52. Spooked about Spectre

After a brief discussion about cryptocurrency, Chris and Soroush discuss the CPU vulnerabilites that made news recently: Meltdown and Spectre.

• Kodak Debuts Bitcoin Miner as Blockchain Pivot Juices Stock Price
• Coinbase
• Dogecoin Market Cap Hits $1 Billion, to Its Creator’s Dismay
• Chris’s Meltdown & Spectre reading list
• Wired: A Critical Intel Flaw Breaks Basic Security for Most Computers
• Google Project Zero: Reading privileged memory with a side-channel
• Meltdown and Spectre
• Ad blockers
• iMore: Best ad blockers for iOS
• Better
• Adblock Plus
• uBlock Origin
• NoScript
• Apple: About the security content of macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan
• Mitigations for Chrome and Firefox
• A Timing Attack In Action
• Coding Rules (cryptocoding.net)

Some more advanced & background reading on Meltdown and Spectre:

• In-Order vs. Out-of-Order Execution (PDF)
• Branch Prediction (PDF)
• A brief history of branch prediction
• CPU Cache (Wikipedia)
• Understanding Cache Attacks (PDF)
• Memory Protection (Wikipedia)
• Spectre mitigation approach from Google: Retpoline: a software construct for preventing branch-target-injection

Comment from Chris after the show was posted:

Hi, all! I really struggled through my first Spectre explanation in this episode, but if you skip ahead to about 21:20 I think our discussion gets easier to follow. — Chris