This event has already taken place.

Meltdown & Spectre

Event:
Meltdown & Spectre
Event type:
Meetup
Category:
IT
Topic:
Date:
07.11.2018 (Wednesday)
Time:
18:55
Language:
English
Admission:
Free
City:
Venue:
Pub Drewutnia
Address:
Władysława Łokietka 43
Description:

What we'll do

In January this year, two _earth-shattering_ attacks were made public: **Meltdown**, also known as #IntelBug, and **Spectre**, touching all platforms. They are possible thanks to speculative execution of code (a very interesting feature of modern CPU architectures) and affect pretty much everybody (a bit of a simplification, but if you have a modern CPU, you're affected). The attacks are incredibly widespread because they come from the very bottom of every tech stack: the CPU. Let's discuss both of them.


Short, one minute read: https://danielmiessler.com/blog/simple-explanation-difference-meltdown-spectre/


As ever, this is going to be a reading club, so:


## Reading materials


1. https://meltdownattack.com/meltdown.pdf

2. https://spectreattack.com/spectre.pdf


These are the two academic papers describing the attacks and how they were discovered. The site (the meltdownattack.com and spectreattack.com URLs both lead to the same site) also holds nice, easy-to-digest information about the attacks.


Meltdown: http://blog.cyberus-technology.de/posts/2018-01-03-meltdown.html

Google Zero Team announcement: https://googleprojectzero.blogspot.co.at/2018/01/reading-privileged-memory-with-side.html

CERT KB page for the issue: http://www.kb.cert.org/vuls/id/584653


What to bring

Paper or digital copies of reading materials, mainly two papers:


https://spectreattack.com/spectre.pdf

https://meltdownattack.com/meltdown.pdf


Important to know

To be truly secure: change your CPU to one that's not affected. :( Yeah, we know.

The next best thing is to UPDATE YOUR OS. All major OSes have released / will soon release patches.

To be somewhat secure:

Turn on site isolation in Chrome/Chromium.

Turn off SharedArrayBuffer in Firefox.

Don't use a browser AND a password manager simultaneously (there's a JS exploit already, I hear; didn't verify).


The logos we used were kindly made by Natasha Eibl, https://vividfox.me/. She made them part of the public domain.

