Meltdown: Basics, Details, Consequences

Presented at Black Hat USA 2018, Aug. 9, 2018, 5 p.m. (60 minutes).

The security of computer systems fundamentally relies on the principle of confidentiality. Confidentiality is typically provided through memory isolation, e.g., kernel address ranges are marked as non-accessible and are protected from user access.

In this talk, we present Meltdown. Meltdown breaks the most fundamental isolation between user applications and the operating system. We show how any program can access system memory, including secrets of other programs and the operating system. To make the attack accessible, we briefly introduce basics on microarchitectural side effects and out-of-order execution on modern processors.

With a behind-the-scenes timeline of our research, we show when and how the combination of these components allowed us to read arbitrary kernel-memory locations, including personal data and passwords. We will also discuss how different vendors, i.e., Intel, AMD, and ARM, are affected by the issue and how they responded to it.

In a live demo, we show a series of Meltdown attacks, including attacks on a modern smartphone with an ARM processor. Our demo not only shows how to read privileged data or sensitive user input, but also shows novel exploits leveraging Meltdown. We then show how Meltdown is mitigated in software, using our KAISER defense mechanism, which was implemented under different names in all major operating systems.

The last part of our talk will focus on the developments after the disclosure of Meltdown. We will discuss the situation around the patches, Meltdown variants that were presented after the disclosure (e.g., MeltdownPrime), as yet undisclosed attacks, including combinations of Meltdown and Spectre and their application in JavaScript, and further proposed mitigations.

We conclude with high-level perspectives that we as a community and industry should draw to be prepared for the next Meltdown.


Presenters:

  • Daniel Gruss - Postdoctoral Researcher, Graz University of Technology
    Daniel Gruss (@lavados) is a PostDoc at Graz University of Technology. He finished his PhD with distinction in less than 3 years. He has been involved in teaching operating system undergraduate courses since 2010. Daniel's research focuses on software-based side-channel attacks that exploit timing differences in hardware and operating systems. He implemented the first remote fault attack running in a website, known as Rowhammer.js. He spoke at top international venues, including Black Hat USA 2016, Usenix Security 2015 & 2016, ACM CCS 2016, the Chaos Communication Congress 2015, and many more. His research team was one of the four teams that found the Meltdown and Spectre bugs published in early 2018.
  • Moritz Lipp - University Assistant, Graz University of Technology
    Moritz Lipp is a researcher in information security at Graz University of Technology. He is pursuing his PhD with a strong focus on microarchitectural side-channel attacks on personal computers and mobile devices at the Institute of Applied Information Processing and Communications. His research has been published at top academic conferences and presented at various venues around the world.
  • Michael Schwarz - University Assistant, Graz University of Technology
    Michael Schwarz is an Infosec PhD student at Graz University of Technology with a focus on microarchitectural side-channel attacks and system security. He holds two master's degrees, one in computer science and one in software development with a strong focus on security. He frequently participates in CTFs and has also been a finalist in the European Cyber Security Challenge. He was a speaker at Black Hat Europe 2016 and Black Hat Asia 2017, where he presented his research on microarchitectural side-channel attacks. He authored and co-authored several papers published at international academic conferences and journals, including USENIX Security 2016, NDSS 2017, and NDSS 2018.
