How that Intel CPU security hole works

There’s quite a lot of the buzz in the media already, I’ll try to explain the technical details in simple terms instead.

Picking the password, letter by letter, like in the movies

Modern CPUs are way faster than memory, so they use all sorts of tricks to avoid waiting for bytes to be read or written. One of them is called “speculative execution.”

Imagine you’re waiting for a friend, but you don’t know whether they like tea or wine.

So you run to the store and purchase both, and just return the other one next day. Okay, the example is a bit contrived, but you got the idea.

Similarly, when the CPU needs to read data from memory to decide which part of the program to run, it doesn’t wait, it starts both parts, and when the data finally arrives, picks the “correct” result and throws the other one.

What’s the problem then? Well, imagine your friends’ spouse works near that shop and sees you returning the tea next day? Drinking again you bastards?

With computers, the problem means that any code, any webpage from the Internet can try to access your passwords or private data. Sure, it would get “access denied,” but with speculative execution, it can try questions like “I want to calculate a Complex Thing if your password starts with A, or do nothing, otherwise”, and see if the CPU has some work to clean up!

Of course, that’s not the entire password, and your computer likely has other things to do, like playing music, but repeat that a million times — and bingo! All the keys to the kingdom!

That’s why it’s so severe that Linux and Windows teams are rushing to release huge, complex updates, and both Microsoft and Amazon recently sent letters saying “we’re going to reboot all our cloud servers, millions of them, to apply the patch — please be careful”.

Even considering that they’re going to lose a lot of money as the patch basically kills this optimization, and the servers become like 15% slower.

Because right now every app, every cloud service, can access data from every other app or service nearby.

UPD: if you understand what “mov rdi, [rdi + rcx+0]” means, read this post by Anders Fogh — https://cyber.wtf/2017/07/28/negative-result-reading-kernel-memory-from-user-mode/.

Like what you read? Give Oleksandr Nikitin a round of applause.

From a quick cheer to a standing ovation, clap to show how much you enjoyed this story.