【BibiGPT】AI 一键总结:【计算机】15分钟读懂英特尔熔断幽灵漏洞-Emory
摘要
视频作者Emman rikerson教授介绍了英特尔处理器的熔断(Meltdown)和幽灵(Spectre)漏洞。这些漏洞利用了现代处理器的推测执行机制,通过侧信道攻击获取敏感信息。视频详细解释了内存、缓存、推测执行和侧信道攻击的基本概念,并展示了如何利用这些漏洞读取其他程序或系统的私密数据。
亮点
- 🛠 内存结构:计算机内存由多个层次组成,包括慢速的大容量存储(如硬盘)和快速的小容量缓存。
- 🕵️♂️ 侧信道攻击:通过观察计算机在处理某些任务时的物理特性(如时间延迟),攻击者可以推断出敏感信息。
- 🚀 推测执行:现代CPU为了提高性能,在等待内存响应时会提前执行可能的指令,这可能导致安全漏洞。
- 🔐 熔断与幽灵漏洞:这些漏洞利用了推测执行机制,使恶意程序能够读取其他程序或系统的私密数据。
- 📚 防范措施:了解这些漏洞的原理有助于采取相应的安全措施,保护系统免受攻击。
#计算机安全 #英特尔漏洞 #侧信道攻击
思考
- 这些漏洞对普通用户有什么影响?
- 如何检测和防止这些漏洞?
- 未来的技术是否会解决这些问题?
视频章节总结
00:00 - ⚠️幽灵与熔断:JS的隐患
JavaScript如果能读取电脑上的任何信息(包括密码和其它程序活动),将非常危险。Spectre和Meltdown攻击正是利用了这种漏洞,无需软件漏洞或欺骗用户即可实现。演讲者Emman Rikerson将简要解释这些漏洞的核心原理。
1:06 - 🤔内存安全漏洞
这段文字主要介绍了计算机内存的工作原理以及Spectre和Meltdown等新型攻击是如何利用内存和推测执行的漏洞。文章首先概述了计算机的组成部分,然后详细解释了内存的层次结构(例如,主存和高速缓存),以及CPU如何访问不同层次的内存。最后,它指出Spectre和Meltdown攻击正是利用了这些内存访问机制和推测执行的特性,从而引发安全问题。
4:12 - ⏳缓存替换与侧信道攻击
计算机缓存(cmemory)的工作机制是复制数据以加快访问速度,但缓存空间有限,需要替换旧数据。这涉及到缓存替换策略,也是研究的重点。侧信道攻击,例如定时攻击,通过观察计算机处理密码的耗时来推断密码,例如猜测密码“Romly hunter two”时,计算机验证不同密码所需的时间差异会泄露信息。
5:14 - ⏱️密码破解计时攻击
密码破解尝试通过逐个字符比对进行。如果匹配速度很快,说明字符不匹配;如果速度变慢,则说明匹配了第一个字符,程序开始检查后续字符。通过观察响应时间差异,攻击者可以推断出密码的开头字符,然后继续猜测后续字符。
6:20 - 🚨旁路攻击漏洞
旁路攻击Spectre和Meltdown利用了现代CPU的三个特性:1. 密码破解算法的时间复杂度被降低到线性而非指数级,这是由于算法的物理实现导致的计时差异泄露信息。2. 投机执行允许CPU提前执行指令,即使依赖于尚未返回的内存数据。3. 即使投机执行的指令被回滚,CPU缓存状态仍会发生变化,泄露信息给攻击者。攻击者利用这些特性,通过访问相邻内存区域(不同应用或虚拟机)的数据,从而获取敏感信息。
9:39 - 🚨旁道缓存攻击
攻击者利用旁道攻击,通过投机执行(speculative execution)读取受害者内存(victim memory)。 他们构造一个超出数组访问范围的读取操作,触发投机执行,让CPU提前访问受害者内存。虽然最终操作会因非法访问而被终止,但CPU在投机执行阶段已将受害者内存数据加载到缓存中。攻击者通过观察缓存变化(例如,访问一个精心设计的“乐器”数组),间接获取受害者内存中的数据,例如密码。
13:48 - 🚨缓存旁路攻击
该攻击的核心在于利用旁路攻击(side-channel attack),特别是缓存(cache)的特性。 投机执行(speculative execution)导致缓存中泄露了信息,即使这些信息随后被回滚,攻击者仍然可以通过访问缓存来获取受害者内存中的数据(例如数字4)。 这种信息泄露跨越了管理边界,攻击者可以以此读取任意内存,例如包含密码等敏感信息的内存,从而造成严重的安全风险。
#BibiGPT https://bibigpt.co
字幕原文
So mentioned, if javasscript could just read anything on your computer, if some tab in your browser just had access to reading all your passwords or knowing what your other programs are doing, that would be pretty bad, wouldn’t it? By computer, I of course mean any type of computer device, including your smart phone. What would be particularly worrying is if this were to happen without exploiting any soft, vulnerable bill in is or without fooling you to do so. And that’s actually the state of affairs right now. We are currently seeing a series of attacks called specter and melta. And what I’m going to call here, the spectra Melton. I want to explain the core of these vulnerabilities to wider audience. So I’m going to skim a lot of the technical contents. So I’m not going to go into some of the necessary technical details to make your application tation possible. But I just wanted to give you the idea of what these vulnerabilities are to. My name is Emman rikerson. I’ M Assistant Professor of computer science at Emory University. Before we get started, I just wanted to give credit where credit this due. These vulnerabilities were found by actually concurrent, separate teams that have done fine work on writing up their details. And I encourage you to look. So let me introduce the three ingredients that we’re going to need to understand these events. The first one is to understand how memory works at a very high level. The second one is to understand speculative execution, your pu. The third one is something called side camera attacks. And actually, spectra and meltdown are the convergence of these new kinds of attacks that are becoming practically worrying, as well as hardware errors that are also worrying. So it’s in this intersection of something that we’re going to need to look out for, for the coming future. So let’s get to it. How does your computer work? Well, let’s take it at a really high level. Very simplified view of your computer. Computer is really a bunch zz of different components that are strung together. These components include things for input, output like your monitor and your keyboard and your mouse. And then there’s a cpu in the middle and that does all the processing. And finally, there’s memory. And I’m counting heart disk or ssds that’s being part of your memory. And really what happens when you’re doing something on compuis that you’re going to load a program from a disk? It’s going to be executed by the cpu. The cpu is going to do a