This attack is completely based on
the CPU
's speculative execution (
speculative execution
, also known as speculative execution) mechanism. There are three vulnerabilities, and they cooperate with each other. The so-called predictive execution means that when the code has a branch instruction, before the correct signal arrives, the processor can make a prediction in advance, and enter the branch process in advance for calculation. Branch prediction is a way to implement this mechanism.
The first type of vulnerability is called
Bounds Check Bypass
, also known as
Side-Channel
attack. This kind of attack is mainly through a series of "listening" methods, from the outside of the processor, to obtain the internal information of the processor and the next step. In reality, for example, we can know that the water in the cup is hot water by venting water vapor (without touching the water), which is also a principle side channel attack.
The second vulnerability is called
Branch Target Injection
, which mainly exploits a vulnerability in the indirect branch command mechanism in the branch prediction operator. The difference between direct branching and indirect branching is not discussed. This attack is to exploit this vulnerability and execute specially prepared malicious attack code.
The third vulnerability is called
Rogue Data Cache Load
. Its main method is to solidify
the content in the L1 Cache by performing a specific "prediction" operation,
so as to obtain the execution result (such as the return result of the malicious code in the second vulnerability)
The attack method using the first and second vulnerabilities is called
Spectre
, and the attack method using the third vulnerability is called
Meltdown
. Among them, the first and third types of vulnerabilities can be fixed by software updates, while the second type of vulnerabilities must be fixed by
CPU
microcode (
Microcode
) updates.
For the first attack method,
Intel
's fix was to insert an
LFENCE
instruction. The function of this command is to force the old instructions to be executed in order when a new instruction comes. This makes it difficult for the outside world to know the internal operating state of the processor through bypass inference. Of course, because the command is forced to serialize (at least in part), it will degrade the performance of prediction execution to some extent.
For the second attack method, there are two ways to fix it. The first method is to force a certain frequency to refresh the registers and caches used by indirect branch prediction.
Intel said that all CPU repairs
in the past
5 years have been completed, which is the method used.
Another way to correct this, which is currently being implemented, is to introduce three new mechanisms to solve this problem. One is called Indirect Branch Restricted Prediction (
IBRS
), one is called Single Thread Indirect Branch Predictor (
STIBP
), and the last one is called
Indirect Branch Predictor Barrier (IBPB)
, an indirect branch predictor barrier, which is used to ensure the Behavior is no longer controlled. These three new mechanisms can be added to the current
CPU
by updating the microcode
, and can also suppress the performance loss of future
CPUs due
to speculative execution vulnerabilities.
The correction of the Meltdown
attack is mainly on the operating system, as long as it is ensured that when user mode executes user code, some permission
pages
are not mistakenly mapped to the places that user mode can access.
The OS only needs to support the dual pagetable mechanism of
user
page
and
supervisor page . Of course, after supporting this mechanism, the system performance will be slowed down to a certain extent because the TLB ( Translation Lookaside Buffer ) needs to be refreshed frequently , but Intel promises that the CPU will solve this problem in the future.
As for the specific impact on performance, Microsoft's
Myerson
believes that the first and third vulnerabilities are basically innocuous, and the second has some, and both the system and the microcode must be updated.
For
AMD
, the first attack is also applicable, and the second and third attacks are basically immune because of their different architectures.
Of course, in order to fix intel
's
bugs , microsoft
can do a little bit of negative optimization on
amd
, just waiting for the next patch to solve the problem.