So annoying when researchers stumble over your government backdoor. 😞

Chat message I saw was so funny… > users act worried about a low level vulnerability, meanwhile they're giving league of legends a rootkit

One day is not a vacation, that's called sleeping in.

much love to the LowLevelLearning drop in for more intel, that was cool

The Meltdown is, basically, this: you say "CPU, take the value at this memory address I don't own, and treat it as the relative address in my current memory space". CPU retrieves the value you don't own, goes to the address in your address space, and fetches it into the cache. And then drops the result because of the security. But! As a 16-bit value can only have 65k variants, you can check which of the 65k memory values in your address space is in the cache - by trying to retrieve it and measuring the response time. The address of it is the value by that address you don't own.

"As an adult, I don't put stickers on my laptop" Tough but fair - I needed to hear this.

Side channel attacks are a fascinating topic. I remember hearing of one where a specific encryption algorithm was cracked for a specific device, because the device had an LED that would blink when data was being written to memory, which would leak the cryptographic keys to an attacker looking at that LED.

Apple knew about this exploit, it's in M1 and M2 chips.M3 chips had a single bit flag added to the hardware to override the prefetch behaviour on demand... they knew. Chip design takes years to get from inception to production, this was found three or four years ago when M3 was a glimmer in Apple's eye...

Spectre and Meltdown described as "back in the day". Hooooo boy.

"I want on a vacation for a day" is the most American thing ThePrimeagen has ever said.

Oh snap, it’s Low Level Learning! He rocks!

Let's say hypothetically they knew that this "0day" was here, and love that it will force people to prematurely retire M1 machines.

I had someone ask about the stickers on my laptop... I said they're the computer geek version of prison tattoos

It scares me how smart hackers are, and the techniques they have that I would never think to defend against.

You are the PRIME source of tech news. I love coming back to your videos EGEAN and EGEAN

This is totally patchable. Pop the CPU out of the socket and pop a new one in. That was the fix for the Pentium fdiv bug. Apple just has to mail everyone a new CPU. Expensive, for sure. But this is what companies with recalled products do. Oh, soldered in and glued together.... yeah "modern" computing is dumb.

Basically, a side-channel attack is being able to derive information from observing the operation of some system.

Original side-channel issues where (as I recall) first raised as an issue right after virtualization was becoming mainstream in datacenters... about 2003-2004 or there about. At the time VMware and other type-1 hypervisor publishers (most not yet mainstream) were struggling to create methods to protect VMs watching VMs on the same physical machines.... explaining this issue... to non-technical management... was I think one of the most difficult things I have had to do in my 30+ IT career in virtualization/security/infrastructure design work. And what is possible now, is light years more complex, you have only scratched the surface of what the real zero-day exploits are now.

To explain it further, a side channel attack is an attack that doesn't use flaws in something, but observes how it is working. The famous example is the pizzerias near the Pentagon: The pentagon is extremely secure so knowing then they're planning something is (let's say) impossible... But when everybody is working, they eat at the facility, so you see a spike in orders at nearby pizzerias! The spectre/meltdown attacks work by making the CPU think it's gonna load something by for example running a function repeatedly that always returns something. Once it's "trained", you suddenly make the function return something else. The CPU will have already returned the value you repeatedly calculated before, and it has to redo the operation once it sees it's wrong. By timing how long the CPU takes to correct the mistake you're able to understand what it's doing! Spectre/meltdown use this to gather data about what is in cache (for example, doing a simple operation multiple times on parts of memory you can access, then suddenly try to do the same operation on a part of memory you can't access so the CPU does it, realizes it can't, and corrects the mistake while you time it), without actually ever reading the cache. Super cool! Explanation about the actual attack is very simplified because I don't know how it works more in depth than this lol. It's black magic

Pc: vulnerability found and lessons learned in 2016. Apple: well let’s do it in 2024

5:15 Someone had that same battle net update popup happen to them at the end of a no-hit run in Dark Souls and died because of it.

For the memory leak from the cache, an attacker could tell the CPU to return values from memory outside the range of where data is protected because the branching prediction doesn't check the memory space restrictions, therefore you can effectively get some data from the branch prediction outside of its own memory space. The data may be inaccurate because it's only a prediction, but it's still data regardless.

Side channel sounds scary AF, the kinda thing you go into a habbit role of madness to avoid if you're really paranoid.

Cool cameo by LowLevelLearning!

