In this blog post, we will look at how technologies introduced to improve CPU performance created security vulnerabilities such as Meltdown and Spectre.
If you are interested in IT news, you may remember the security issues known as “Meltdown” and “Spectre” that occurred some time ago. These two bugs are powerful vulnerabilities that allow information to be stolen without anyone knowing, regardless of the type of target. Traditional attack tools such as viruses and malware are easily detected by antivirus software because they leave traces of their attacks. However, Meltdown and Spectre can access the core of computer programs without leaving any traces. This is due to the principles behind Meltdown and Spectre. In this article, we will explain how modern computers work and the principles behind the Meltdown bug that exploits this.
First, let’s take a look at how computers work. Computers can be broadly divided into CPUs for calculations and RAM for recording. CPU stands for Central Processing Unit, which is responsible for the overall task of calculating and processing data according to instructions. RAM stands for Random Access Memory, which stores a series of commands that the CPU must execute and the intermediate results of calculations. These calculations include program information, ranging from small items such as the health of a player in a game currently being played to large items such as information about the operating system and kernel that are central to the operation of the computer.
When using RAM, the CPU records data through addresses. Computers cannot freely record numbers and letters like we do on a notebook. All records are made in bytes, which are a sequence of eight 0s and 1s. When converted to decimal, only numbers from 0 to 255 can be stored in RAM. When recording characters, each character is converted to a corresponding number and stored. For example, the character string “apple” is converted to 97, 112, 112, 108, and 101 and stored in RAM in order.
RAM was revolutionary in terms of speed when it was first developed, but as computers evolved, faster memory than RAM became necessary. A typical example is cache. Cache has a similar function to RAM, but is a memory space that exists in a separate location. Cache is basically built into the CPU and is much faster than RAM, but has a smaller capacity. The CPU greatly improves processing speed by storing calculation results that are likely to be used frequently while processing instructions in the cache instead of RAM.
Meanwhile, as computer performance improved, the processing speed required by programs also increased, and the CPU could no longer meet the demands of programs using the classic sequential processing method. It had reached its physical limits. Therefore, around the 2000s, CPU manufacturers introduced a new feature called out-of-order execution. Commands are stored sequentially in RAM, but the CPU executes the commands that come first and stores the results. When other commands are needed later, the CPU quickly retrieves the calculation results stored in the cache, improving the overall processing speed.
In that case, if a command executed in advance is later found to be invalid, how does the CPU respond? For example, if the password data for an administrator account stored in RAM is requested, the CPU must stop executing this command. However, in non-sequential execution, the command is executed without checking its validity, and the result data is stored in the cache. If the program requests this result data in the normal way, even if the command has been executed in advance, the request is rejected, but in this structure, an error occurs, and Meltdown exploits this weakness.
Now, let’s look at the structure of a Meltdown attack program. The only thing you need is a stopwatch to measure the time it takes to read the data. First, clear the cache by calculating its capacity. This is to initialize the data in the cache and eliminate any coincidences. Next, obtain the data from a specific address in RAM that contains the important data you want to know (let’s call this data α) and store random data in the same space as the 1000+α address in memory. This command is rejected because it attempts to retrieve data from a protected address (which must be protected because it contains operating system information), but due to non-sequential processing, it is executed before being rejected, and the data at address 1000+α is stored in the cache.
The attacker then reads through the memory and measures the time it takes to read the data at each address. Generally, the access speed is constant, but some addresses are found to read data at a speed that is significantly faster than others. These are the 1000+α addresses that were just calculated and stored. Ultimately, once the addresses stored in the cache are identified, the value of 1000+α can be determined, and the value of α, i.e., important system information, can be found. By repeating this process, it is possible to extract all information important for computer security, including the administrator account password.
The reason why Meltdown is so frightening is that the non-sequential execution technique is a technology applied to all Intel CPUs, and even if it is not Intel, it is also adopted by Qualcomm and Samsung, which mainly produce CPUs for mobile devices. In other words, almost all electronic devices on Earth are exposed to this threat. Intel’s competitor AMD is not exposed to Meltdown because it first checks commands when performing out-of-order execution, but it is exposed to Spectre, a more difficult bug to deal with that attacks vulnerabilities in speculative execution, which is not out-of-order execution. As a result, all CPUs are exposed to the Spectre-Meltdown bug.
Many operating systems, including Windows, have released emergency patches to address these bugs, but since the attacks leave no trace, it is impossible to know whether a computer was attacked before the patch was installed. Furthermore, even after installing the patch, which was not a fundamental solution but merely a way to block non-sequential execution, computer processing speeds slowed down significantly. Since this is a problem with the CPU design, the only solution is to replace the hardware.
So far, we have explained how modern computers work and how Meltdown exploits this. The CPU, which is responsible for computing in computers, has a non-sequential execution function that executes commands in advance, stores them, and retrieves them when necessary, dramatically improving processing speed. However, vulnerabilities arising from this process have led to serious security flaws. There is also a bug called Spectre, but since explaining Spectre requires additional explanation of speculative execution and attack techniques, we will not explain it here. However, Spectre is also a case where a technology introduced to improve CPU performance caused problems. We hope that this will serve as a precedent for thinking deeply about performance improvement in fields other than computers and reviewing whether we are missing anything important.
