scishow
How Meltdown and Spectre Make Your Computer Vulnerable
YouTube: | https://youtube.com/watch?v=2exp-NWHp_E |
Previous: | How Kodak Discovered Radioactive Rain |
Next: | Is Sitting Too Close to the TV Really Bad for You? |
Categories
Statistics
View count: | 245,973 |
Likes: | 9,009 |
Comments: | 617 |
Duration: | 06:21 |
Uploaded: | 2018-01-12 |
Last sync: | 2024-10-15 14:15 |
Citation
Citation formatting is not guaranteed to be accurate. | |
MLA Full: | "How Meltdown and Spectre Make Your Computer Vulnerable." YouTube, uploaded by SciShow, 12 January 2018, www.youtube.com/watch?v=2exp-NWHp_E. |
MLA Inline: | (SciShow, 2018) |
APA Full: | SciShow. (2018, January 12). How Meltdown and Spectre Make Your Computer Vulnerable [Video]. YouTube. https://youtube.com/watch?v=2exp-NWHp_E |
APA Inline: | (SciShow, 2018) |
Chicago Full: |
SciShow, "How Meltdown and Spectre Make Your Computer Vulnerable.", January 12, 2018, YouTube, 06:21, https://youtube.com/watch?v=2exp-NWHp_E. |
Another year, another security breach that could expose all of your information. Installing updates might be a good New Year's resolution.
Check out the Crash Course Computer Science series at youtube.com/crashcourse
We're conducting a survey of our viewers! If you have time, please give us feedback: https://www.surveymonkey.com/r/SciShowSurvey2017
Hosted by: Hank Green
----------
Support SciShow by becoming a patron on Patreon: https://www.patreon.com/scishow
----------
Dooblydoo thanks go to the following Patreon supporters: Kelly Landrum Jones, Sam Lutfi, Kevin Knupp, Nicholas Smith, D.A. Noe, alexander wadsworth, سلطا الخليفي, Piya Shedden, KatieMarie Magnone, Scott Satovsky Jr, Bella Nash, Charles Southerland, Bader AlGhamdi, James Harshaw, Patrick Merrithew, Patrick D. Ashmore, Candy, Tim Curwick, charles george, Saul, Mark Terrio-Cameron, Viraansh Bhanushali, Kevin Bealer, Philippe von Bergen, Chris Peters, Justin Lentz
----------
Looking for SciShow elsewhere on the internet?
Facebook: http://www.facebook.com/scishow
Twitter: http://www.twitter.com/scishow
Tumblr: http://scishow.tumblr.com
Instagram: http://instagram.com/thescishow
----------
Sources:
https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
https://www.pcworld.com/article/3245606/security/intel-x86-cpu-kernel-bug-faq-how-it-affects-pc-mac.html
http://homepage.cs.uri.edu/faculty/wolfe/book/Readings/Reading04.htm
https://support.apple.com/en-us/HT208394
https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-heres-what-intel-apple-microsoft-others-are-doing-about-it/
http://mashable.com/2018/01/04/spectre-meltdown-explained/#dnSmYeEpymqy
https://meltdownattack.com/
https://www.wired.com/story/meltdown-and-spectre-vulnerability-fix/
https://www.wired.com/story/critical-intel-flaw-breaks-basic-security-for-most-computers/?mbid=BottomRelatedStories
https://suif.stanford.edu/papers/lam92/subsection3_2_1.html
https://www.usenix.org/legacy/publications/library/proceedings/osdi99/full_papers/chang/chang_html/node4.html
Check out the Crash Course Computer Science series at youtube.com/crashcourse
We're conducting a survey of our viewers! If you have time, please give us feedback: https://www.surveymonkey.com/r/SciShowSurvey2017
Hosted by: Hank Green
----------
Support SciShow by becoming a patron on Patreon: https://www.patreon.com/scishow
----------
Dooblydoo thanks go to the following Patreon supporters: Kelly Landrum Jones, Sam Lutfi, Kevin Knupp, Nicholas Smith, D.A. Noe, alexander wadsworth, سلطا الخليفي, Piya Shedden, KatieMarie Magnone, Scott Satovsky Jr, Bella Nash, Charles Southerland, Bader AlGhamdi, James Harshaw, Patrick Merrithew, Patrick D. Ashmore, Candy, Tim Curwick, charles george, Saul, Mark Terrio-Cameron, Viraansh Bhanushali, Kevin Bealer, Philippe von Bergen, Chris Peters, Justin Lentz
----------
Looking for SciShow elsewhere on the internet?
