In this blog post, I'll describe the innerworkings of the two exploits in an intuitive manner. They both rely on leaking little bits of information many times to form a full picture.
Meltdown works by causing CPUs to preload data, then stashing it away before the CPU realizes that it made an illegal action. Two components of Meltdown are CPU superscaling and caches. Before we continue, let's take a moment to describe these.
Modern CPUs are multi-taskers -- they're always executing multiple instructions in parallel. As it's executing instruction A, it might start on instruction B. This feature is called superscaling.
Additionally, modern CPUs have what's known as cache. Cache is a small chunk of memory that's super tiny, but also super fast. If some memory address is accessed very frequently, the CPU will keep it close by in cache.
The Meltdown exploit begins when a user accesses secret data that they don't have access to. This data is loaded into the CPU before the CPU realizes it shouldn't have. The CPU handles this by finishing the current workload, panicking, and wiping the secret data.
Meltdown abuses the situation, again, by stashing the secret data before its wiped. Specifically, it accesses the memory address specified by the secret data.
After the CPU panic, the secret data may be retrieved by checking which memory address is cached. One method is to use time based checks.
Vulnerable pseudo-code is provided below.
a = secret_data b = array[ a ]
The sad thing is the exploit goes further. Say secret_data is reading from memory. Vulnerable Intel CPUs perform permission checks after loading data, so Meltdown can read kernel memory.
Which CPUs are vulnerable? Most Intel chips, including a few ARM chips are. As a case study, AMD isn't vulnerable because they don't perform superscaling in certain situations, including the one Meltdown specifically targets.
Spectre works very similarly to Meltdown. The main implementation difference is that it targets a different CPU optimization: branch prediction.
Branch prediction is an extension of superscaling. Let's say the CPU is looking ahead for the next instruction, and it comes across a conditional statement, like an if. The CPU doesn't know if the conditional code will run or not, because previous code is still running. Thanks superscaling.
To deal with this, the CPU will predict if the conditional code will run or not. This is called branch prediction. If when the previous code finishes, the CPU finds it guessed incorrectly, it will reset itself to before the conditional. Like a save point.
Here is where the Spectre exploit occurs. Let's say we have this vulnerable pseudo-code:
if ( x < 2 ): x = array1[ array2[ x ] ]
Let's assume the attacker controls the value x. The attacker first trains the branch predictor to guess that the if body runs, possibly though giving valid x multiple times. Then, the attacker can pass in any value of x, and thanks to branch prediction, the if body will still run.
Hence, the attacker can set x such that array2 reads from any arbitrary address of memory. Let's call this value the "secret data". The rest proceeds like Meltdown, in that the secret data is stashed away.
Which CPUs are vulnerable to Spectre? Sadly, most are vulnerable, including Intel, Samsung, AMD, and Qualcomm. On the bright side, Spectre doesn't suffer from permission issues like Meltdown, meaning kernel memory is safe.