The security of computer systems fundamentally relies on the principle of confidentiality. Confidentiality is typically provided through memory isolation, e.g., kernel address ranges are marked as non-accessible and are protected from user access.
In this talk, we present Meltdown. Meltdown breaks the most fundamental isolation between user applications and the operating system. We show how any program can access system memory, including secrets of other programs and the operating system. To make the attack accessible, we briefly introduce basics on microarchitectural side effects and out-of-order execution on modern processors.
With a behind-the-scenes timeline of our research, we show when and how the combination of these components allowed us to read arbitrary kernel-memory locations, including personal data and passwords. We will also discuss how the different vendors, i.e., Intel, AMD, and ARM, are affected by the issue and how each of them responded.
In a live demo, we show a series of Meltdown attacks, including attacks on a modern smartphone with an ARM processor. Our demo not only shows how to read privileged data or sensitive user input, but also shows novel exploits leveraging Meltdown. We then show how Meltdown is mitigated in software using our KAISER defense mechanism, which was implemented under different names in all major operating systems.
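Because the talk's software defense (KAISER, shipped in Linux as KPTI) is the thing a system owner actually has to verify, here is an added example, not part of the talk or its authors' material, that reads the kernel's own report of the Meltdown mitigation state. The sysfs file /sys/devices/system/cpu/vulnerabilities/meltdown and its values "Not affected", "Vulnerable" and "Mitigation: PTI" are real Linux interfaces; the function names and the sample status lines fed to the classifier are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the talk): classify the Linux kernel's Meltdown
# mitigation status as reported in sysfs. "Mitigation: PTI" is the upstream
# name of the KAISER-derived kernel page-table isolation.

# classify_meltdown_status STATUS_LINE
# Prints one of: mitigated | vulnerable | not-affected | unknown
classify_meltdown_status() {
    case "$1" in
        "Mitigation: PTI"*) echo "mitigated" ;;
        "Not affected"*)    echo "not-affected" ;;
        "Vulnerable"*)      echo "vulnerable" ;;
        *)                  echo "unknown" ;;
    esac
}

# host_meltdown_status
# Reads the live sysfs entry when it exists (Linux 4.15+ and backports);
# on kernels or platforms without the file it reports "unknown" rather
# than guessing.
host_meltdown_status() {
    f=/sys/devices/system/cpu/vulnerabilities/meltdown
    if [ -r "$f" ]; then
        classify_meltdown_status "$(cat "$f")"
    else
        echo "unknown"
    fi
}

# Constructed sample lines standing in for what different hosts would report.
for sample in "Mitigation: PTI" "Vulnerable" "Not affected"; do
    printf '%-20s -> %s\n' "$sample" "$(classify_meltdown_status "$sample")"
done
printf 'this host           -> %s\n' "$(host_meltdown_status)"
```

Only "mitigated" and "not-affected" should be accepted in a fleet check; "unknown" usually means a kernel too old to expose the interface, which is itself a finding worth following up.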
The last part of our talk will focus on the developments after the disclosure of Meltdown. We will discuss the situation around the patches, Meltdown variants presented after the disclosure (e.g., MeltdownPrime), attacks not yet disclosed, including combinations of Meltdown and Spectre and their application in JavaScript, and further proposed mitigations.
We conclude with the high-level lessons we as a community and industry should draw in order to be prepared for the next Meltdown.