Facebook: http://www.facebook.com/scishow
Twitter: http://www.twitter.com/scishow
Tumblr: http://scishow.tumblr.com
Instagram: http://instagram.com/thescishow
----------
Sources:
https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
https://www.pcworld.com/article/3245606/security/intel-x86-cpu-kernel-bug-faq-how-it-affects-pc-mac.html
http://homepage.cs.uri.edu/faculty/wolfe/book/Readings/Reading04.htm
https://support.apple.com/en-us/HT208394
https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-heres-what-intel-apple-microsoft-others-are-doing-about-it/
http://mashable.com/2018/01/04/spectre-meltdown-explained/#dnSmYeEpymqy
https://meltdownattack.com/
https://www.wired.com/story/meltdown-and-spectre-vulnerability-fix/
https://www.wired.com/story/critical-intel-flaw-breaks-basic-security-for-most-computers/?mbid=BottomRelatedStories
https://suif.stanford.edu/papers/lam92/subsection3_2_1.html
https://www.usenix.org/legacy/publications/library/proceedings/osdi99/full_papers/chang/chang_html/node4.html
By now, you’ve probably heard about Spectre and Meltdown.
And if you haven’t, they might sound like James Bond villains. But they’re actually serious security flaws in one of the key components of most computers,smartphones, and tablets.
If you’ve been struggling to wrap your brain around what they are and how they might affect you, don’t worry — we’ve got you covered with the basics.[ INTRO ]Spectre and Meltdown are different flaws in central processing units, or CPUs. The CPU is like a control center and puts the “compute” in computer. Basically, it carries out instructions to make different programs work.
These instructions can be things like simple math problems, or logic related calculations— like comparing two numbers to check if someone has enough money to buy a plane ticket,and letting that transaction go through. So, if you really boil it down, a CPU is essentially doing a few things over and over again: getting data from some kind of memory storage, executing an instruction, and then sending that new information back to memory. These processes let you open a text file, load an internet browser, or run a game.
Every program depends on the CPU. Now, shuttling information back and forth is one of the slowest parts of the CPU’sjob, so modern CPUs have been designed with different tricks to help them work faster. That way, your programs run faster.
One of these tricks is called speculative execution. Since a program is just a series of instructions, many modern CPUs try to guess what they need to do next, which is called branch prediction. In computer terms, speculative execution means the CPU grabs data and executes a few instructions along the most likely branch.
In your life, this would kind of be like guessing that your partner will want coffee in the morning, so you make an extra cup. If the prediction’s wrong, that branch gets thrown out and the instruction-following process continues down the other one. Like if your partner decides to go caffeine-free, you might dump the extra coffee, and pour some orange juice for them instead.
But if you’re right, they get out the door faster. And if your CPU’s prediction is right, that’s a head start to the next instruction. This brings us to ways this system can go wrong, and become a security problem like with Meltdown and Spectre.
Most programs running on a computer aren’t allowed to access all the data stored in all the memory. Kind of how iTunes can pull up your mp3s, but it can’t read your passwords. That gives some basic security.
But researchers discovered that the way that many CPUs handle speculative execution accidentally offers ways around this. With some clever coding, you can take advantage of the fact that the CPU still does the extra calculations, even though it won’t use the results if it turns out to be wrong about which instructions it was supposed to execute. So even though you can’t directly access the parts of a computer’s memory that youaren’t supposed to see, you can figure out what’s stored in that memory by working backwards from what the CPU does with certain instructions you send it.
To be clear, these vulnerabilities are tricky to exploit. And this is a very simplified explanation. But the point is that, hypothetically, someone could get access to a company’s most sensitive information — passwords, emails, encryption codes, you name it.
