Secure Digital Life #49
Recorded on January 23, 2018 at G-Unit Studios in Rhode Island!
Spectre, Meltdown, and AMD
This week: So you want to understand Spectre, Meltdown, and AMD?
This show: Understanding Memory or The Eternal Sunshine of the Spotless Mind
What is memory? In this context it is the allocation of of physical space into some kind of collection of "buffers" or pages.
So, take a big white board and divide it into some squares. (Maybe Russ can do this on skype).
The white board represents the physical memory space and squares represent the "pages" of memory which we can address. So, if each square on the white board is a "page" we can number them from 0 - F or 0 - FF or 0 - FFFF or whatever depending on how far they go.
Within each square we can use all sorts of different schemes to find things or put things there. So if Square 15 (F) is where we are storing things, we may number each bit (offset), byte (count by 8) or something else to represent the distance from the beginning of the square.
The interlude of typedef. Typedef means in any given system, we have some rules and we have to define those rules in our whiteboard model context (this would be how a new programming language gets developed). So say we define something called a "SHORT". SHORT can hold a number from 0 - F which means it is essentially an 4 bit number. If I need this, I have to set aside space for this thing somewhere so block out eight spaces in one of our pages on the white board. That location is where this SHORT is found. So, let's call that location 15, 0000. That is the address of this thing. In a programming language, we could "name" it so SHORT x = 35. That would store the number 35 in that location.
The interlude of Linked Lists. Linked lists mean we use a chain of things so that all these memory locations can be followed to their conclusion since it may not be possible that everything is stored contiguously.
Linked List example
So, when we want to reassemble the list or print it or display or whatever, the link points to the next link until it hits a ! which tells it stop. So, in this case the Linked list looks like this 0>>1>>2>>6>>8>>9>>3>>4>>A>>5>>7 which spells out ALINKEDLIST. So, if we know that page 10 offset 0 is the beginning, we can reproduce this value in some way using the linked list of pointers.
The sweet warm waters of buffer overflows
So, what is a buffer overflow/overrun? Let's use our original SHORT for this one. If you create a SHORT which is named FOO and set FOO == 8, that is fine. 8 is is a 4 bit number. But the biggest number in 4 bits is 15 (F) so what if I do FOO = 16 (0001 0000). OMGOMGOMGOMGOMG. Well, the result is a "buffer overflow" which is also sometimes known as Bedtime for Bonzo or System Crash or Good Night Ms. Calabash wherever you are. Basically, it's not clear what will happen. In most cases, this isn't going to do anything because the system will have error trapping built in to watch for such things and say "I'm sorry Dave but obviously you are really stupid so I am evacuating all the air in Discovery."
Nerd Interlude: Don't forget to mention the first televised buffer overflow which was caused by none other than Mr. Spock in "Wolf in the Fold"
Now, a page buffer overflow can be really exciting. So if each page we defined earlier is say 256 bits long, what if we try to store something there that is 257 bits long? Same story, we don't know what happens but it could be bad.
Stack and Heap Interlude
Hoowee, I think we just did computer science 1 and 2 in 15 minutes! So, before we can go forward we also have to understand stack and heap memory.
When programs are compiled, part of the design is to gather up all the allocations and assign them to locations on our whiteboard. If the application needs more than is possible, the compiler should issue an error or possibly evacuate all the air in the ship. This is called "STACK" memory and refers to assigned addresses like our linked list up earlier. If those are all shorts, then we issued 12 * 4 or 48 bits worth of stack. This is "hooked" or locked so that other things can't use this space while the application is running. If we don't hook it, well, someone else might be able to usurp the space while the program is running and suddenly the value in 1 changes from L to K and it says "A Kinked List".
Heap is the other pages which are out there and can be used "on the fly" while the program is running. So, we can reach out and grab space as the application runs and use it until we have no more. So, for instance:
01 x++; 02 goto 01;
This little instruction keeps adding to one (call 1-800-Enterprise) and ask for Mr. Spock. This is called an endless loop which in the case of the stack will just keep spinning for a LONG time in modern machines.
01 allocate a new SHORT X 02 goto 01
in the second case, we are now allocating new 4 bit X SHORTs off the heap forever. Eventually, you run out of heap memory and voila' another overflow.
All these things lead to unexpected behavior in the system and this is, of course, what hackers thrive on. Explain the ping of death.
Next Time on SDL: Doug writes a long letter to Majel Barrett explaining why that was a really illogical thing to do and we start talking about really nasty things like Stack overflows and the usurpation of linked lists.