
Meltdown and Spectre with Matt Godbolt [audio] - mariuz
http://cppcast.com/2018/01/matt-godbolt/
======
jsheard
Matt also posted a YouTube video explaining Meltdown/Spectre, with slides to
make the explanation easier to follow.

[https://www.youtube.com/watch?v=IPhvL3A-e6E](https://www.youtube.com/watch?v=IPhvL3A-e6E)

------
willvarfar
I wish it was more in-depth; e.g. retpoline seemed to be a 5-second thing
mentioned at the start. Does it go into a deep dive if you listen to the whole
thing?

~~~
sownkun
Yep

------
jnordwick
I still haven't seen a realistic exploit that recovers secret data without
assistance. Does anybody have a link to anything?

If Spectre and Meltdown aren't exploitable through something like JavaScript,
my caring goes down to almost zero.

And all native code proofs of concept seem to rely on data being artificially
pushed into L1 cache repeatedly. Without this, I'm not even sure a native code
exploit is really possible.

~~~
dustfinger
The white paper for meltdown suggests that it is possible to derandomize ASLR
in JavaScript. The reference they give is:

Gras, B., Razavi, K., Bosman, E., Bos, H., and Giuffrida, C. ASLR on the Line:
Practical Cache Attacks on the MMU. In NDSS (2017).

You might want to check it out. I intended to over the weekend.

Cheers!

~~~
jnordwick
Yeah, but there are more issues than just layout randomization, such as
forcing data into L1 cache. Even the native code exploits run locally have a
problem with this.

Thanks. I'll look at the paper though to see if this is still some
hypothetical issue or more practical.

~~~
ithkuil
All it takes for data to end up in L1 cache is to access it (even only once).
You don't have to access it in a special way to make it end up in L1. What you
have to do for cache side channel attacks is to force data _out_ of the cache,
so you can tell when some other data gets _in_. This can get quite noisy if
there is a lot of contention for the same cache lines. Also remember that the
information leak is not in the contents of the cached data, but in the
_address_ being cached.
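
To make the point of this comment concrete, here is an added example (my own code, not from the podcast or anyone in this thread) that models a shared set-associative cache in software. An observer fills every set with its own lines, a victim does one table lookup indexed by a byte, and the observer then re-touches its lines to see which set lost one. The observer recovers only the set index, i.e. address bits, never the table contents. A second victim that touches every table line regardless of the index shows why cache-oblivious access patterns close this channel. The cache geometry, the LRU policy and the addresses (kTableBase, kProbeBase) are constructed for the simulation; real attacks would have to time the probe accesses on real hardware, which this simulator replaces with a direct hit/miss answer.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <list>
#include <vector>

constexpr uint64_t kLineBytes = 64;
constexpr uint64_t kSets      = 256;   // one set per possible byte index into the table
constexpr unsigned kWays      = 4;

// Constructed addresses for the simulation; nothing here touches real memory.
constexpr uint64_t kTableBase = 0x100000;  // victim's 256-entry table, one line per entry
constexpr uint64_t kProbeBase = 0x800000;  // observer's buffer: kWays lines for every set

// Minimal set-associative cache with LRU replacement. Each set keeps its tags
// ordered most-recently-used first.
class SimCache {
 public:
  static uint64_t setIndex(uint64_t addr) { return (addr / kLineBytes) % kSets; }
  static uint64_t tag(uint64_t addr)      { return (addr / kLineBytes) / kSets; }

  // Touch one address. Returns true on a hit; on a miss in a full set the LRU
  // line is evicted. A single access is all it takes to bring a line in.
  bool access(uint64_t addr) {
    std::list<uint64_t>& set = sets_[setIndex(addr)];
    const uint64_t t = tag(addr);
    auto it = std::find(set.begin(), set.end(), t);
    if (it != set.end()) { set.erase(it); set.push_front(t); return true; }
    if (set.size() == kWays) set.pop_back();
    set.push_front(t);
    return false;
  }

 private:
  std::list<uint64_t> sets_[kSets];
};

// Observer fills every set with its own lines ("force data out" of the cache).
static void prime(SimCache& c) {
  for (unsigned w = 0; w < kWays; ++w)
    for (uint64_t s = 0; s < kSets; ++s)
      c.access(kProbeBase + (w * kSets + s) * kLineBytes);
}

// Observer re-touches its lines; a miss means some other line moved into that
// set. On hardware this step is a timing measurement; the simulator just asks.
static std::vector<uint64_t> probe(SimCache& c) {
  std::vector<uint64_t> evictedSets;
  for (uint64_t s = 0; s < kSets; ++s) {
    bool missed = false;
    for (unsigned w = 0; w < kWays; ++w)
      if (!c.access(kProbeBase + (w * kSets + s) * kLineBytes)) missed = true;
    if (missed) evictedSets.push_back(s);
  }
  return evictedSets;
}

// Leaky victim: one lookup whose address depends on the secret byte. The only
// thing that reaches the shared cache is the address, never the table contents.
static void victimLookup(SimCache& c, uint8_t secret) {
  c.access(kTableBase + static_cast<uint64_t>(secret) * kLineBytes);
}

// Mitigated victim: touch every line of the table so the eviction pattern no
// longer depends on the secret (constant-time code then selects the wanted entry
// with masks instead of an index; that selection is left out here).
static void victimLookupAllLines(SimCache& c, uint8_t secret) {
  (void)secret;
  for (uint64_t i = 0; i < kSets; ++i) c.access(kTableBase + i * kLineBytes);
}

// Set index the observer sees evicted after the leaky lookup, or -1 if ambiguous.
int inferTableIndex(uint8_t secret) {
  SimCache c;
  prime(c);
  victimLookup(c, secret);
  std::vector<uint64_t> ev = probe(c);
  return ev.size() == 1 ? static_cast<int>(ev[0]) : -1;
}

// Number of sets the observer sees evicted against the mitigated victim.
size_t evictedSetsWithMitigation(uint8_t secret) {
  SimCache c;
  prime(c);
  victimLookupAllLines(c, secret);
  return probe(c).size();
}

int main() {
  std::printf("leaky victim, index 0x41: observer infers %d\n", inferTableIndex(0x41));
  std::printf("mitigated victim, index 0x41: %zu of %llu sets evicted\n",
              evictedSetsWithMitigation(0x41), static_cast<unsigned long long>(kSets));
  return 0;
}
```

With the table base aligned to a set boundary, the set that loses an observer line is exactly the index byte, which is why table-driven code (S-box lookups, bit-sliced alternatives aside) is the classic victim of this channel and why the noise mentioned above matters: any other tenant touching the same set produces the same miss.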

~~~
jnordwick
All I'm still seeing is "No, we still don't have an actual real world exploit
yet, even though we keep saying how easy it is."

------
corysama
The entire podcast series is great. If you have any interest in C++, I highly
recommend subscribing.

~~~
pjmlp
Yes, the guys are great, the guests are always interesting, and it is a good way
to keep up with C++, even for those of us who spend most of our time in other
language ecosystems.

~~~
krylon
As a non-C++ person, I agree wholeheartedly.

Language preferences aside, this is one of the best programming podcasts I
have come across.

