
The difference between the Meltdown attack and the Spectre attack

2018-01-09 12:26 · 183 views


Meltdown and Spectre are usually mentioned together. They have things in common, but the differences are also quite clear. I am writing this down as a note.

Both make use of speculative execution, but Meltdown leans on out-of-order execution (OOO), while Spectre leans on branch prediction.

[b]《Spectre Attacks: Exploiting Speculative Execution》[/b]

Meltdown is distinct from Spectre Attacks in two main ways. First, unlike Spectre, Meltdown does not use branch prediction for achieving speculative execution. Instead, it relies on the observation that when an instruction causes a trap, following instructions that were executed out-of-order are aborted.

Second, Meltdown exploits a privilege escalation vulnerability specific to Intel processors, due to which speculatively executed instructions can bypass memory protection. Combining these issues, Meltdown accesses kernel memory from user space. This access causes a trap, but before the trap is issued, the code that follows the access leaks the contents of the accessed memory through a cache channel.

So Meltdown depends on a design flaw in Intel CPUs: during out-of-order execution, the permission check on memory accesses is skipped.

Spectre, on the other hand, relies on the following behaviour:

The Branch Target Buffer (BTB) keeps a mapping from addresses of recently executed branch instructions to destination addresses [26]. Processors can use the BTB to predict future code addresses even before decoding the branch instructions.

For conditional branches, recording the target address is not sufficient for predicting the outcome of the branch. To predict whether a conditional branch is taken or not, the processor maintains a record of recent branch outcomes.

That is, the branch predictor records a history of past behaviour and uses it as the basis for the next prediction. This history is scoped to the CPU, not to the process. So once the attacker process has sufficiently trained the branch predictor within its own address space (for example by jumping to a particular address), it triggers the victim process to perform a similar operation (a jump to that same address). Although the operation is rolled back at the retire stage, the trace of the memory access has already been left in the cache, and the data can later be read out through a side channel.

In the attacker process's address space, the contents at this particular address are meaningless to the attacker; but in the victim process's address space, the contents at this address can be an instruction, typically one that reads memory, which is what leaks data into the cache.

So Meltdown mainly affects Intel CPUs, while Spectre has a much wider reach, because modern CPUs universally use branch prediction to improve performance.
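The mechanism above (a predicted conditional branch letting a load run speculatively on an index it should have rejected) is what index masking defends against. The example below is added here and is not code from the post or from the Spectre paper; it shows a naive bounds-checked lookup beside a hardened one that uses the same arithmetic as the Linux kernel's generic array_index_mask_nospec(), over a constructed sample table.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample table standing in for a victim's lookup structure. */
static const uint8_t TABLE[8] = {10, 20, 30, 40, 50, 60, 70, 80};
#define TABLE_SIZE (sizeof(TABLE) / sizeof(TABLE[0]))

/* Naive form: the bounds check is a conditional branch. While the branch
 * outcome is still only predicted, an out-of-bounds index can reach the
 * load speculatively and pull a cache line that a side channel sees later. */
uint8_t lookup_naive(size_t index)
{
    if (index < TABLE_SIZE)
        return TABLE[index];
    return 0;
}

/* Branch-free mask: all ones when index < size, all zeros otherwise.
 * (size - 1 - index) wraps negative exactly when index >= size, so the top
 * bit of the OR encodes the comparison, and an arithmetic right shift
 * spreads the inverted top bit across the whole word. Assumes index and
 * size are below 2^(bits-1), which any real array satisfies. */
unsigned long array_index_mask_nospec(unsigned long index, unsigned long size)
{
    return ~(long)(index | (size - 1UL - index)) >> (sizeof(long) * 8 - 1);
}

/* Hardened form: the branch still decides the architectural result, but the
 * index fed to the load is also clamped by the mask, so a speculative pass
 * through this block with a bad index reads TABLE[0], never out of bounds.
 * The kernel pins the mask computation with inline asm on x86 so the
 * compiler cannot turn it back into a branch; plain C gives no such promise. */
uint8_t lookup_nospec(size_t index)
{
    if (index >= TABLE_SIZE)
        return 0;
    index &= array_index_mask_nospec(index, TABLE_SIZE);
    return TABLE[index];
}
```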