Meltdown and Spectre in 10 mins

Transcript

1. None

2. @thebestie // Karnov Group 2018 Coolest thing ever to happen

   to CPU nerds Best logos associated with a crisis Affect pretty much everyone Worst computer vulnerabilities possibly ever

3. @thebestie // Karnov Group 2018 Allows unprivileged programs to read

   the entire systems memory Meltdown ‘Melts’ existing memory isolation boundaries Virtual Machines are not safe! AWS, Google Cloud and Azure

4. @thebestie // Karnov Group 2018 More limited in scope Spectre

   More complicated, tricky to do, difficult to prevent JavaScript proof of concept can read your entire browser’s memory

5. @thebestie // Karnov Group 2018 Spectre Malicious JavaScript can steal

   all the information in my browser!

6. @thebestie // Karnov Group 2018 What’s at risk? Spectre Your

   cookies and active sessions Entire Gmail inbox Social media accounts PayPal Banks

7. @thebestie // Karnov Group 2018 Update your operating system What

   can I do? Update your browsers Turn on ‘Strict site isolation’ in Chrome Close some tabs and log out

8. Cool story. @thebestie // Karnov Group 2018 How does it

   work?

9. 1 x = get_some_legal_data(); 2 y = get_some_illegal_data(); 3 do_something_with_value(y);

   @thebestie // Karnov Group 2018 This is slow, while the CPU waits it executes 2

10. 1 x = get_some_legal_data(); 2 y = get_some_illegal_data(); 3 do_something_with_value(y);

    @thebestie // Karnov Group 2018 This is illegal but the CPU doesn’t know it yet

11. 1 x = get_some_legal_data(); 2 y = get_some_illegal_data(); 3 do_something_with_value(y);

    @thebestie // Karnov Group 2018 This is where the magic happens

12. @thebestie // Karnov Group 2018 0 1 2 3 4

    5 6 7 9 10 This is an array I made earlier, I can read/write

13. @thebestie // Karnov Group 2018 0 1 2 3 4

    5 6 7 9 10 1 1 x = get_some_legal_data(); 2 y = get_some_illegal_data(); 3 my_array[y] = 1; Looks like y was 7

14. @thebestie // Karnov Group 2018 0 1 2 3 4

    5 6 7 9 10 But that was illegal An exception was raised State is rolled back

15. @thebestie // Karnov Group 2018 0 1 2 3 4

    5 6 7 9 10 Something was left over . . . When iterating something strange happens

16. @thebestie // Karnov Group 2018 0 1 2 3 4

    5 6 7 9 10 Something was left over . . . When iterating something strange happens

17. @thebestie // Karnov Group 2018 0 1 2 3 4

    5 6 7 9 10 Something was left over . . . When iterating something strange happens

18. @thebestie // Karnov Group 2018 0 1 2 3 4

    5 6 7 9 10 The CPU has cached the value of 7 The data is returned much faster

19. @thebestie // Karnov Group 2018 Repeat 1.048.576 times You now

    have 1 MB of data

20. @thebestie // Karnov Group 2018