Spectre / Meltdown Counter Measures
Google Project Zero and a number of researchers have discovered and made available details on two hardware flaws that affect the security of most desktop and mobile devices. Called Meltdown and Spectre, the vulnerabilities use the CPU “speculative execution” to make virtual memory available to unintended processes, possibly leading to data being read by processes not owning it. This is a low-level hardware issue affecting many models of Intel, AMD and ARM CPUs. The issue was reported by Google to the respective processor makers in June last year.
Meltdown and Spectre: What They Are and How to Deal with Them, in InfoQ. Retrieved 2/24/2018. https://www.infoq.com/news/2018/01/meltdown-spectre
Position on the Adoption Curve
Presentations about Spectre / Meltdown Counter Measures
How Performance Optimizations Shatter Security Boundaries
Interviews
How Performance Optimizations Shatter Security Boundaries
What is the focus of your work today?
The work of our Secure Systems group at Graz University of Technology focuses on the secure and efficient implementation of (cryptographic) algorithms, security architectures as well as side-channel and fault attacks. Personally, my main focus is on microarchitectural side-channel attacks on personal computers and mobile devices. We explore the side-effects of hardware implementations, e.g. through the CPU’s cache, that leak sensitive data (cryptographic keys, passwords), or allow to spy on user behavior. On the other hand, we look at possible countermeasures mitigating these attacks.
What’s the motivation for this talk?
With the beginning of the year, two major CPU vulnerabilities have been disclosed to the public. Namely, Meltdown and Spectre – These two vulnerabilities exploit performance optimizations done in hardware and allow to read arbitrary memory and therefore, the memory of the kernel and other applications. By doing so, all security assumptions given by address space isolation and paravirtualized environments and, thus, every security mechanism that builds upon this foundation, are broken. We have seen in the past that almost every performance optimization opens a side-channel that could be exploited. With this talk, I not only want to give an overview about Meltdown and Spectre but also want to show that performance is linked to side-channels and that we should optimize for security in the future as well.