Meltdown. How to leak any data from any PC built after 1998
This article is popular-style, only basic IT knowledge is required
|Time to read||~15 minutes|
Before we start today, there is one very important piece of information:
Everything what I describe here is real, working, and exploitable if you do not patch your OS (you should already get automatic updates from your vendor, if not – continue reading, you will be surprised how easy is to steal all your sensitive data!)
Imagine you step by a huge library that stores a lot of information in numbered desk drawers. Of course you are not entitled to view all data, some of them are highly sensitive and there is a guard that will not let you in.
Oh, here is the guard in question, so let us ask them nicely if they can let us in!
"Hello, Guard. I need data from drawers 16, 20 and 24"
"Mhmm, mhmm...", the Guard grumbles searching through catalog, "You cannot access any of those!"
"Okay, and how about 66?"
"You cannot access it either!", they answer, before even looking at catalog.
"Thanks, nice talking to you" and you politely get out, having one very important knowledge gained.
So, actually what have you learned?
The chest drawer 66 was recently used, because the Guard did not have even have to check whether you were authorized or not! That fact was already remembered.
We will call such drawers "warm" in opposed to "cold" 16, 20 and 24.
Now imagine you are in charge of optimizing advanced factory. There is one, very wise guy who operates conveyor. He takes enveloped orders, reads, executes them and finally sends back the results to those who had requested them.
You quickly discover that the process can be optimized. We can actually pre-fetch envelopes when they are not yet needed, just to speed up the process. There is even better optimization – we can put another wise guy side by side, and they will be reading envelopes sequentially.
Where is then the catch?
What if order number 9 ask "Do not execute order 10! Skip it and go to order 12". Yeah, but the guy alongside has already started executing order 10. He has to undo results, and start working on order 12.
This optimization called "out-of-order execution", has substantially improved the speed of your PC. After all, in the worst case some orders have to be discarded. Nevertheless, we can see huge boost to computing power without raising CPU clock.
So let us introduce "an Evil Eve" who wants to read the secret number stored in the drawer 77. She places two enveloped next to each other:
"Order 92: please, divide seven by zero"
"Order 93: please, put the content of desk drawer 77 (secret number) into the desk drawer 100 plus the secret number"
The operation is not possible as Evil Eve do not have an access to the drawers number 77 or above 100, nevertheless the trial makes the drawer "warm" which she will use later.
Both "wise conveyor belt operators" start working in parallel on orders 92 and 93. First one mumbles "divide by zero, divide by zero..." while the second one is sending a runner to the library.
By the time the runner accessed the library, the first "wise conveyor operator" finally came to the following conclusion:
"Damn, we cannot divide by zero! Stop processing and revert your task, Mr. second!"
"Okay sir, I am sending another runner to the library to undo the request"
After that, Evil Eve goes to the library and asks security Guard sequentially about the content of drawers starting from 100. She waits patiently for the security Guard to scours through catalog just to find out that it makes much faster for them to answer "no access" to one specific drawer (suppose it was a drawer number 116).
"Oh, you already know I have no access to desk drawer 116? Thank you very much, kind sir".
Knowing the number N at and subtracting 100 from it the Evil Eve immediately knows what the secret data was.
She can now repeat the whole process to get all the data from all desk drawers in your computer’s memory...
... with the actual speed of more than 500 kb/s she can learn all the secrets from your PC.
Oh, by the way: we can actually combine order 92 and 93. The wise "conveyor operator" will tell us that we could not execute it at all, as we do not have access to desk drawer 77. But still the desk drawer 116 remains warm...