A Christmas Carol - The Spectres of the Past, Present, and Future
27.04, 10:00–10:45 (Europe/Vienna), i7
Language: English

At the beginning of last year, two major security vulnerabilities were disclosed: Meltdown and Spectre. While mitigations in software and hardware were rolled out right away, new variants were continuously released in the following months. With all those confusing names, how can you possibly still have a clear overview of all those vulnerabilities (SpectreV1, SpectreV2, Meltdown, Spectre-NG, SpectreRSB, L1TF, Foreshadow, ...)? In this talk, we present a novel classification that will ease the naming complexity of the current jungle of variants. Along with the different attacks, we will give an overview of all proposed mitigations and show how an attacker can still mount an attack despite the presence of implemented countermeasures. Furthermore, we will present new variants of the Meltdown attack, exploiting different parts of the CPU.


At the beginning of last year, two major security vulnerabilities were disclosed to the public.
Meltdown and Spectre exploit critical vulnerabilities in modern processors, allowing attackers to read arbitrary data currently processed on the computer without any permissions or privileges.
While mitigations in software and hardware were proposed and rolled out right away, new variants of Spectre and Meltdown attacks were published frequently in the following months.

Spectre v1? Spectre v2? Meltdown? Spectre-NG? SpectreRSB? L1TF? Foreshadow? With all those names and variants, how can you possibly still have a clear overview of those vulnerabilities?
With all those operating system, compiler, and microcode updates, is my system really protected?

In our talk, we present a novel classification of Spectre and Meltdown attacks and propose a new naming scheme to ease the naming complexity of the current jungle of variants.
Furthermore, we give an overview of all proposed mitigations and show that an attacker can still mount an attack despite the presence of implemented countermeasures.
Finally, we show new variants of the Meltdown attack, exploiting different parts of the CPU.

Michael Schwarz is an Infosec PhD candidate at Graz University of Technology with a focus on microarchitectural side-channel attacks and system security. He holds two master's degrees, one in computer science and one in software development with a strong focus on security. He frequently participates in CTFs and has also been a finalist in the European Cyber Security Challenge. He was a speaker at Black Hat Europe 2016, Black Hat Asia 2017 & 2018, and Black Hat US 2018, where he presented his research on microarchitectural side-channel attacks. He authored and co-authored several papers published at international academic conferences and journals, including USENIX Security 2016 & 2018, NDSS 2017, 2018 & 2019, IEEE S&P 2018 & 2019. He was part of one of the four research teams that found the Meltdown and Spectre bugs published in early 2018.

Claudio Canella is an InfoSec PhD Student and University Assistant at Graz University of Technology. His research focuses on microarchitectural side-channel attacks and system security.

Daniel Gruss (@lavados) is an Assistant Professor at Graz University of Technology. He finished his PhD with distinction in less than 3 years and received a series of awards for his dissertation. He has been involved in teaching operating system undergraduate courses since 2010, and he received the TU Graz award for excellence in teaching 2017/18. Daniel's research focuses on software-based side-channel attacks that exploit timing differences in hardware and operating systems. He implemented the first remote fault attack running in a website, known as Rowhammer.js. He frequently speaks at top international venues, such as Black Hat, USENIX Security, IEEE S&P, ACM CCS, Chaos Communication Congress, and others. His research team was one of the teams that found the Meltdown and Spectre bugs published in early 2018.

I am a PhD student in the Secure Systems group at the Institute of Applied Information Processing and Communications at Graz University of Technology. I am the founder of pwmt.org, an open-source community creating functional and simplistic applications and libraries. I am interested in microarchitectural side-channel attacks and apiculture.