2

I'm working on a document about them and I think I understand in general what happens (by exploiting the CPU's memory caching and speculative execution), but I'm a little lost on how protected data is actually exposed.

So if I understand speculative execution correctly in a case of:

if a == true { 
    firstFunction()
} else { 
    secondFunction()
}

the CPU will call both the first and second functions and run them before it knows the value of a? Is it storing the actual values within those functions or just their memory locations in its cache? And once a is resolved, does it discard anything it obtained from going down the wrong path?

Thanks

PruitIgoe

2 Answers

4

Suppose you're shopping, and you can't remember whether you need cereal, but you think you probably do. So, you send an SMS to your partner to check, but while you're waiting, you go to the cereal aisle and pick some. If it turns out that you don't need it, you'll just put it back.

When computers do something similar, that's "speculative execution".

Now, let's suppose that for privacy reasons, only one customer is allowed in the shop at a time, and then the shelves get restocked by a robot when they're done. So, it shouldn't be possible for the next customer to tell what you bought. But, when you put the cereal back, maybe you bumped the ones next to it, so they're not quite in exactly the same place. The restocking robot doesn't do anything about them, since the shelves are still stocked. But an obsessively keen-eyed shopper coming after you might now be able to tell your preferred cereal brand.

ThrawnCA
1

I cannot comment due to the reputation restriction, so I am posting this as an answer, but it is more of an expansion of @ThrawnCA's answer. I was under the impression that it gets a bit worse than just the next customer's hunches (obviously in reality being the next program). My understanding of Spectre/Meltdown is like this:

A customer enters a store (this time with malicious intent). They ask for a carton of milk and a bottle of whiskey. The clerk (processor) gives them the milk, but buying alcohol requires a valid ID showing the customer is over 18. He says he doesn't have it and that a friend will bring it to him in a bit. The clerk says OK and hands him the bottle anyway. The buyer moves behind some shelves and opens and drinks the bottle before he says the friend got lost and leaves the store (as a malicious program could inspect some memory location before being denied access).

sqlnoob
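
The answers above can be made concrete with a toy simulation, added here as an illustration and not part of the original posts: the wrong path's register results are discarded once `a` is resolved, but the cache lines it touched stay cached, and access timing reveals which ones. `ToyCPU`, the addresses, and the latencies are constructed assumptions; this models the idea and does not measure real hardware.

```python
# Toy simulation (constructed): a mispredicted branch is squashed, so its
# register writes vanish, but the cache lines it touched stay cached.
LINE = 64             # assumed cache-line size in bytes
SECRET_ADDR = 0x100   # hypothetical address of a protected byte
PROBE_BASE = 0x10000  # hypothetical array with one cache line per byte value


class ToyCPU:
    def __init__(self, memory):
        self.memory = memory  # address -> byte
        self.regs = {}        # architectural state (rolled back on squash)
        self.cache = set()    # microarchitectural state (not rolled back)

    def load(self, addr):
        self.cache.add(addr // LINE)  # side effect: the line is now cached
        return self.memory.get(addr, 0)

    def access_time(self, addr):
        # Simulated latency in cycles: a cache hit is fast, a miss is slow.
        return 10 if addr // LINE in self.cache else 200

    def branch(self, actual, predicted, if_true, if_false):
        snapshot = dict(self.regs)
        (if_true if predicted else if_false)(self)   # run the guessed path early
        if predicted != actual:
            self.regs = snapshot                     # discard wrong-path results
            (if_true if actual else if_false)(self)  # then run the correct path


def first_function(cpu):
    x = cpu.load(SECRET_ADDR)        # the value really is read during speculation
    cpu.regs["r1"] = x
    cpu.load(PROBE_BASE + x * LINE)  # touches a line chosen by that value


def second_function(cpu):
    cpu.regs["r1"] = 0


def demo(secret=42):
    cpu = ToyCPU({SECRET_ADDR: secret})
    # a is false, but the predictor guessed true: first_function runs, then is squashed.
    cpu.branch(actual=False, predicted=True,
               if_true=first_function, if_false=second_function)
    fast = [v for v in range(256)
            if cpu.access_time(PROBE_BASE + v * LINE) < 100]
    return cpu.regs, fast  # registers show only the correct path; timing does not


if __name__ == "__main__":
    print(demo())
```

The registers end up exactly as if only `second_function` had run, yet the single fast probe line corresponds to the byte the squashed path read.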