I'd imagine your isPointer(value) function would be something like - The HW MMU knows the pages allocated to the virtual memory sandbox the application is in. So the HW cache looks at the upper bits of values in the cache and if they match a virtual page address mapped in that processes virtual memory sandbox, that's pretty likely to be a pointer. I think it'd probably just look a few resent cache page addresses, like a TLB. Scanning through all allocated pages would obviously be a performance loss in a L1 or L2 cache.

Well pointers (that aren't null) tend to be big positive numbers, so I guess every big positive number is a pointer now.

It’s very easy to imagine a looks_like_ptr() function. Only some ARM instructions allow pointer operands. So if you have some data that is the same as an ARM machine code which takes a pointer operand, and the “pointer” looks like a viable virtual address, then the data looks like a pointer.

Icestorm cores are the name for the efficiency cores. The performance cores are called Firestorm cores. Likely a reference to their impact on the thermal envelope of the CPU.

Bitwise math is cool, and more people should know it in programming

Responsible disclosure can also be "seeing active exploit in the wild". A theoretical attack that isn't being actively exploited is lower risk, but active exploits need to alert people so they can defend.

My noob self caught mention of the XOR swap earlier this year and I looked it up and found articles but man was I too stupid to grasp their explanation. That bit magic eludes me.

I love how prime is just as intrigued by xor swap as I was. I found it myself when trying to swap too variables without using an intermediate variable and I wanted to do it in a way that wasn't just using an intermediate behind the scenes. then i quickly looked it up and was glad to see it was a very old algorithm

Honestly! Super cool that you just plugged lowlevelearning into your stream. 👏👏 nice job with your community prime!

Low Level Learning X Prime 🔥🔥🔥🔥🔥

This only works if your Mac is already compromised, it’s an issue with the silicon but if it gets to that point then your machine is already infected.

I forget who said it first, but laptop stickers are the tech equivalent of prison tattoos.

@6:00 spectre works something like this: 1. Allocate Memory Array: The attacker creates a program that allocates a memory array. 2. Condition Branch Predictor: The attacker conditions the CPU's branch predictor to predict that a bounds check will pass. 3. Access Out-of-Bounds Memory: The attacker feeds an out-of-bounds address to the array. 4. False Branch Prediction: The CPU's branch predictor falsely predicts that the bounds check will pass. 5. Speculative Execution: The CPU speculatively executes code, including accessing data from the out-of-bounds address and using it to index another array (the "capture" array) owned by the attacker. This causes that part of the capture array to be put into cache. 6. Branch Misprediction: The CPU eventually realizes the branch prediction was wrong and undoes the speculatively executed code. 7. Cache Side-Channel: The CPU does not undo the cache fetching of the capture array, leaving traces of the speculative execution. 8. Access Time Measurement: The attacker measures access times to the capture array to determine which index corresponds to the data accessed speculatively. 9. Cache Eviction and Repeat: The attacker evicts the cache for the capture array and repeats the process.

looks like a pointer in prefetcher is simply if this address was previously used as a pointer (and that instruction committed ok) then the prefetcher "learns" that information in what you can think of a "hardware table." So, address 0xdead was once accessed as a pointer, then prefetcher allocates a row in that table and remembers this address in case it sees it again in the future. Now there is another problem here: all these uArchitecture optimizations are left as is during context switches (too expensive to clean up everything,) so you could leak information across context too... It's can of worms that shows up with prefetchers and branch predictors

That we still load cryptographic secrets into general purpose hardware with caching and branch prediction &c. Is absolutely insane plus a general backdoor into all current computers. We only use specialized hardware for login and disk encryption, so why not also for all other crypto with universal kernel support and a common little C library? And I mean since 2014 or so, when timing attacks on otherwise unreachable memory were a big topic for the first time?

the M1 chip is just asking its AI cores trained on exabytes of pointer addresses to distinguish between what is a pointer address and what is not

Been watching for a while, absolutely love the streams. Endless fun and tons of info. Thanks!

Man I must be a mad nerd.. because I’m just cracking up at “looks like a pointer code” you’re awesome prime.

It sounds like they're saying since they know the encryption function, the IsPointer function, and if IsPointer has returned true (since they can see if the cache has updated?), they construct a piece of data x that goes in like IsPointer(encrypt(x, key)) and if IsPointer returns true or false that narrows down the possible values of the key.

just want to give a quick shout out to my man *LowLevelLearning* for such a great explanation about side channel hacks

It's a feature: Hangman, you guess a letter, CPU tells you if it's in there or not.

As an adult I have a crazy subs sticker, a remilia sticker and a drawing I made myself stickered all on the side. Only kids wouldn't sticker their computer that's for sure!

The highlight of this video for me is that Low-level learning follows the primeagen!

idc if someone physically has my laptop, I'll consider it compromised. vulnerability discovered or not discovered.

