Analyzing The Impact Of CPU Vulnerabilities On Computing Systems

Hi guys, good morning everyone. It's uh lovely to see all all of you here today. Uh I've been sure you're having a very been hearing lovely people giving amazing talks. Uh we're going to try our best to match that expectation. So my name is Mohammed Mat Shamali. Please call me Mo. And we both are doing cyber security analytics at this university. And today we're going to be talking about one of the most pivotal attacks in the history is meltdown a spectre and meltdown attack which was uh on every computing modern architecture you can think about. Uh and I I run the cyber security society in my free time and he's also my society member. So guys picture this. The Gulf War just

started right and it's been it's 1991. It's been 5 months and everyone's burning question is that when is the American government going to take the next attack or when is something going to happen? Everyone's, you know, interested in this question. Nobody knows, right? Uh, everyone's trying to dig in. Uh, what do you do to get this information out of the Pentagon or the White House? What do you think is possible? Hire the best social engineer, try to persuade someone after like a drink, you know, after a happy hour or something. Or maybe get like, you know, the best hacker in the world. Unfortunately, none of this works. You know, the solution is very simple to be

honest. And meet Frank. He's a franchise. He's a Domino's franchise over across the whole Washington area. And he discovered a simple pattern. He discovered that before I say what he discovered, he knows exactly when the date of any invasion or anything is going to happen. How does he know this? He observed a simple pattern which says that if you look at this graph at 10:00 the White House ordered 55 pizzas instead of five pizzas and the Pentagon ordered 101 pizzas instead of three pizzas. So he noticed this pattern and he was like hold on a minute this happened once. This happened twice. This happened twice and it it predicted the Iraq invasion, the Panama invasion, then

the Junior invasion perfectly. And he knew this and the Pentagon had no idea. This is what we call side channel attacks. These are something which is like a pattern which is easily recognizable and in this example I'm relating that to pizza. So what are side channel attacks right? S channel attacks doesn't have to be you know the most like you know breaking into some encryption system or something. It's like observing some kind of like pattern which is like frequently happening. So you can use that pattern to you know break into that system right. Uh so there are multiple types of side channel attacks. There are timings, power usage, cash behavior, electromagnetic. The one today we're going to be focusing on is

the transient execution attacks which consist of the spectre and meltdown variant. >> So this is how the it impacted the whole world. >> Can you play the meeting? >> Tech firms are rushing to patch security hole that's affecting billions of computers and smartphones caused by two major flaws in computer chips called meltdown and spectre. They can allow hackers to steal sensitive data like passwords or see what tabs you've open on your device. Researchers say Meltdown affects only chips made by Intel while Spectre exists in almost every computing system. Let's find out what this means for us. >> So as you can see it was affecting the whole world and uh everyone was worried about it and so it was the the global

impact was like every device from iOS, Linux, Windows, Apple, everyone was affected by this and even the cloud infrastructure was not same. Yeah. All of them. So and uh in my opinion the industry tech giants like Intel, AMD, Microsoft should come together and like do the fixes patches on the day zero instead of waiting it and like delay. So we're going to reenact the situation here, right? Uh it's going to be a very simple thing. We're going to reenact how permission checks works, right? So I I want this book. >> Yeah. Show me your ID card. >> Here you go. My ID. >> Okay. Yeah, it's uh Yeah, it's fine. You can have the one.

>> Oh, thank you so much. I need this other book. >> Yeah, took a different type of ID card. >> Uh yeah, I have this one. >> No, it's not. >> Yeah. Well, you can see that's how permission check works. This is on a theoretical level. Uh we think that if there's a permission is accessed, they have access to the information. If it doesn't have permission, it doesn't get access. Right? But on an architectural level, this is not true. We'll look at why. So let's get dive into the actual topic which is the spectre and meltdown. Right? So what is meltdown? And I'm going to give you a uh very easy explanation. You can see this is a user

space and this is the kernel space. Right? Wouldn't it be easier if we could somehow bypass that permission check wall or this wall and get to the operating system? Woof like Houdini, right? It just disappeared. How do we do this? Right? There is a there is uh what do you say? There is something called in order and out of order execution when you write a line of code right the instructions that get in uh executed line by line which is like a bit slow for the CPU but here comes speculative execution guys fixed for everyone it what it does is let's say you have two loops uh in if statement uh the first one is an add operator the second one is

a division operator the add one will be done quickly the division will take some time so the CPU will be like h well I don't want to waste that time waiting for you to solve that problem let me execute everything under your instruction but not commit anything. Right? So it it executes uh it computes this uh answer keeps it in the cache but doesn't commit it. Then when it learns that it made a mistake it uh what do you say uh rolls back but this information that was bypassed the permission check which was bypassed and this was kept in the cash remains in the cash. So hold on to that thought for a minute. you

bypassed the security and you bought some valuable information uh from without checking any permission of that and you store it in the cache. Just think of hold on to the thought. And now unlike meltdown spectre isn't a single attack. It's a whole range of different attacks. It basically works by tricking the uh running program into accessing the data that it shouldn't. It's similar to um meltdown but for example let's say I'm working in the office for past 10 years and after one of my job is to open the door for the delivery guy to everyday come in and go out. So it's been I'm pulling an overnighter one day and it's 3:00 a.m. and I saw the guy. I

didn't think twice. I just opened the gate and after a few minutes I realized it's 3:00 a.m. He should he should not be here at this time. So but during uh this time he uh stole a package and hid it in the washroom and >> he took some package out of the privilege area and kept it somewhere else and >> so uh this package should be uh think as the uh data that is passed to the caching memory without even checking error. It's basically like we in this example if you get more technical that's a very easy example right but it's basically like it's the same thing we there's something called the branch predictor and we give it like for