bunch of computations, that those computations involve the memory. It’s going to go back and forth, read it. And finally, it may produce some output and then output my end up in new monitor or through a network. That’s basically what execution on a modern computer looks like. So let’s zoom in on the cpu and the memory. Inside your memory, you actually have the contents of all the different kinds of programs that you’re currently running. This could be the programs you’re running. It could be the data pertaining to them. It’s data pertaining to the operating system that you’re running, like your linings or your windows or your microos s and so forth. And it’s your user data. Memory ry is an amalgam of all these different types of things that could be used as well as storing intermediate computato, expand cpu. Let’s look at memory a little bit more in detail. There’s a look to a memory hurricane set a computer. If we think about memory, it’s actually very helpful to visualize it as just being a long sequence of boxes that you can open. Each box contains bit one bite of information. In our case, there are actually several layers of memory. What I’ve drawn here is something called Vera, which is actually big, but very slow for the cpu to retrieve. If the cpu wants to get some data from it, it has to wait for a while. So what we have are actually several other layers called che memory. So let me draw cast he memory here in front. Suppose I wanted to open one of these boxes, and I request in this vamemory over here that this particular orange box here we opened, well, it’s going to take a while. But whereas if I tried to open up a different box of open up this one, I can actually first ask the really fast cast memory, and that has an exact copy of what I need. Now, the way cmemory is maintained is that when you retrieve something, you often take a copy and put it into the cast he memory. So the next time you might need it, you have it laying around really quickly, put cast he memory small and has be pretty expensive. And so you have to kick something else up. This is actually the subject of much of my research. So this is how caches work. Let’s move on to the next ingredient. What are side channel attacks? Now let me illustrate it with an example. Suppose that you are asking a computer to authenticate, and there’s a particular password that the computer knows is there. This actually has happened on several routers. This is something known as a timing attack, which is a kind of a side channel attack. But I think it illustrates the point. Suppose the password is Romly hunter two. Now what you might do is to start guessing. You say like, well, this is password a and the computer has to run around, check if it matches. It looks at the first character a looks at the first character of the password and sees that its H doesn’t match. So it returns. Now you might guess b. You do the same thing, and we say no. Of course, you could try exponentially many possibilities here and you’ll be out of luck. And that’s why passwords often are good. But in this particular case, as you keep guessing, you guess g, something happens. You guess H. Now what you notice is that it takes a little bit longer for the computer to respond to you. And if that happens, that was because the computer had to look at the letter H, saw that it matched, and then had to look at the subsequent letter and see if there was a match there and there was no match because you guessed the one letter password and the password is actually longer. So now you might actually be pretty confident just by looking at the timing information, that the first characterish so you can move on to H A. You see, it takes just as long as what you guessed initially, and then you would ear hb and so on and so forth, right? This actually makes pastrock gulinear in the length of the pasword, rather than exponential. This is terrible. The site channel here is the timing information. It’s something about the physical implementation of this algorithm, this pasword tecalgorithm that you are exploiting, in this case, the timing differences. So let’s keep that also as an ingredient. The third thing I wanted to tell you about is called speculative execution. Might be looked like something like this from Rick and body. When