, which the librarian immediately hands you from behind the desk. That one suspicious book of course is the book requested from earlier, so with it identified and in your possession, you have successfully learned the genre of your victim's book. Now imagine repeating this process multiple times on the same victim using other qualities besides genre: like author, publisher, and so on. Each quality you learn about your victim's book allows you narrow down to the particular book your victim has checked out. Eventually, you will know for certain the identity of your victim's book, all by exploiting your hard working and naive librarian.

The real scandal is that Intel was notified about this over 6 months ago and their CEO dumped millions in stock before announcing this exploit.

I knew you’d post a video about it quickly! This is why I’m a happy subscriber

"Replace CPU hardware" *Straight face* Laughed out loud

So this is extremely low-level and thus hard for my high-level programmer brain to fully grasp, but let me see if I got this straight: if the bounds of a loop are stored in memory, the CPU will try to optimize by running the code in the loop first while waiting for the bounds to be retrieved; if the bounds turn out to be such that the loop shouldn't have been run, the result of the code is discarded. But when a value is taken from memory and used as an array index, those values are cached to speed up future reads, and the cache is not cleared during that "memory undo" process. So if you try to access a memory location you shouldn't be able to inside a loop that "technically" terminates before that point, the access will still happen. And if you use that value as the index of an array you do have access to, it will be cached. At that point, the indexes of your valid array which are cached represent the values of the bytes you tried to access (the iterations of the loop beyond the slow-to-retrieve maximum bounds), so by timing how long it takes to retrieve those array entries, you can determine the values of the unauthorized bytes by interpreting the indexes of the fastest-loading array entries. Is that correct?

Finally someone with knowledge of computer engineering addresses the issue and also points that Meltdown affects Intel specifically.

It looks like AMD hardware is only vulnerable to one of the three variants: the bounds check bypass. Some reports argue that this could be fixed by allowing the OS and the application code to disable speculative execution in certain circumstances. As I understand it the boundary check bypass only allows to exfiltrate data from the same process with the branch target injection being able to reach another process and the meltdown making vulnerable even the kernel. Intel and ARM hardware are afflicted by all three.

Interesting to note that all Raspberry Pi versions are invulnerable because their ARM chips either don't implement speculative branch evaluation (just branch prediction) or they don't implement it in a way that leaves traces in the cache.

replace cpu? with what, a rock?

What infuriates me is that the majority of the headlines are about the slowdown, and not about the vulnerability itself -.-

Literally checked this channel for this last night! You guys are awesome! Keep up the great work!

James Bond asks his mate "Mr CPU" to go wait for him at a bar. The Criminal Mastermind named "Meltdown" goes into the bar and says "I have a drink for Mr Bond here, anyone want it?" All in the bar take a while, looking around and asking "are you James Bond?", but Mr CPU instantly answers "No, he is not here", then James bond walks in...

It would be awsome if you could make more in depth videos, not only on this topic, maybe including the code explanation

Fantastic job explaining these exploits! Probably the cleanest and to-the-point description I've seen on KZbin so far. You know you're doing good when your viewers can use you as a security news source. 😉

That was fast, I thought it would take you a week or so to discuss it.

Wait! Are you saying my 486DX is unaffected by this? PHEW! And there I was, thinking I would need to upgrade my CPU.

Somehow Scott Manley, the guy who plays Kerbal Space Program, had a much clearer and more detailed explanation that the Computerphile channel.

Best computer science channel on KZbin! 🤓👍

After the end of Moore's Law, it turns out there's no such thing as a free lunch.

What I find surprising about this is that it took this long to discover this flaw. I don’t know much programming, though I do know some, and even less about implementations details and hacks like this. But even I know that CPUs have implemented speculative execution for a long time now. The methods described here seem to me pretty amazingly simple. It surprises me that no one thought of trying to exploit this before now!

Finally, a tech channel for serious IT people! This is my new goto source for serious vulnerbilities and game-changing tech.

