Jekyll2023-07-07T17:51:26+00:00https://github.com/feed.xmlVimal PatelHere you can find my resume and blogs I have written.What is the meltdown attack?2023-07-06T09:16:00+00:002023-07-06T09:16:00+00:00https://github.com/technical/2023/07/06/meltdown<style>
img.scaled_centered {
display: block;
margin-left: auto;
margin-right: auto;
height: auto;
width: auto;
max-width: 300px;
max-height: 300px;
}
</style>
<p><img src="/pictures/meltdown/meltdown_logo.png" alt="Meltdown logo" class="scaled_centered" /></p>
<h2 id="overview">Overview</h2>
<p>Meltdown is a software attack that exploits the out-of-order execution of modern processors. Let’s first understand what is out-of-order execution.</p>
<h2 id="out-of-orderooo-execution">Out-Of-Order(OOO) execution</h2>
<p>Normally, processors are supposed to execute instructions in a sequence one at a time. But, in 1967 a computer scientist named Tomasulo invented an algorithm that provided processors the capability to execute instruction out-of-order. So, the processor would execute the instruction as soon as its operands are available provided there are enough free resources like registers and execution units.</p>
<h2 id="the-core-of-the-meltdown-attack">The core of the meltdown attack:</h2>
<p>In the light of an OOO execution consider the following sequence of instructions:</p>
<div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">try</span><span class="p">:</span>
<span class="k">raise</span> <span class="nb">Exception</span><span class="p">(</span><span class="s">'dummy exception'</span><span class="p">)</span>
<span class="n">secret</span> <span class="o">=</span> <span class="n">memory</span><span class="p">[</span><span class="n">secret_data_location</span><span class="p">]</span>
<span class="n">catch</span> <span class="nb">Exception</span><span class="p">:</span>
<span class="k">pass</span>
</code></pre></div></div>
<p>Because of the OOO execution, by the time the exception is raised, the processor would already have issued a read from memory location <code class="language-plaintext highlighter-rouge">secret_data_location</code>. Note that the code would not even have permission to read from <code class="language-plaintext highlighter-rouge">secret_data_location</code>. But, it does not matter because that instruction is not supposed to have been executed by the processor because of the exception that just precedes the access. So, the processor can’t just kill the process stating that it tried to access an illegal memory. So, when the exception is raised the side effects of the remaining instructions that follow the <code class="language-plaintext highlighter-rouge">raise Exception('dummy exception')</code> instruction needs to be discarded. But, many of today’s processors only discard the architectural side effects and not the micro-architectural side effects. The micro-architectural state includes the processor’s components like cache which are not exposed to the operating system and the operating system can not control such components. The meltdown attack exploits exactly the fact that micro-architectural side effects of operations that are not executed are not discarded. It does this by changing the micro-architectural state to encode the information from the <code class="language-plaintext highlighter-rouge">secret_data_location</code> and extracting this information from the micro-architectural state afterward.</p>
<h2 id="leaking-a-secret-byte">Leaking a secret byte</h2>
<p>Now, let’s see how can we retrieve a byte of information from a secret location which is not directly accessible to us. Consider the following code:</p>
<div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">try</span><span class="p">:</span>
<span class="k">raise</span> <span class="nb">Exception</span><span class="p">(</span><span class="sb">`dummy exception`</span><span class="p">)</span>
<span class="n">secret</span> <span class="o">=</span> <span class="n">memory</span><span class="p">[</span><span class="n">secret_data_location</span><span class="p">]</span>
<span class="c1"># probe is an array of 256 elements. Make sure that
</span> <span class="c1"># the `probe` is not in cache at this point.
</span> <span class="n">x</span> <span class="o">=</span> <span class="n">probe</span><span class="p">[</span><span class="n">secret</span><span class="p">]</span>
<span class="n">catch</span> <span class="nb">Exception</span><span class="p">:</span>
<span class="k">pass</span>
<span class="c1"># Measure the memory access time for all the 256 elements
# in the probe array. The index of the element which has
# the minimum access time is the value of secret byte.
</span></code></pre></div></div>
<p>As discussed previously the instructions that follow the <code class="language-plaintext highlighter-rouge">raise</code> instruction will get executed because of OOO execution. So, for instance, if the secret byte value is 11, then only the probe[11] will be in the cache(remember we flushed the cache beforehand?) and because of that, its access time will be significantly smaller compared to other items in the probe array. So, we will know that the value of the secret byte was 11.</p>
<p>So, just like this, the meltdown can melt the operating systems boundary between kernel and user space. The attack when reported was so novel and catastrophic that researchers believed the reports to be fake.</p>