your cpu is trying to execute a bunch of instructions, what it will run into is the fact that memory is slow, like we talked about. And so you have a really fast cpu. It has a lot of gigahertz. It’s running around, it’s executing stuff. And what it runs into is that ultimately, your program is going to need some data from memory. So toto memory, and and then you’re just waiting for the response and response takes a wow. So you’re spending a lot of your time just waiting for memory to respond. Now that’s an absurd way of having a cpu go on its business. So 20 years ago, what people came up with was, well, what about if we just make our cpus do specullative execution? What mean by that is that suppose puyour program looks something like this. There’s a branch, there’s an if sentence that depends on memory in some way. And there’s really only two options. Either whatever you’re going to get from memory is going to be zero in this case, or it’s not. So what if you just guess? You think that maybe the most likely thing to happen in this case is that you’re going to get a zero from memory. Now you are waiting here for memory, and you decide to just sprint ahead. You come here, you just execute the instructions that are coming after it, even before you get your response from memory. Huh? Interesting. So if memory ing is zero, you’re actually ahead of the curve. You know what’s going to happen, and you can resume from instruction d onwards. It’s very convenient. Now, if that didn’t happen, if it so happens that the response from memory was that memory was zero, then you actually have to roll back all the changes that you have made. So you have to be very cognizant of not changing the state of the program world, the registers internally so that you can actually go back to the other brands. That is sentence. This is very interesting. Now the flaw that spectra and Melton are exploiting is the fact that actually, when you’re doing speculative execution, the state of the cpu actually looks a little bit different because of cash when it has to add board a branch. Now we actually have all the ingredients needed to explain spectre and meltain at a very high level. Suppose we have our memory here. This is our slow memory. And as we talked about before, what your operating system kernel is doing is that it allocates this memory to different applications or possibly different virtual machines. If you’re living in the cloud, that means that there could be adjacent parts of memory allocated to different victims. I’m pretty much describing spec right now, but the same concepts applied to melta. So there is a part of memory here, what’s we’re called, victim memory, that we want to enumerate. We want to know what it says. It could contain a password that we’re after. And normally, what an operating system tries to do is to make sure that your program, including your JavaScript and a brosser, cannot access somebody else’s memory. There’s isolation between processes. So therefore, it would be an illegal operation to try to read from the red memory the memory on the right. What we’re going to do is that is to exploit the fact that there’s also the fast cacvarier, because we want to read this blue dot over here. There’s a fast cache here in front that has copies of some things in memory. What we’re going to do is the following trick. We’re going to set up an array here. Let’s call it a. It’s a part of memory that we control. It’s small. What we’re going to do is that we’re going to say, like, well, I don’t want to read the two elements that are in array a. I’m going to over extent, I’m going to go out of bi’m going to read what’s at a an element number x where x is way too big. Oh, normally when you would be doing this on your cpu, your cpu or your operating ering system would actually trigger a fault. It would say like, Hey, this is not allowed. I’m going to kill this program. It’s going to perform an illegal operation if you like, but we’re going to do it speculatively. So let’s look at how that plays out. I’m going to set up something called the instrument. It’s another part of memory that we’re keeping out of the cache. We specifically tell this, if you’re not to cache any of it, it’s all in slow memory. It’s consecute oppress memory. And I’ll explain what this