Spectre, explained as if computer were banks

You too can get what Spectre is, and you really should.

Spectre, explained as if computer were banks /img/spectre-and-meltdown.jpg

I just saw on Twitter a thread by Professor Clay Shirky that gives a good, simple explanation of what Spectre is and why it is dangerous (which I believe to be valid, in a broad sense, also for the other big computer threat of the moment, Meltdown (1)). With Prof. Shirky’s permission, I reformatted the whole thread and now publish it here, so that it is fully readable, and useful, even outside Twitter (emphasis in the text below is mine).

Professor Clay Shirky: I’m going to try explaining the Spectre attack with an analogy: imagine a bank with safe deposit boxes. Every client has an ID card, and can request the contents of various boxes, which they can then take out of the vault.

The bank is concerned about security. People have to show ID, and can’t walk out of the vault with stuff that isn’t theirs. However, the vault is enormous, and the clients impatient. There are also many clerks. To speed things up, sometimes the clerks guess which boxes you want.

To enable this predictive fetching, they don’t check whether you need the contents till after they’ve fetched it. Sometimes these guesses pan out, sometimes not, but no big deal. If they bring something you don’t need, you can just leave it there.

So here’s the bug. The bank’s protocol for checking ID, and for making sure you don’t walk out with other people’s stuff, are both good. However, the security for fetching safe deposit boxes is bad, because it is optimized for speed.

Once your ID checks out, the clerks trust you, just for a moment. If you show ID and ask for one of your boxes, #117254, you’ll get it. But if you show ID and ask for #440587, you’ll get to see the contents of someone else’s box instead.

And you can do this again and again, asking to see the contents of boxes that aren’t yours. You can’t alter the contents, but you can know what they are. Over many iterations, you can learn the entire contents of the vault.

So the bank is the CPU (2), your requests are a program, the clerks are processes, and the deposit boxes are memory. A trusted program can ask process to fetch chunks of memory it has no right to. To enable fetching, checks on whether data is valid for a process only come later.

As many people have noted, this is craziest with cloud computing, where your virtual server shares actual hardware with many other users. If you can run Spectre on that hardware (if you can show ID in that bank), you can see data from other users. (Gigabytes of it, from many users.)

And if someone else runs Spectre on that hardware, of course, they can see your data. This is just fishing. You can’t easily target a particular person or firm. But it is driftnet fishing – an industrial-scale attack on large collections of data.

And Spectre is not a trivial side-effect: high-speed pre-fetching is how substantially all modern CPUs work.

Notes by Marco:

  1. as I said, the assumption that the analogy in this post is also valid as a broad introduction to Meltdown is only mine. It could be completely wrong, I’m NO ICT security expert! If I’m wrong, please let me know
  2. CPU means “Central Processing Unit”, that is the integrated circuit inside every computer, laptop, tablet, smartphone… that does all the actual job of executing software programs. If I understand correctly, most of the CPUs around today are affected by Spectre and/or Meltdown