It doesn’t require physical, as in touching the processor, access. You need access to the same processor as another process you want to infer information from

It's all about dangling pointers and backdoors.

"I don't put stickers on my laptop; I'm an adult. I like things clean." One moment later: "Raptor Lake, that's a badass name!" I'm with chat on that one, you need stickers on your laptop 🤣

a pointer is usually word aligned, page aligned etc.

Seems that only cryptographic algorithms running on Application Processors are at risk, not Secure Enclave(SE)-backed ones like FileVault on internal SSDs or login passwords. So applications that don't utilize SE, including encrypted Time Machine backups on external drives, are no longer secure until patched.

Apple owes everyone a refund. and maybe some damages.

If you're the processor, it's not hard to "guess" if something is a pointer. First of all, pointers tend to be word-aligned -- if your word is 64 bits long, it means every pointer will be a multiple of 8. Second of all, with Virtual Memory, your pointers don't have absolute memory addresses, but they're all relative to some base (that you, as the MMU, know). So the first guess would be: any word-sized value that's a multiple of 8 and is within this process' virtual page boundaries. Not all integers can be pointers in most architectures. Especially modern ones. This isn't something silly.

The way Mac's encrypt the drives is done via hardware keys. Im going to assume none of that stuff is really exposed to the OS.

Calling Georgia Tech “JIT” is going to show up in my nightmares

Girthy ... lol. Was in a band named "Girth" once. We had side-chain leaking issues too.

Say what you will, it's impressive as hell that this backdoor was only found four years later. On an entirely new architecture that had lots of tech-savvy early adopters, to boot.

Hates stickers on his laptops. Likes things clean and nice. Has giant mustache. He’s an adult.

"As an adult I don't put stickers on my..." woah.. take a step back there grandpa. LOL.

18:20 think I just witnessed the birth of a new meme

Grow to be 6'4" 230 lbs and I assure you no one is stealing your latop from you.M1 Max here. Best machine Ive ever woned. No doubt thee most secure machine ive ever had

LLL was on the ball... super clear and succinct... Fantastic!

As for pointer prediction, I think there are "usual cases". For example, if I am not mistaken, even if an address is 64 bits wide, the hardware uses only 48 to address memory (~256TB), meaning the top 16 bits are always 0 (if not stuffed with other bits for other optimizations by the programmer ... used, for example, in fast map datastructures). Another part of it is that an application's virtual memory range is typically the same. The stack and heap usually fall within the roughly similar regions (despite ASLR / KASLR), which are later translated by the MMU (memory management unit). Another great way to predict if a value is a memory address is to look at the instructions it is operated upon by. If a value has load, store, offset, and "memory-like" calculations performed on it, it is almost certainly an address. Classic access patterns such as virtual-table indirection for runtime-polymorphism use pretty uniform implementations, so that can be another good metric. I think these operations are not as hard to implement as they seem to be. The first can be done with simple bit-masking. After that, you can check if the value lies b/w some VM ranges (the kernel can do this, and given tight hardware-kernel integration on macs, this shouldn't be impossible to achieve). By this point the value is almost certainly an address. And by perhaps checking what previous instructions were executed on this value, you can pretty confident that something is an address. I mean, it made sense to implement it at a hardware/firmware level and spend really expensive silicon realestate for it, so I think it's safe to assume the implementation itself wasn't thaaaaat hard (for smart engineers), and took up fairly small cost in terms up hardware/firmware resources.

If im not wrong, for the isPointer function, you could get the memory segments of the process and then just check if the val that is inside the ptr is < seg.max and > seg.min. Making sure its 8 bit alligned, and a bunch of other stuff to check if its a pointer. Not 100% all the time, but very close to it

Battlenet doing Prime dirty. But still did Zentreya way more dirty.

Although it's beyond my current ability as well, to design a pointer detector, where I detect you barking up the wrong tree is in that you're talking about programming the pointer-detector using code (instructions), while the actual pointer-detector implementations you're pondering, are implemented in logic gates, so there may well be an "is pointer" flag-bit or register or something else physical which can be checked to see if the 64-bit value is a pointer. I realize that's not the same as "looks like" a pointer, but my point is that this is occurring in hardware, not software.

Another useful purpose of XOR: XOR a value with itself equals 0. This sounds trivial, but is used heavily on for instance the Z80 processor in the Game Boy and MSX. Often you need the value 0 to be in register A. In C this would be something like: int a = 0. So, intuitively you’d think: load 0 in register a (ld a, 0) right? Well, that works, but it can be done way more efficient. "ld a, 0" costs 2 bytes and consumes 8 cycles, whereas "xor a" is only 1 byte with 4 cycles. And on a small CPU like the Z80, that’s a massive improvement.