"Replace CPU-" *quickly pauses, heart sinks, sense of impending doom looms over me* Please god no...

"Meltdown" (aka "Variant 3") is an Intel issue. Yes, Intel very much wants to confuse the matter, but make no mistake, that's their fuckup. (**see comments)

Great video. Can always count on Computerphile to provide a detailed yet concise explanation which is easy to understand

I enjoy videos where 200 nanoseconds is 'a reasonably long time'

6:55 is when any details Beyond a typical layperson news article start

This glosses over the most interesting part. :) The covert channel is timing how long it takes to read something, which is affected by what is in cache. Speculative execution can change what is cached and so allows the covert channel to exist, in combination with branch prediction making the wrong prediction. The branch prediction can be trained in a few ways, one of which involves the realization that the branching decision is remembered not by instruction location but by only some low bits of the branching instruction. The neat part is that the speculative execution can include a second lookup based on the first value fetched. Multiplication by the cache line size (the size of the chunk of memory that will be read when it is loaded in to cache), and then using that as a second lookup offset, fetches a unique cache line for each original value. This is the trick that allows the original data to be read (by then timing the reads of each possible offset).

KZbin thought I was going to watch this video, but I looked at how long it was and decided not to. Instead, I watched a Numberphile video really carefully, and now I know everything that's said in this video. I don't think that's supposed to happen.

Best under fiveteen minutes video on that topic i have seen do far

The worst part about all of this is it took independent researchers to find this just by chance. Various security agencies have well-funded branches that find bugs like this regularly around the clock all day every day of the year from full hardware exploits to firmware exploits to OS exploits. Hardware ones are less frequent, but still happen especially against embedded devices that don't change regularly. Some older devices are still connected to the internet as well, which is much worse. That includes some hardware that literally controls the backbone of the internet in some regions, some is still ancient and still used simply because it is reliable and If It Works Don't Fix It. (same reason we are still stuck with IPv4!) It's also a hard job to deal with in space hardware because it's feature-progression is considerably slower than main-line hardware. Biggest reason being the new hotness in CPU hardware generally leads to literal hotness in that they run hotter. Much much hotter. (especially branch prediction, which is the parent architectural fault involved in both of these bugs) This is very bad for space because it is stupidly hard to cool things there due to the lack of medium to move the heat in to because space is inert. Only way to get heat away is radiative, which is extremely slow. So you end up needing these complex cryo-cooling systems in CPU-heavy satellites, which limits their maximum operation time quite considerably and increases complexity. (and potential for failure) So this can lead to issues with space hardware if any bugs are found in them as well. All it could take is one hardware exploit to kill the GPS framework and bring modern globalized society to a standstill. (and the smartphone generation) Given how much money gets pumped in to exploitation branches of security agencies, they likely already know a few that could cripple society-wide services. Sometimes if they are really severe, they even announce them. However relationships in the security industry are broken over the whole blanket-spying stuff done by Five Eyes and the like. Many people are taking advantage of it by leaving security agencies and forming their own companies to make some cash. NSA lost loads of people.

It's not easy to explain such a thing without going into details too deeply, yet staying meaningful. I think made a great job, as always, here in computerphile. (The cache access time could have been a bit more emphasized, though.) But PLEASE, PLEASE USE A TRIPOD! It would be such a quality leap for these videos!

Always look forward to watching Computerfile's break down of the newest and greatest security vunribility. Another great video guys! PS: from what I have gathered, it's a vunribility where all the correct things have to be under the exact right circumstances for it to occur. I have yet to see any real real-world examples or instances where this attack has or can be used besides some whitepaper's example code. In other words, I'm not phased by this nor do I care about the risks it brings.

The title needs to be better. Before I knew what spectre & meltdown were I had no desire to watch this video. Then I watched The WAN Show and now I want to.

