
I learned today that there were three vulnerabilities reported by Google Project Zero: bounds check bypass, branch target injection and rogue cache data load. Here is the AMD response to them: https://images.idgesg.net/images/article/2018/01/amd-response-to-kernel-bug-100745803-orig.jpg

However, on Wikipedia I see that there are two vulnerabilities: Meltdown, an easy-to-exploit variant affecting Intel, and Spectre, a hard-to-exploit variant also affecting AMD.

What is the relationship between these three Google Project Zero research titles and the two Wikipedia pages? Which of these research titles belong to Spectre and which belong to Meltdown?

juhist

2 Answers


If I understand you correctly, you ask how the three issues shown by GPZ map to the names Meltdown and Spectre. You'll find the answer at the beginning of this post from Google Project Zero:

So far, there are three known variants of the issue:

Variant 1: bounds check bypass (CVE-2017-5753)
Variant 2: branch target injection (CVE-2017-5715)
Variant 3: rogue data cache load (CVE-2017-5754)

Before the issues described here were publicly disclosed, Daniel Gruss, Moritz Lipp, Yuval Yarom, Paul Kocher, Daniel Genkin, Michael Schwarz, Mike Hamburg, Stefan Mangard, Thomas Prescher and Werner Haas also reported them; their [writeups/blogposts/paper drafts] are at:

Spectre (variants 1 and 2)
Meltdown (variant 3)

Steffen Ullrich

Minimizing risk is a wrong way

The picture you showed tells:

  • Variant one -> Patched
  • Variant three -> Not compatible with AMD processor architecture.

Ok, but

  • Variant two -> near-zero risk.

Careful: near-zero / 0 gives infinitely more risk than zero.

If you are OK with near-zero risk, stop reading this! ;-)

Spectre vs Meltdown

Both exploits (or security failures in the processor architecture) are based on different features.

For a long time, manufacturers have been building processors with many cores and a lot of features to make them work faster...

From the spectre.pdf paper:

More broadly, there are trade-offs between security and performance.

Technically:

  • Meltdown exploits side-channel information.

  • Spectre attacks involve inducing a victim to speculatively perform operations that would not occur during correct program execution.

Not the same feature... Reading user-space memory via a side channel is simpler than reading user-space memory by triggering a CPU bug through speculative execution.

So, if understanding Meltdown is easier than understanding Spectre, mitigating Meltdown is also easier than mitigating Spectre.
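The second answer's point that Spectre (Variant 1, bounds check bypass) is harder to mitigate than Meltdown comes down to this: Meltdown is fixed once, in the kernel, by isolating page tables, whereas Variant 1 has to be fixed in every piece of software that contains the "bounds-checked array access" shape, because the branch that performs the check is exactly what the CPU speculates past. The example below is added here to illustrate that software-side fix; it is not code from either answer or from the Project Zero post. It shows the classic checked lookup next to a hardened version that clamps the index with a branch-free mask, modeled on the Linux kernel's `array_index_nospec()` helper. The lookup table and probe indices are constructed for the demonstration, and the `asm volatile` barrier is a gcc/clang idiom that keeps the compiler from optimizing the mask away because it "knows" the index is already in range (the compiler does not reason about speculative values).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data: a small public lookup table. */
#define TABLE_LEN 8
static const uint8_t table[TABLE_LEN] = {10, 20, 30, 40, 50, 60, 70, 80};

#define BITS_PER_LONG (sizeof(unsigned long) * 8)

/* Branch-free mask: all ones when index < size, all zeros otherwise.
 * Same construction as the Linux kernel's array_index_mask_nospec().
 * Relies on arithmetic right shift of a negative long, which gcc and
 * clang provide on every mainstream target. */
static inline unsigned long array_index_mask_nospec(unsigned long index,
                                                    unsigned long size)
{
    /* Hide index from the optimizer so the mask is always computed,
     * even where the compiler has proven the architectural range. */
    __asm__ volatile("" : "+r"(index));
    return ~(long)(index | (size - index - 1)) >> (BITS_PER_LONG - 1);
}

/* Clamp index to [0, size): unchanged when in range, forced to 0 otherwise.
 * No branch is involved, so a speculatively executed load sees the
 * clamped value as well. */
static inline unsigned long array_index_nospec(unsigned long index,
                                               unsigned long size)
{
    return index & array_index_mask_nospec(index, size);
}

/* Before: the classic Variant 1 shape. Architecturally correct, but if the
 * branch is mispredicted the load can be issued with the original idx. */
unsigned int lookup_checked(size_t idx)
{
    if (idx < TABLE_LEN)
        return table[idx];
    return 0;
}

/* After: same check plus clamping, so even a mispredicted path can only
 * touch table[0 .. TABLE_LEN-1]. Architectural results are identical. */
unsigned int lookup_clamped(size_t idx)
{
    if (idx < TABLE_LEN) {
        idx = array_index_nospec(idx, TABLE_LEN);
        return table[idx];
    }
    return 0;
}

int main(void)
{
    /* Constructed probes: in range, at the boundary, and far out of range. */
    size_t probes[] = {0, 3, 7, 8, 100, (size_t)-1};
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        size_t idx = probes[i];
        printf("idx=%zu mask=%016lx clamped=%zu checked=%u hardened=%u\n",
               idx, array_index_mask_nospec(idx, TABLE_LEN),
               array_index_nospec(idx, TABLE_LEN),
               lookup_checked(idx), lookup_clamped(idx));
    }
    return 0;
}
```

Both lookups return the same values for every input; the difference is only in what the load can touch while the branch outcome is still being resolved. That is also why the fix does not scale the way the Meltdown fix does: every such access in every program has to be found and patched individually, by hand or by compiler support.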