How the Spectre and Meltdown Hacks Really Worked


An in-depth look at these dangerous exploitations of microprocessor vulnerabilities and why there might be more of them out there

We’re used to thinking of computer processors as orderly machines that proceed from one simple instruction to the next with complete regularity. But the truth is, that for decades now, they’ve been doing their tasks out of order and just guessing at what should come next. They’re very good at it, of course. So good in fact, that this ability, called speculative execution, has underpinned much of the improvement in computing power during the last 25 years or so. But on 3 January 2018, the world learned that this trick, which had done so much for modern computing, was now one of its greatest vulnerabilities.

Throughout 2017, researchers at Cyberus Technology, Google Project Zero, Graz University of Technology, Rambus, University of Adelaide, and University of Pennsylvania, as well as independent researchers such as cryptographer Paul Kocher, separately worked out attacks that took advantage of speculative execution. Our own group had discovered the original vulnerability behind one of these attacks back in 2016, but we did not put all the pieces together.

These types of attacks, called Meltdown and Spectre, were no ordinary bugs. At the time it was discovered, Meltdown could hack all Intel x86 microprocessors and IBM Power processors, as well as some ARM-based processors. Spectre and its many variations added Advanced Micro Devices (AMD) processors to that list. In other words, nearly the whole world of computing was vulnerable.

And because speculative execution is largely baked into processor hardware, fixing these vulnerabilities has been no easy job. Doing so without causing computing speeds to grind into low gear has made it even harder. In fact, a year on, the job is far from over. Security patches were needed not just from the processor makers but from those further down the supply chain, such as Apple, Dell, Linux, and Microsoft. The first computers powered by chips that are intentionally designed to be resistant to even some of these vulnerabilities arrived only recently.

Spectre and Meltdown are the result of the difference between what software is supposed to do and the processor’s microarchitecture—the details of how it actually does those things. These two classes of hacks have uncovered a way for information to leak out through that difference. And there’s every reason to believe that more ways will be uncovered. We helped find two, Branchscope and SpectreRSB [PDF], last year.

If we’re going to keep the pace of computing improvements going without sacrificing security, we’re going to have to understand how these hardware vulnerabilities happen. And that starts with understanding Spectre and Meltdown. [READ MORE]