According to the researchers who discovered them, Meltdown and Spectre are distinct vulnerabilities,but very similar. Meltdown involves the operating system, the master program that directs all the computer’sactivities, which can access basically all parts of the memory if and when it needs to. In very basic terms, Meltdown breaks the barriers between individual programs and the core of the operating system, so that one program could potentially access way more memory than it should be able to.
It “melts down” those security barriers, hence the name. Pretty much every Intel processor put out since 1995, plus some put out by companies called Qualcomm and ARM, is vulnerable to Meltdown — no matter what your operating system is. So whether you’re a PC or Mac or Linux user, you’re most likely affected.
And Spectre involves a couple ways that the separation between programs can be broken,so an attacker could potentially use one program to peek into the memory used by another. It’s named after speculative execution, the process that makes these flaws possible. It’s harder to exploit, but also a harder problem to fix, so researchers also say it’ll“haunt” us for longer.
So far, we think Spectre affects processors made by Intel, Qualcomm, ARM, and AMD, which means all computers, smartphones, and tablets that have them are vulnerable. And that’s a heckin’ ton of machines. At first, computer scientists thought the only way around either security flaw would be to physically replace all the exploitable CPUs, but it turns out there are some things we can do without going that far.
Meltdown can be guarded against with software updates, called patches, that limit memory-sharingbetween different programs and parts of the operating system. Spectre is trickier. It may require actual hardware upgrades to totally eliminate, but tech companies are doing what they can in the meantime with software.
Microsoft, Apple, Google, and Linux have all been releasing software patches to try and minimize security risks. And Intel is publishing updates to its firmware, the permanent read-only software that lives on their processors. We don’t know of any security attacks that used Meltdown or Spectre yet, but now the ins and outs of how they work are more public.
So double-check that your operating system and browser are up to date, and that your antivirus software is, too. That’ll help keep any unwanted programs from running and possibly exploiting these flaws. And if you’ve heard that these updates are going to slow down your computer a bunch,don’t worry.
Yes, limiting how different parts of a computer share memory can affect its performance, becausethat’s why speculative execution makes things faster. But there’s a good chance you won’t notice the difference. Programs that need a lot of CPU power, like ones that render videos, will be more affected than others.
But the latest testing suggests that for typical users, there shouldn’t be a huge change. So there’s no excuse! Download those updates for your phone or laptop that you’ve been putting off!
Between WannaCry and Equifax, computer security breaches were in the headlines a lot in 2017. Two weeks in, it looks like 2018 might shape up to be more of the same. But no matter what happens, we’ll keep learning, and keep you updated too.
Thanks for watching this episode of SciShow News. If you want to learn more about computers, from hardware to artificial intelligence,you can check out the Crash Course Computer Science series at youtube.com/crashcourse.[ Outro]
And if you haven’t, they might sound like James Bond villains. But they’re actually serious security flaws in one of the key components of most computers,smartphones, and tablets.
If you’ve been struggling to wrap your brain around what they are and how they might affect you, don’t worry — we’ve got you covered with the basics.[ INTRO ]Spectre and Meltdown are different flaws in central processing units, or CPUs. The CPU is like a control center and puts the “compute” in computer. Basically, it carries out instructions to make different programs work.
These instructions can be things like simple math problems, or logic related calculations— like comparing two numbers to check if someone has enough money to buy a plane ticket,and letting that transaction go through. So, if you really boil it down, a CPU is essentially doing a few things over and over again: getting data from some kind of memory storage, executing an instruction, and then sending that new information back to memory. These processes let you open a text file, load an internet browser, or run a game.
Every program depends on the CPU. Now, shuttling information back and forth is one of the slowest parts of the CPU’sjob, so modern CPUs have been designed with different tricks to help them work faster. That way, your programs run faster.
One of these tricks is called speculative execution. Since a program is just a series of instructions, many modern CPUs try to guess what they need to do next, which is called branch prediction. In computer terms, speculative execution means the CPU grabs data and executes a few instructions along the most likely branch.
