Modern processors are very complex and, as such, contain some features that make use of advanced techniques to provide users with faster execution times. One of these features utilizes speculative execution, a technique that utilizes additional memory in order to save time in the long run. Since this may not be a well-known concept outside of lower-level programming, here is a small example to provide context.
In computer programming, several types of constructs provide logical structure to determine the execution path. One group of these constructs can operate different execution paths based upon the state of the system at a given point in time. The state refers to the contents of system registers, environmental values, etc. When the program reaches one such junction, it makes a decision based on a provided condition. To do this, it must reference other parts of memory to check if the condition is true or false. Before the program can proceed, it waits until the check completes and then determines the correct path forward. However, with speculative execution, the program executes the path it thinks would most likely be executed. This happens while the program loads values for the conditional check and comparisons, which can massively speed up the process by potentially eliminating idle time during memory accesses. When the check finishes, the program either continues with the current path or resets to the original check and moves to the correct path.
The Meltdown article provides additional detail into violations of memory boundaries between user-space (think: applications) and kernel-space (think: core functionality set built into your computer’s processor). To do this the authors utilize the ability of a processor to load program instructions on an availability basis. This out-of-order execution loads chunks of a program into memory as processor space frees up, though this does not necessarily happen in order as the name suggests. Once necessary parts of the program are loaded, it can be executed in the order it was designed. When we previously discussed speculative execution we briefly discussed a pre-processing of possible execution paths that might be discarded if incorrect. This runaway process (the technical term is transient instruction) can provide insight into a secret value that allows operating in a privileged environment. This concept is leveraged to provide an attacker with a vehicle to access memory locations in a privileged fashion, which distinguishes it from Spectre. Once attackers access memory locations, they must establish covert channels in order to exfiltrate memory locations, similar to Spectre. Meltdown was issued CVE-2017-5754 for the discovered vulnerability.
The Spectre authors recommend high-level fixes, such as using memory-safe fencing instructions (mfence and lfence), but not more volatile methods such as forcing serialized execution of processes which may destroy memory register values. Chip manufacturers have provided updates that employ these techniques and safeguard against exploitation of speculative execution poisoning and hijacking.
The Meltdown authors recommend the KAISER mitigation which was proposed by Gruss et al. This mitigation provides protection against side-channel attacks targeting weaknesses in Kernel Address Space Layout Randomization (KASLR).
Authored by: Roland Varriale