I like how; while under development, the patch that was applied by Linux devs was given the name "Forcefully Unmap Complete Kernel With Interrupt Trampolines", it was changed for the actual release of the patch because of the same reason as why I like the name... spell out the first letter of each word xD

Great explanation, thanks!

4:48 Dr Bagley is creating an 'off by one' error. In most languages that array would contain 17 items, not 16. Thanks for the buffer overflow, dr Heartbleed.

As bad as this exploit is, i'm not too worried. As far as the regular folks are concerned, I find it far more likely that they are going to have random other software related exploits whether it be trojan's, keyloggers, phising scams. Plenty of other things for them to fall for, rather than getting a more complicated program on their computer which does this slow data extraction which may or may not be useful, given that the implementer has to know what they are looking for before they can even make use of data. This issue should likely be quite simple to fix for Javascript/code from the web, as the code is compiled by the browser, you could just alter the JS compilation/VM process to break any cache coherence thus resulting in speculative execution not working for higher level code.

Very informative and technical. Just what the doctor ordered. 10/10

All your systems are belong to us.

I seen this coming from the moment I began experimenting with parallel programming techniques. Having developed a lot of creative uses of Semaphores to get around the pitfalls of out of order execution, I will be incredibly happy when we start to see processors that don't pretend to know better than the programmer what order their instructions should be executed. I should never have to suspect memory barriers I drop into my code aren't actually doing anything but you would be surprised just how often modern processors completely ignore their presence.

too lazy to do my own research on this topic, since I know computerphile will do a better job. Finally it is here, and im not disappointed

Good high-level explanation, I encourage people interested to read the papers published and do some research about branch prediction. For starters, Tomasulo's algorithm was one of the first OOO execution designs that many processors are still based off of. It's old, so it's easier to comprehend then today's massively complicated schemes, but will still give you a taste of what happens at the h/w level.

Excellent video. Very informative and interesting. I just knew Computerphile would cover this.

Expected a deeper explanation, considering this is computerphile

Steve Bagley Thumbs up for mentioning the BSDs. Their developers haven't been a part of the embargoed information, even though they run a pretty significant part of the Internet's backends...

Raspberry Pi's blog did an awesome job explaining this. (Mainly because they actually showed (pseudo-)code)

Wow, very fast content reaction to current "Computerphile" topics. Great! By the way: does CERT list hardware which is considered "secure" in terms of Spectre and Meltdown?

Cool, this is from the university of Nottingham, same place that makes those awesome Periodic Videos about chemistry and elements!

Yeah just let me crack open my iMac and replace the CPU that should be pretty easy

Bring Dr Pound. He explains things in a much better manner. Easy to follow along.

Super fast :) Most media is not ready yet to explain it well.

Very good explanation, thanks guys!

Great explanation many thanks

The science behind the exploits is very interesting.

And to make it clear, the Meltdown bug, which has the highest likelihood of speed degradation, does not effect AMD CPUs.

I cant think of anything I wouldnt rather do instead of computer security. What a nightmare ... constantly a new battle you will inevitably lose

Reminds me of that Computerphile video about the exploit of cache memory byway of specific SQL queries.

Love the juxtaposition of Hawaiian shirt and grey sky. Very informative as always.

Cool, that's actually pretty easy to understand.

There has been talk about this for some time (for years), so I'm not sure why this is suddenly seen as a huge problem now. Though I gather nobody knew exactly how to exploit this vulnerability before, and that someone finally decided to make a proof-of-concept.

2:14 as i understand it the original google engineer had POC working in javascript the first day and was listing his https tabs open in firefox... best estimates are it can get out about 1k bits per second

spectre would work (almost) everywhere 1. cache hit / cache miss 2. row hit / row miss those who have seen specific video about it and know about it from beginning know what I refer to, others should be better off not knowing.

Everyone is forgetting one vital thing: Your home computer is not important enough to be hacked with this kind of vulnerability. Auto updates off. No worries.

Thanks for the explanation.

Also, where is the stock-pile they pull from w/ the old printer paper, haha?! Love it.