Battle net requiring a launcher to sit between me and my game is the real performance issue.

Reminder that Ainz actually cast Sharknado. The Overlord author is whimsical.

A14, M1, M2 and M3. Yes they are all vulnerable.

Looks like a pointer? Maybe it's checks if it looks like a valid memory address which code could point to?

When you picked up your System76 laptop, I about vomited. I used to own one, felt like overpriced piece of white-label junk (cheap plastic laptop with added branding and a significant markup). I remember reaching out to S76 support for a replacement charger, and they quoted me something ridiculous like $200. A little too "premium" for me, tbh.

Shared device contexts also apply to browser windows. That is, if you have multiple tabs open, and one of them is hammering cache, it can sniff your encryption information via JS. This can happen not only via malicious sites but also ads. I'd link the research paper but.. yeah. KZbin spam filters and all that.

Values tend to not use the full range of what numbers have to offer. Take uint64. Most uint64s would fit into uint32...and most 32s into 16s. For signed ints you would have that 1 significant bit for the minus then lots of zeros so 100000011 is probably -3 000000011 is probably 3 101101011 is probably a pointer

Simple: you read from your own memory but the adress depends on a hidden forbidden byte from not allowed memory. Then the read into your own memory doesn't actally happen but then you actually read your own memory and one block of memory will be read way faster.

What an awesome explanation by LLL

One thing to note is that the XOR trick (17:38 - 20:57) doesn't work if both operands are the same variable (or accessing the same memory location). a ⊕ a is always 0, which gets assigned back to a. Since both operands are now 0, a would always end up being 0 instead of its original value like it would be with a true swap. It seems odd to swap a variable with itself, but could be concern if you implement this with a function that takes two pointers and then pass the same pointer to both arguments. Here's an example in C. #include void xor_swap(int *a, int *b) { *a ^= *b; *b ^= *a; *a ^= *b; } int main(void) { int x = 5; int y = 7; printf("Before swaps: x=%d y=%d ", x, y); xor_swap(&x, &y); printf("Swapped x with y: x=%d y=%d ", x, y); xor_swap(&x, &x); printf("Swapped x with x: x=%d y=%d ", x, y); return 0; } It prints the following: Before swaps: x=5 y=7 Swapped x with y: x=7 y=5 Swapped x with x: x=0 y=5

The attacker doesn't have to have access to the machine. I think it was mentioned that the attack can be launched from within a web browser

See we kept telling you all NOTHING is safe lol. They just found a low level backdoor into Linux too. Windows is not lonely at all in this manner roflol. Funny thing is Windows 12 is rumored to be much more like Linux and its compartmented design.

Finally someone realizes how moronic and childish stickers on laptops are. Wondering how long it would be before someone actually realized it's stupid.

All M2-MaX owners. Shall we start a Class Action to demand a M3 chip upgrade 😶‍🌫

When governments think building a backdoor into encryption is a "good idea" .

If it looks like a pointer and quacks like a pointer, it's probably a security issue.

Thank you for the "how would I code that" part

Love Low Level Learning

internal ssd encryption/decryption is not done on the cpu but in the secure enclave.

2:00 for real, I always cringe when I see people with stickers on their laptops...

18:26 Michael Scott summoned!

I’m just commenting to support the Chanel

Funny, Apple is having a hard time getting people to upgrade from M1 and M2 laptops. Interesting timing for the announcement heading into Q2. lol

Sounds like the same issues the apple has previously in their t2 security chips. They were also not able to be patched.

Vulnerability != Exploit ;)

1:53 *proceed to tell how much he loves rust and dye his hair blue*

5:14 It looks like Blizzard hired Luke Skywalker on the update department, to use the Force. 😆

See.. I'm a Foilhat and I can't be objective on that parts, but for some reason, it's for years ALWAYS a Mechanic like this, which doesn't wants me to believe anymore to the "Skill Issue"-Theory. "0x24000 Segment Overflow" are the Magic Words here (since iPhone 3 btw!). To still thinking, it's not for the Secret Services, is the real Conspiricy Theory

17:24 This bit about XOR memory was brilliant. Earned you my subscription. Thank you for the insight!

As I understand how the information is leaked, everyone is allowed to see what addresses are cached, and by making data "look" like an address the DMP will treat the value like an address and grab that "address" making it incidentally public

Mans just insulted laptop stickers. Bad take bro.