3

From the brief research that I have done, both Meltdown and Spectre were primarily found by the same person (Jann Horn, Google Project Zero). How are such exploits normally noticed/found?

Joe

  • I consider your question as too broad. This is as broad as asking how a hunter usually finds and kills some animal: lots of experience to know how and where to look, the right tools and also some luck. – Steffen Ullrich Jan 05 '18 at 06:44
  • As @SteffenUllrich said, it's a mixture of factors. In this case it's likely either the researchers had been heavily studying CPU architectures or one of them had an "epiphany moment" over the feasibility of this occurring. – Hector Jan 05 '18 at 08:02
  • GPZ know more about Intel's spy program compared to the average researcher. – Overmind Jan 05 '18 at 08:30

2 Answers

8

I think you might be confusing the terms exploit and vulnerability.

A vulnerability is a "hole" in the security, caused by a bug or poor implementation. They are detected by security researchers (white hat hackers), crackers (black hat hackers) or people in between (grey hat hackers). Those people are trying to break into the systems to either provide information about the vulnerabilities and ways to fix (patch) them, or to use these vulnerabilities for various purposes. Finding vulnerabilities is a very complicated process, requiring very high skills, and it often involves operating pretty much at the machine code level. The researcher runs pieces of code while reading the contents of system memory with a debugger, trying to get the system to behave differently than it is expected (or designed) to. For example, a bug may allow a process to read an area of memory it is not supposed to read, as in the case of the recent vulnerabilities.

An exploit is a piece of software making use of the vulnerability. It's a lockpick of the IT world. Exploits are written by hackers (white, grey or black hats) to either demonstrate how a vulnerability can be used (such exploits are called PoC - Proof of Concept), or to use the vulnerability for gaining access to the system. Exploits are written for the detected vulnerabilities.

Jakub
5

While Jakub's answer addresses the question in general, here is something about Meltdown in particular. Reuters just published an article about the discovery: How a researcher hacked his own computer and found 'worst' chip flaw

Basically, the discovery, as usual in science, required multiple steps.

  • The underlying principle, the side-channel attack, has been known for decades. In particular, there are other side-channel attacks on CPUs, for example row hammer, first described in 2014.
  • Joanna Rutkowska writes that in 2010, she and Rafał Wojtczuk tried to use speculative execution to trick a processor into accessing privileged memory. However, they never published their work because they had no working attacks.
  • Building on that, in July 2017 Anders Fogh wrote a blog post speculating (pun intended) how speculative execution and side-channel attacks could be combined to read kernel memory from user mode code. However, he did not manage to implement a working exploit. His post builds on (and cites) publications on CPU side-channel attacks from 2016. Incidentally, Fogh also performed research on row hammer.
  • Multiple researchers tried to build on Fogh's work, and managed to produce working exploits by the end of 2017.
  • The working exploits in turn provided more insight into the real risks and potential of these vulnerabilities.
sleske
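sleske's last point, that working exploits made the real risk of these vulnerabilities visible, has a practical counterpart for defenders: on Linux the kernel now publishes, per CPU issue, whether the host is affected and which mitigation is active. The script below is an added example written for this page, not code from either answer or from the Reuters article. It assumes the sysfs interface described in its comments (one file per issue under /sys/devices/system/cpu/vulnerabilities/, present since Linux 4.15) and falls back to a constructed sample directory so it runs offline on any POSIX shell.

```shell
#!/bin/sh
# Added example, not part of either answer: summarise what a Linux kernel
# reports about its own exposure to the Meltdown/Spectre family of CPU flaws.
# Since Linux 4.15 the kernel exposes one file per issue under
# /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2, ...);
# each holds a single line beginning "Not affected", "Mitigation:" or "Vulnerable".

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status STATUS_LINE -> prints not_affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo "not_affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# count_vulnerable DIR -> prints how many entries in DIR classify as vulnerable
count_vulnerable() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        [ "$(classify_status "$(cat "$f")")" = "vulnerable" ] && n=$((n + 1))
    done
    echo "$n"
}

# report_dir DIR -> one line per entry (name, class, raw kernel status) plus a summary
report_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        printf '%-28s %-13s %s\n' "$(basename "$f")" "$(classify_status "$status")" "$status"
    done
    printf 'vulnerable entries: %s\n' "$(count_vulnerable "$1")"
}

# make_demo_dir -> prints the path of a constructed directory that imitates the
# sysfs layout so the script runs offline. The contents are sample values in
# the kernel's real format, not readings from any particular machine.
make_demo_dir() {
    tmp=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$tmp/meltdown"
    printf 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n' > "$tmp/spectre_v1"
    printf 'Vulnerable\n' > "$tmp/spectre_v2"
    printf 'Not affected\n' > "$tmp/l1tf"
    echo "$tmp"
}

if [ -d "$VULN_DIR" ]; then
    report_dir "$VULN_DIR"
else
    demo=$(make_demo_dir)
    report_dir "$demo"
    rm -rf "$demo"
fi
```

On a host without the sysfs directory, the constructed sample prints one vulnerable entry (spectre_v2). On a real host, a non-zero vulnerable count is the cue to check the kernel version, microcode/firmware level and any boot parameters that disable mitigations; a "Mitigation:" line names the specific countermeasure the kernel has enabled.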