A big thumbs up! BTW, could you please add subtitle functionality in the videos?

Thank you!

Hello from July 2024. Processors have been getting their low-level ***es kicked this year. This video regularly remains relevant.

Wow. There's something like 20 years worth of processors which are vulnerable to this family of exploits. Wasn't the Pentium Pro Intel's first out-of-order processor? That came out in the mid-to-late 1990s, so we're in pretty hot water with this lot.

Nice explanation thx PS Not related to this video but was a bit disappointed you didn't cover the root bug on mac os a month or so ago :) Where you could go to settings and use root as a user name on the password prompt

Timely

They never introduce themselves or say hello, they just start talking lol

I think it's worth emphasising that Meltdown is specific to Intel's architecture*. The ability to execute code before the security check is a huge deal and I don;t think its fair to tar AMD, ARM etc. with that brush. Meltdown is caused by a broken security model whereas Spectre is a consequence of out-of-order designs. (* potentially Apple's custom ARM cores too)

I was hoping you would make a video on this!

“Modern CPUs” - this works in CPUs from 1995. This has been around since very long time.

Love the shirt

Would you be able to get information from another virtual server if they both lived on the same host?

So, the way to solve this would be to throw out cache lines that were read in by speculatively executed code, right? Does the branch predictor set any flags that could be used as a trigger for an interrupt handling such a thing? So long as you are not using a real-time operating system the slight delay should be virtually undetectable. If the CPU had to be redesigned, the branch predictor may simply need his own dedicated cache lines for backup storage.

so basically it's like reading a file out of a temp folder

10:15 So does "array 1 [x]" gets stored in cache or "array 2 [array 1 [x] * 512]"?

Very timely. Good job. :)

The problem is in the MOB. Those guys never knew what was goin on until it was too late.

From the "Cloud Perspective", the dom0 (hypervisor), could squash these instruction set requests from domX to prevent flaws... just a thought.

It has been over three years now, do you know which, if any CPUs have "fixed" this problem?

Great video!

I've been reading very mixed opinions on the likely effect on Intel CPU performance. I'd love to hear a detailed and unbiased explanation of this. Also, does this mean consumers should avoid buying new computers until the next generation of redesigned CPUs?

Nice analysis

Excelent explanation

By causing a failed speculative branch to access a privileged address beyond the end of an array, the cache is populated by values that should not be available to the execution context. These values can be accessed immediately after the failed speculative portion of the branch causes the cache to get populated. The failed speculation does not cause the cache line to become invalid, or to be marked as privileged. A subsequent access to the privileged address returns cached data that does not have a privilege flag because it was first accessed via a failed speculation. By measuring how long the loop iteration took, the presence of this privileged data that has not been tagged properly can be determined, thus avoiding a privilege violation for accessing it.

I understand how you can read the prefetched piece of memory that exceeds the array size check, but a prefetcher doesn't prefetch the entire memory. How is it that you can read everything instead of just the first bits after the end of your own program space?

I don't see why CPU flaws need their own logos.

Anyone have a link to the code Steve is walking through?

What about all those lovely ThinkPads that are out there they will all have to be replaced? The 2nd hand market could be quite exciting soon!

Nice Amiga 1000 there in the background! :)

this really helped, thanks

This didn't have to happen. This was completely a result of our processors having become so complicated that the right hand doesn't know what the left hand is doing. In this case, the "right hand" was the cache memory team and the "left hand" was the speculative execution team. The speculative execution engine failed to truly unwind ALL effects of an aborted speculative execution, and that got exploited by clever people. The key to designing a secure system is to KEEP IT SIMPLE. Keep it simple enough that you can tell just by looking that it's secure. Make it so you can "know it in your bones." Once you let your working arena get so complicated that you can't keep up with everything (all the time), then you've got little hope of guaranteeing secure operation. We crossed that valley many, many years ago.

Who is going to make the replacement CPU, where do I request one and who will pay for the cost of the replacement?