example in this example we run a program we run this port statement 1 million times and we say a equals to this a equals to this eventually it will be like oh a is definitely equal to this so it just skips the time by uh predicting all the time that oh a equals to this because it's more efficient right so once what happens is after the 1 million and one time we will say a equal do something else but he'll be in the false notion that a equals to this and he'll execute that temporarily getting the information out of the what you say privilege area without checking the permission check if it's allowed to go

there or not puts in the cache and and then after that like hold on a minute this is not supposed to be accessed okay let's roll back let's not give the user this information but it keeps it in the cache again just like meltdown spectre also does the same gets it out of the system without any permission checks put into the cache and then I'll explain what happens later but That's basically what this permission getting the information not keeping it there. >> So it's the job of LU to keep the clash the cache memory clean of the processor. So it aims at to keep the most frequent access data in the cache and by removing

the least used least used data out of the cache. So it works by tracking usage. Basically tracks the thing that is accessed by the user more time and tries to keep that uh data in the cache while uh and also it moves the data to the front of the list so it can be accessed by the processor much faster than compared to other data. Basically like when we moved everything we removed the sensitive information kept in the cache. This replacement policy wasn't there. This was the fail safe which was like oh we'll get rid of that sensitive information from the cash later on. Uh but that later on you know unfortunately we people have evolved and it realized

that we have enough time to use this to use some kind of uh like for example timing attack to find the sensitive information get it out before this replacement policy throws it out of the cache. So because of this the LRU was there as a fail safe but it did not work as intended because you know humans are likes to you know somehow find that exploit you know let's get in there right but yeah so let's dive into the CPU itself so for example I want to print the value five so I will ask my CPU caching uh and the value was not in the CPU so it got cache miss in this case then the CPU

will do request the RAM to for the value I then the RAM will respondse with the value file. Now the value I stored is in the cache itself. So the next time I call the value of I it's a cachet in this case. So I get data much more quickly because there was no RAM access and the previous one because the RAM access occurred it was slow as compared to the much faster one caches. So as we can see uh it's the memory latency chart. Uh if the cache is hit then the data is retrieved under 100 CPU cycles as compared to the cache miss. It takes around 750 to 1,000 cycles to just to

retrieve the data from the memory to the cache memory. So if you look at this this clearly you can see that this is a cash hit and that's a cash miss and this was enough information for uh what do you say uh side channel time it t to figure out what type of information is in the cache and not in the >> yes so this is the different type of classification that are under spectre and meltdown as you can see these are a lot it's on variation ongoing it's unfortunate but it keeps evolving it keep finding new new variations to you know keep exploiting this attack surface. So why did this happen guys? In the end

of the day, we don't want to blame the consumers. We don't want to blame the manufacturer, right? But let me ask you this question, right? If I asked you, would you buy a slow computer? Would you buy a fast computer? You're going to say you want to buy a fast computer, right? But if I list that question with saying, do you want a slow secure computer or do you want a fast and you know slow computer? You would say, well, let's blame the manufacturer. You need to give me a fast and secure computer. Right? So the manufacturers put in a position where they don't have enough Intel to like you know generate some kind of

secure system uh where they they are forced to find some kind of you know workaround. So all of this AMD you know all the Intel you know fund companies right all of them decided let's use speculative execution increase the what do you say percentage for example from 3 to 30% which is a huge improvement in performance and keep using the strategy unfortunately the you fail then you know we are here where we are right now so it's because of psychology of speed and cost and you know more the more fast it is the more money you can make as a manufacturer right and there was a fail safe like we spoke about but it was not

good enough the replacement policy was an encryption of Yeah. >> So these are some counter measures that were u given by CPU vendors to fix the uh spectre and meltdown for the spectre. The CPU vendors provides fixes that uh fix the vulnerability inspector meltdown execution mechanism and they use a technique called repol line to that's a compiler technique that prevents misprediction from any indirect branch and it reduce the spectre risk uh spectra style attacks and for the melown it's they use the technique called KPTI stand for kernel page table isolation and it's in this technique it isolates the kernel memory from the user space memory And another example was that it they also gave the micro cut update for the

CPU to block the meltdown exploit from occurring. So yeah for the hardware this is some considerations for the what is it the CPU designers you know obviously they're not here in the room with us but uh they could use some kind of techniques like gas randomization scatter mirage techniques these are techniques to make the pattern of like what do you say the mapping lines that we're trying to find uh more unpredictable by adding some kind of noise or something uh by making it more unpredictable the cache line and like you know moving it to different cache lines we can make the pattern very unpredictable that the timing attack will be useless. So uh yeah this

is this is the technique scatter mage and cash randomization here. So there should be a fine tune balance between performance and security. As Moses Sham has told you after the vendors has applied the patches for the spectre meltdown there was like up to 20 to 30% slower with the patches and with the new system was impacted by let's say between 5 and 10%. Reason was the patches as I told you the main one was was KPGI as it requires to uh reload the memory during the kernel is accessed. So, so the main lesson learned from this should be there should be a fine line between performance and security and there uh the vendors or the creators of

the processor should consider uh like re-evaluation design priorities and like they should build the processor from ground up scratch. So they can introduce security things more as compared to the just more raw speed and there should be a continence with uh vigilance of this as this was for like uh left unnoticed for decades. So in conclusion, spectum meltdown was a pivotal moment for of all of us in the cyber landscape and this prompted reevaluation of the design priorities and reinforce multi-layer security strategies to safeguard against evolving cyber threats. >> Well, thank you guys so much for listening to us. You guys have any questions? Thank you so much guys. Thank you for your time.