doesn’t, just a little bit. But when I say instrument, you could imagine it being actually something like a keyboard. That’s how I’ll think about it. It’s different notes and let’s see how that plays up. Suppose the code that you’re executing is the following. It’s a branch. It’s an if sentence that just asks for something absurd. The world is flat. If the world is flat, we’re going to do the following instruction. Now, normally, what your cpu would be doing would be to completely ignore what’s going on after the sprbecause. It’s waiting for the computations from memory exis to figure out the world is flat. And then it just dumps things out that because of speculative execution, there’s a chance that what’s inside this branis going to be executed. So it actually looks at it speculatively. It’s going to do speculative execution of the subsequent instruction. And in our case, when we’re hacking it, we’re going to run the following instruction. We’re going to try to access the part memory that lies at instrument of a of x. Whoa, that’s a mouthful. Let’s have a look at what that means. Suppose that what we’re after is this part of victim memory, that blue dot here, and it contains the letter four, the number four. We don’t know this, but we want to find this out. That’s what the attacks are about. So what we’re going to do is to look at how speculative execution deals with the following thing. The fact that it says for and the fact that the cpu is now executing this instruction without actually executing it means that it’s going to say like, Oh, okay, I’m supposed to look at a of x, okay? I don’t know that it’s out of phyet because that’s the role of the kernel. I will find this out later. If this was actually was going to get triggered, the konel will kill the program because it’s rememory. It shouldn’t. But as a speculative execution engine, I’m just going to look ahead into the memory and see what’s there. And I see that it’s actually the letter four or the number four or the g as a note, if you like, my musical analysis. And I’m going to take that, and I’m going to look up in the instrument array at location four or note g, I’m going to play it. And what that does, and this is the crucial part about this attack, is that it brings that part of the instrument array into cash. That’s where your tiny attack comes into play. So now the final part of this attack is that you’re not going to go through and retrieve every node in your instrument. You could have played the zero note, and it’s slow. First one, it’s slow, but once you reach the fourth note, it’s really fast. It’s coming from fast memory. Why? Because when the speculative execution happened for the code, it rolled back all of the registers that it did not roll back the cash axis. There’s leakage of information from the fact that there was speculation happening, that speculation happened across administrative boundaries. And consequently, you’re not a situation where you can actually find out that your victim memory contained the letter or number four. And of course, we can now extend this yellow range and make it really big, maybe a 156 spides or even bigger because caches are actually a little bit trickier. You need to bigger block. That’s technical details. This is the crux of the spectre meltdown attack. So if we look at the actual code that’s provided by, you know there’s you’ll see something very similar to what a just ant explained for specter and something little bit more different, but still the same core idea for build. And as I promised you, I asked, well, what if Java could read something from arbitrary memory? Well, as it turns out, you can simulate the exact ts in set of instructions, generous, which means that you not have a web site we want to and in could try to read parts of knal memory. This is bad because it contains private information, including your passions. And so the the authors, these, the facts have actually demonstrated them, for instance, stored passgers in process. It’s pretty bad. But I’ll leave that to other people to explain the consequences of this attack and how you’re going to react to it. And I just want to leave you with a set of eelse where you can learn more about these very interesting sets of attacks. The authis, that fun. Thank you very much.