Ghosts in a Nutshell presented at BlackHatAsia2019 2019

by Moritz Lipp, Claudio Canella,

Summary : At the beginning of 2018, two severe attacks, called Meltdown and Spectre, have been published. These attacks exploit that the CPU either lazily enforces exceptions or speculates on the outcome of branch predictions or data dependencies. While the results of those computations are never made visible on the architectural level, secret data can still leak on the microarchitectural level and be observed by an attacker.Since then, many different versions of these attacks have been found by various research teams around the world, e.g., Spectre Variant 1, Spectre Variant 2, Variant 4, Meltdown, Foreshadow, Foreshadow-NG, LazyFP. Due to the confusing naming scheme and the large amounts of papers and articles published, it has quickly become difficult to differentiate them all. Additionally, researchers, as well as companies, have proposed various countermeasures to mitigate these attacks, making it even more confusing and difficult to keep a clear overview of the current state.Many of the proposed mitigation techniques involve substantial overhead, basically reducing the processing power of modern CPUs. With all these defences, one question remains: Do they actually work or are they just reducing the performance of our CPUs? Did the operating system implement them correctly? Is everything fixed now or are there even more variants that have so far been overlooked?In this talk, we will discuss all existing variants and introduce a newer, easier to understand naming scheme based on the microarchitectural element the attacks exploit. We will discuss all mitigation techniques proposed so far and classify them based on how they attempt to stop leakage. We will also discuss which of those mitigations work in practice and which ones we were able to circumvent with our experiments. We will present new variants of Meltdown and Spectre attacks that have not been published so far and which we were able to discover due to our systematisation.