High level look at the SPECTRE exploit

In early January, two security exploits were revealed, both of which take advantage of ways that processors work to improve their performance. This video looks at the SPECTRE exploit; the other exploit is called MELTDOWN. Rather than speculative execution, MELTDOWN exploits a feature of Intel processors known as “out of order” execution to gain access to protected system memory. MELTDOWN is not covered in this video, however.

 

High level overview of compiling a program into executable instructions

A high level look at the concepts of compilers, interpreters, byte codes and Just-in-Time compilation, as ways of converting our programs into executable programs or machine instructions processed by the CPU.

The first video provided a high level look at computer system architecture.

The second video introduced the concepts of the CPU or processor.

This video introduces the conversion of our high level programs into machine executable code. Note that this video does not cover specifically how App Inventor blocks code is converted into an executable program.

The fourth video, relying on the information covered in the first 3 videos, will explain the ideas behind the SPECTRE exploit.

 

Brief Introduction to Computer System Architecture

App Inventor is a “high level” programming language. That means we create programs without having to know about the underlying operating system or hardware components of our device. The software engineers that create operating system software are “low level” programmers who must be familiar with the details of the hardware.

To understand the SPECTRE and MELTDOWN exploits, we need to have a basic understanding of computer systems – particularly the CPU or processor – and how it operates.

This video is a high level, simplified introduction to the basic elements of a computer system. I emphasize “simplified”! I have an Intel processor manual from a couple of years ago that has over 3,400 pages!

A future video will look at how high level programs are converted into “machine instructions” that are processed by the CPU. After that, we will look at how SPECTRE works to read memory that should be protected.


In the above video, I did not define “RAM” memory and what it means. RAM means “Random Access Memory”. A typical modern PC has 8 to 16 gigabytes of RAM memory. Many smart phones have 4 to 6 gigabytes of RAM memory. While both RAM and FLASH are types of memory, they are not the same thing.

This short video introduces types of memory used in computers, smart phones and electronic devices including ROM, PROM, EPROM, EEPROM, FLASH, RAM (both DRAM and SRAM), and a brief history of the now very old “magnetic core” memory.

The major difference between ROM, PROM, EPROM, EEPROM/FLASH is that these memories retain their stored values even if power is turned off.

RAM memory, however, loses its content if power is turned off. Sometimes a battery backup unit is attached to RAM to keep the memory “alive” even if the overall system power is turned off. RAM memory is otherwise fast to use and has become remarkably inexpensive.

“DRAM” means “dynamic RAM” and “SRAM” means “static RAM”.

Most of our devices use DRAM because it is cheaper and each bit takes up less circuit space (than SRAM) so more memory can be packed into a smaller space. The reason it is called “dynamic” RAM is because the memory must be continuously refreshed. Each bit is stored as a tiny capacitive charge. Because the charge slowly bleeds off, the charge must be periodically refreshed – if not, the values stored in memory will gradually fade away (so to speak).

A special circuit continuously reads and then rewrites each bit so that the charge stored at each bit location is refreshed and does not fade away.

 

Intel updates performance impact of SPECTRE and MELTDOWN fixes

Intel is continuing to measure and evaluate the performance impact of their own firmware changes to address the SPECTRE and MELTDOWN exploits.

The chart shows Intel’s measurements for certain 6th, 7th and 8th generation Intel processors. The measurements are made using standard “benchmark” tests that simulate specific usage scenarios. Consequently, these are measurements of performance impacts to these benchmark tests, which may not represent how we use our own computers.

Source: Intel Security Issue Update: Initial Performance Data Results for Client Systems

Separately, Google says they managed to upgrade their cloud servers with their own fixes that had negligible impacts.

While AMD processors appear to not be impacted by the MELTDOWN exploit, AMD did announce that one of the variants of SPECTRE does impact the AMD processors.

This suggests that over the weeks and months to come, future updates may appear that fix new variations of the exploits but also improve performance as better solutions are identified.

The SPECTRE and MELTDOWN research papers

Here is some additional background information about how the SPECTRE and MELTDOWN exploits were discovered, plus a link to the research papers that describe the exploits in detail. The news media inappropriately, albeit understandably, referred to these as “Intel CPU” bugs or defects but they are not specific to Intel nor are they defects.

The exploits take advantage of a basic feature of pipelined architecture CPUs, which now includes all high-end CPUs. You can read the research papers that explain the problem in detail at https://spectreattack.com/. Members of Google’s Project Zero Group found the problem; they are continuously doing research seeking new security vulnerabilities. Read their papers if you are interested in the finer details of these security exploits.

The exploit is due to pipelined architecture and speculative and out of order execution, items that have been incorporated into personal computer CPUs for over two decades, to improve performance (make programs run faster).

Understanding the SPECTRE and MELTDOWN papers, at the link, does require an understanding of system and processor architecture. This is a very technical subject and we would not expect most new App Inventor programmers to understand such topics! That said, computer architecture is a fascinating subject if you wish to dive in at some point.

In a future video I hope to introduce computer and processor architecture to help you understand the issues and see how this problem evolved – and how the exploit is not very obvious either.

I do think this is a big deal for server farms, but, after patches to OS, apps and firmware, probably not a huge deal to most of us running our personal computers.

Many videos demonstrating benchmark performance before and after patching have been posted on YouTube. I just watched one that tested before and then after installing both Intel firmware patches and the Windows 10 updates and they found negligible performance change across a broad set of benchmarks – except for one test of 4K READ blocks from SSD disk (I think it was).

My current view is most of us will not see noticeable changes but that there are some scenarios, and specifically some server scenarios that may see significant performance issues. As with any other security vulnerability that is discovered, it is important to keep current with software updates, including Android, iOS, Windows, Linux and Mac OS X, plus app updates and so forth.

New drone quadcopter programmable using Scratch #AppInventor #STEM #Drones #CES2018

The ability to code is an important part of literacy and will enable kids to learn about creative problem solving and how to communicate their ideas. Engineers at Ryze have made Tello programmable with Scratch, an MIT-developed coding system that allows kids and teens to learn the basics of programming. Kids can program their Tello to string multiple flips into a single command or create their own flight patterns using MIT Media Lab’s easy-to-use block-based coding interface called Scratch.

Source: Ryze and DJI team to create Tello $99 drone – sUAS News – The Business of Drones

The Scratch programming system came before App Inventor and inspired the “blocks” programming model used in App Inventor.

The “Intel CPU” Exploit – does it affect App Inventor apps? #SPECTRE #MELTDOWN

Yes, but Android has already been updated to deal with it.

What is the “Intel CPU” Exploit? Well, it’s not just Intel, as first described. The SPECTRE exploit works on processors from many vendors. The MELTDOWN exploit might mostly impact Intel processors (but could affect some others).

What are these exploits and what do they do?

This first video is a high level overview. I hope to add another video going into more details – which means explaining a bit about what goes on inside your computer or smart phone processor and computing system.

There is a typo in a title in the slide set – about halfway through the video the title says “What do this exploits actually do?” and of course, that should say, “What do these exploits actually do?”

Ignore the typo “doe” in the FB link below – that’s been fixed on the web site! But the typo in this title, in the middle of the video, should say “What do THESE exploits actually do?”