Past Meetup

Meltdown & Spectre

This Meetup is past

21 people went

Location image of event venue

Details

• What we'll do
January this year, two _earth-shattering_ attacks have been made public: **Meltdown**, also known as #IntelBug, and **Spectre**, touching all platforms. They are possible thanks to speculative execution of code (a very interesting feature of modern CPU architectures) and affect pretty much everybody (a bit of a simplification here but you have a modern CPU, you're affected). Attacks are incredibly widespread since they are unearthed from the very bottom of all tech-stacks: the CPUs. Let's discuss both of them.

Short, one minute read: https://danielmiessler.com/blog/simple-explanation-difference-meltdown-spectre/

As ever, this is going to be reading club, so:

## Reading materials

1. https://meltdownattack.com/meltdown.pdf
2. https://spectreattack.com/spectre.pdf

These are two academic papers discussing both attacks and their discoveries. The site (both meltdownattack.com and spectreattack.com URLs are for one site) also holds nice and easy to digest information about the attacks.

Meltdown: http://blog.cyberus-technology.de/posts/2018-01-03-meltdown.html
Google Zero Team announcement: https://googleprojectzero.blogspot.co.at/2018/01/reading-privileged-memory-with-side.html
CERT KB page for the issue: http://www.kb.cert.org/vuls/id/584653

• What to bring
Paper or digital copies of reading materials, mainly two papers:

https://spectreattack.com/spectre.pdf
https://meltdownattack.com/meltdown.pdf

• Important to know
To be truly secure: change your CPU to one that's not affected. :( Yeah, we know.
Next best thing is to UPDATE YOUR OS. All major OSes have released / will soon release patches.
To be somewhat secure:
Turn on site isolation in Chrome/Chromium.
Turn off SharedArrayBuffer in Firefox.
Don't use browser AND password manager simultaneously (there's a JS exploit already, I hear, didn't verify).

Logos we used are kindly done by Natasha Eibl, https://vividfox.me/. She made them part of the public domain.