In your life, this would kind of be like guessing that your partner will want coffee in the morning, so you make an extra cup. If the prediction’s wrong, that branch gets thrown out and the instruction-following process continues down the other one. Like if your partner decides to go caffeine-free, you might dump the extra coffee, and pour some orange juice for them instead.
But if you’re right, they get out the door faster. And if your CPU’s prediction is right, that’s a head start to the next instruction. This brings us to ways this system can go wrong, and become a security problem like with Meltdown and Spectre.
Most programs running on a computer aren’t allowed to access all the data stored in all the memory. Kind of how iTunes can pull up your mp3s, but it can’t read your passwords. That gives some basic security.
But researchers discovered that the way that many CPUs handle speculative execution accidentally offers ways around this. With some clever coding, you can take advantage of the fact that the CPU still does the extra calculations, even though it won’t use the results if it turns out to be wrong about which instructions it was supposed to execute. So even though you can’t directly access the parts of a computer’s memory that youaren’t supposed to see, you can figure out what’s stored in that memory by working backwards from what the CPU does with certain instructions you send it.
To be clear, these vulnerabilities are tricky to exploit. And this is a very simplified explanation. But the point is that, hypothetically, someone could get access to a company’s most sensitive information — passwords, emails, encryption codes, you name it.
According to the researchers who discovered them, Meltdown and Spectre are distinct vulnerabilities,but very similar. Meltdown involves the operating system, the master program that directs all the computer’sactivities, which can access basically all parts of the memory if and when it needs to. In very basic terms, Meltdown breaks the barriers between individual programs and the core of the operating system, so that one program could potentially access way more memory than it should be able to.
It “melts down” those security barriers, hence the name. Pretty much every Intel processor put out since 1995, plus some put out by companies called Qualcomm and ARM, is vulnerable to Meltdown — no matter what your operating system is. So whether you’re a PC or Mac or Linux user, you’re most likely affected.
And Spectre involves a couple ways that the separation between programs can be broken,so an attacker could potentially use one program to peek into the memory used by another. It’s named after speculative execution, the process that makes these flaws possible. It’s harder to exploit, but also a harder problem to fix, so researchers also say it’ll“haunt” us for longer.
So far, we think Spectre affects processors made by Intel, Qualcomm, ARM, and AMD, which means all computers, smartphones, and tablets that have them are vulnerable. And that’s a heckin’ ton of machines. At first, computer scientists thought the only way around either security flaw would be to physically replace all the exploitable CPUs, but it turns out there are some things we can do without going that far.
Meltdown can be guarded against with software updates, called patches, that limit memory-sharingbetween different programs and parts of the operating system. Spectre is trickier. It may require actual hardware upgrades to totally eliminate, but tech companies are doing what they can in the meantime with software.
Microsoft, Apple, Google, and Linux have all been releasing software patches to try and minimize security risks. And Intel is publishing updates to its firmware, the permanent read-only software that lives on their processors. We don’t know of any security attacks that used Meltdown or Spectre yet, but now the ins and outs of how they work are more public.
So double-check that your operating system and browser are up to date, and that your antivirus software is, too. That’ll help keep any unwanted programs from running and possibly exploiting these flaws. And if you’ve heard that these updates are going to slow down your computer a bunch,don’t worry.
Yes, limiting how different parts of a computer share memory can affect its performance, becausethat’s why speculative execution makes things faster. But there’s a good chance you won’t notice the difference. Programs that need a lot of CPU power, like ones that render videos, will be more affected than others.
But the latest testing suggests that for typical users, there shouldn’t be a huge change. So there’s no excuse! Download those updates for your phone or laptop that you’ve been putting off!
Between WannaCry and Equifax, computer security breaches were in the headlines a lot in 2017. Two weeks in, it looks like 2018 might shape up to be more of the same. But no matter what happens, we’ll keep learning, and keep you updated too.
Thanks for watching this episode of SciShow News. If you want to learn more about computers, from hardware to artificial intelligence,you can check out the Crash Course Computer Science series at youtube.com/crashcourse.[ Outro]