Reading Kernel Memory from User Space
Date discovered : January 2018;
Affected hardware : Intel x86 microprocessors, IBM POWER processors, and some ARM-based microprocessors
Let's assume the following lines of code:
Normally, we would expect the CPU to execute these lines of code one after the other, but that's not the case. Most modern CPUs will execute these lines of code at the same time. This is what we call: out-of-order execution, which allows the CPU to run much faster by minimizing the idle time. This has been made possible by Robert Tomasulo's algorithm back in 1967.
Here is how you can trigger Meltdown.
The attacker will start by trying to read a character at a private address.
By looking at this simple memory diagram we can see that from index A to index B is where the memory stores the data for your program, but beyond or before that, there is data that you don't have access to and the CPU is in charge to make sure that you don't have access to this information.
| ... | 0x42 | 0xca | 0xfe | 0xba | ... | 0xbe | 0x41 | 0x41 | ... |
|---|---|---|---|---|---|---|---|---|---|
| ... | A-1 | A | A+1 | A+2 | ... | B | B+1 | B+2 | ... |
When the attacker runs this code, the CPU will notice that the program does not have access to index memory 1337 and will throw an exception: segmentation fault (SEGFAULT). Even though the program throws an exception, the calculation has already been made by the CPU. What the researchers have discovered is that even though we don't have access to that secret memory area, it's result is saved in the CPU Cache. Now, the only job for an attacker is to guess the value of secret_character.
As a reminder, although the line of code throws an exception, the attacker is able to exploit the concept of out-of-order execution and run a few lines of code at the same time.
So, in this example:
line number 9 is called an transient instruction , which is an instruction executed out-of-order leaving major side effects. So the attackers takes advantage of this and write a few lines of code that allows them to guess the value of secret_character. The way they will do it is by using a well known time based attack.
Here's how it works:
The attacker will create a buffer containing all the possible bytes. And then they will prob the array using the value of secret_character. Which means they will access every single element and measure the time it takes to get the result. Let's say it takes:
30ms to access dictionary[secret_character],
30ms to access dictionary[secret_character+1],
...
3ms to access dictionary[secret_character+0x41],
This means dictionary[secret_character+0x41] was already in the CPU cache that's why it was read much faster. This means that the value of secret_character is 0x41 ('A'). That's how the attacker was able to guess the value of one secret byte at posiiton B+1.Then they will repeat this for the next value of the input read_byte_at_index(1338), read_byte_at_index(1339) and so on. Basically allowing the attacker to read the entire memory on the computer, which is normally protected by the CPU.
As you can see, Meltdown literally melts down the security boundaries in the CPU. That's how it got it's name. It is very powerful because it allows the attacker to access protected memory that belongs to a completly different process.
[1] https://meltdownattack.com/meltdown.pdf
[2] https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)
[3] https://www.youtube.com/watch?v=I5mRwzVvFGE
[4] https://en.wikipedia.org/wiki/Tomasulo_algorithm
[5] https://meltdownattack.com/
Silaghi Fineas - Florin.