The "Meltdown" Story: How A Researcher Discovered The "Worst" Flaw In Intel History

Daniel Gruss didn't sleep much the night he hacked his own computer and exposed a flaw in most of the chips made in the past two decades by hardware giant Intel, something we discussed in "Why The Implications Of The Intel "Bug" Are Staggering." And as Reuters describes in fascinating detail, the 31-year-old information security researcher and post-doctoral fellow at Austria's Graz Technical University had just breached the inner sanctum of his computer's CPU and stolen secrets from it.

Until that moment, Gruss and colleagues Moritz Lipp and Michael Schwarz had thought such an attack on the processor's 'kernel' memory, which is meant to be inaccessible to users, was only theoretically possible.

"When I saw my private website addresses from Firefox being dumped by the tool I wrote, I was really shocked," Gruss told Reuters in an email interview, describing how he had unlocked personal data that should be secured.
Gruss, Lipp and Schwarz, working from their homes on a weekend in early December, messaged each other furiously to verify the result.

"We sat for hours in disbelief until we eliminated any possibility that this result was wrong," said Gruss, whose mind kept racing even after powering down his computer, so he barely caught a wink of sleep.

Gruss and his colleagues had just confirmed the existence of what he regards as "one of the worst CPU bugs ever found".

The flaw, now named Meltdown, was revealed on Wednesday and affects most processors manufactured by Intel since 1995.

Separately, a second defect called Spectre has been found that also exposes core memory in most computers and mobile devices running on chips made by Intel, Advanced Micro Devices and ARM Holdings, a unit of Japan's Softbank.

Both would enable a hacker to access secret passwords or photos from desktops, laptops, cloud servers or smartphones. It is not known whether criminals have been able to carry out such attacks, since neither Meltdown nor Spectre leaves any trace in conventional log files: the reads happen inside the processor and never go through an operating-system call that could be audited.

Intel says it has started providing software and firmware updates to mitigate the security issues. ARM has also said it was working with AMD and Intel on security fixes.

Finding a Fix

The discovery was originally reported by online tech journal The Register. As a result of that report, research on the defect was published a week earlier than the manufacturers had planned, before some had time to work out a complete fix.

The Graz team had already been working on a kernel patch to defend against attempts to steal secrets from kernel memory.

In a paper presented last June they called it KAISER, or Kernel Address Isolation to have Side-channels Effectively Removed.

As the name suggests, KAISER defends kernel memory against side-channel attacks by keeping most of it out of the page tables used while user code runs, so that the kernel's addresses are simply not mapped when an unprivileged program is executing. The side channel it was built to close exploits a design feature of modern processors that increases their speed.

Modern processors execute instructions "out of order" and speculatively: rather than wait on a slow memory access or an unresolved branch, the CPU guesses how things will turn out and keeps working on that assumption. If the guess is right, time is saved. If it is wrong, the results of the work done under that assumption are thrown away and execution resumes from the correct point, so the bet costs little when it fails and pays off when it succeeds. What is not thrown away is the state those discarded instructions left behind in the processor's caches, and that residue is the side channel: an attacker cannot read the discarded value directly, but can measure which cache line the discarded work touched and infer the value from that. Meltdown's insight was that on affected Intel CPUs the check that user code may not read kernel memory is enforced only when the offending instruction is retired, so the transient instructions that run before the fault is raised can already have used the forbidden byte to select a cache line.

Researcher Anders Fogh wrote in a subsequent blog post that it might be possible to abuse speculative execution in this way to read kernel memory. He was not able to do so in practice, however.
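The cache side channel described above, as an added example that is neither the Graz team's code nor anything from the Reuters story: a Flush+Reload covert channel in C. A sender touches one line of a 256-slot probe array, and a receiver that is never handed the value recovers it by timing every slot and picking the one that comes back fast. It assumes an x86 CPU with rdtscp and clflush (on other targets it compiles to a stub that returns -1); the page-sized slot stride, the scrambled reload order and the sample timings in decode_constructed_sample() are choices made here, not anything taken from the article. It deliberately contains only the channel, not the transient-execution half that would feed it a kernel byte.

```c
/*
 * Flush+Reload demo (added example, not code from the Graz team or Reuters).
 * Only the covert-channel half of the attacks discussed above: a "sender"
 * touches one cache line of a probe array and a "receiver" that never sees
 * the value recovers it from access latency alone. Nothing here reads kernel
 * memory; the transient-execution half is deliberately left out.
 *
 * Build: gcc -O1 -o fr flush_reload.c   (x86 only; other targets build a stub)
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOT_STRIDE 4096   /* one page per value: keeps hardware prefetchers from pulling in neighbours */
#define SLOTS       256    /* one slot per possible byte value */
#define TRIALS      100

static uint8_t probe[SLOTS * SLOT_STRIDE];

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
#define HAVE_TIMER 1
static void flush_slot(int i) { _mm_clflush(&probe[i * SLOT_STRIDE]); }
/* Cycles to load one byte: a cache hit is typically well under 100, a miss several hundred. */
static uint64_t time_slot(int i)
{
    volatile uint8_t *p = &probe[i * SLOT_STRIDE];
    unsigned int aux;
    _mm_mfence();
    uint64_t t0 = __rdtscp(&aux);
    uint8_t v = *p;
    _mm_lfence();
    uint64_t t1 = __rdtscp(&aux);
    (void)v;
    return t1 - t0;
}
#else
#define HAVE_TIMER 0
static void flush_slot(int i) { (void)i; }
static uint64_t time_slot(int i) { (void)i; return 0; }
#endif

/* Receiver's decoder: the one slot that comes back fast is the one the sender touched. */
int guess_byte(const uint64_t times[SLOTS])
{
    int best = 0;
    for (int i = 1; i < SLOTS; i++)
        if (times[i] < times[best]) best = i;
    return best;
}

/* Sender + receiver, one round. Returns the recovered byte, or -1 where unsupported. */
int flush_reload_roundtrip(uint8_t secret)
{
    if (!HAVE_TIMER) return -1;
    static int warmed;
    if (!warmed) { memset(probe, 1, sizeof probe); warmed = 1; }  /* map every page first */

    for (int i = 0; i < SLOTS; i++) flush_slot(i);      /* Flush: evict all 256 lines */
    volatile uint8_t *touch = &probe[secret * SLOT_STRIDE];
    uint8_t sink = *touch;                              /* sender: one access keyed on the secret */
    (void)sink;

    uint64_t times[SLOTS];
    for (int k = 0; k < SLOTS; k++) {                   /* Reload: time every line, scrambled order */
        int i = (k * 167 + 13) & 0xff;                  /* 167 is odd, so this is a permutation */
        times[i] = time_slot(i);
    }
    return guess_byte(times);
}

/* Constructed timings (not measured): every slot a miss except 'M', which is a hit. */
int decode_constructed_sample(void)
{
    uint64_t times[SLOTS];
    for (int i = 0; i < SLOTS; i++) times[i] = 300;
    times['M'] = 48;
    return guess_byte(times);
}

int main(void)
{
    const char msg[] = "KAISER";
    for (size_t n = 0; n < sizeof msg - 1; n++) {
        int hits = 0;
        for (int t = 0; t < TRIALS; t++)
            hits += flush_reload_roundtrip((uint8_t)msg[n]) == msg[n];
        printf("sent '%c': recovered in %d/%d trials\n", msg[n], hits, TRIALS);
    }
    return 0;
}
```

On an idle x86 machine the recovered byte matches the sent one in nearly every trial; a noisy system lowers the hit rate, which is why real attacks repeat the measurement and vote. The decoder here simply takes the fastest slot; a fixed threshold (hit if under roughly 100 cycles) is the usual alternative when more than one line may be warm, and the right cutoff has to be calibrated per machine.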

Responsible Disclosure

Only after the December self-hacking episode did the significance of the Graz team's earlier work become clear. It turned out that the KAISER patch presented an effective defense against Meltdown, since a kernel address that is not mapped while user code runs cannot be read transiently either. The team quickly got in touch with Intel and learned that other researchers - inspired in part by Fogh's blog - had made similar discoveries.

They were working under so-called responsible disclosure, where researchers inform affected companies of their findings to give them time to prepare 'patches' to repair flaws they have exposed.

The key players were independent researcher Paul Kocher and the team at a company called Cyberus Technology, said Gruss, while Jann Horn at Google Project Zero came to similar conclusions independently.

"We merged our efforts in mid-December with the team around Paul Kocher and the people from Cyberus Technology to work on two solid publications on Meltdown and Spectre," said Gruss.

Gruss had not even been aware of the work Horn was doing.

"Jann Horn developed all of this independently - that's incredibly impressive," he said. "We developed very similar attacks, but we were a team of 10 researchers."

The wider team said patches for Meltdown, based on KAISER, had been readied for Microsoft and Apple operating systems, as well as for Linux, where the mechanism was merged under the name kernel page-table isolation (KPTI). On Linux 4.15 and later a system reports whether it is active in /sys/devices/system/cpu/vulnerabilities/meltdown, which reads "Mitigation: PTI" on a patched kernel and "Vulnerable" otherwise.

There is as yet no fix for Spectre, which tricks programmes into leaking their secrets but is viewed as a harder exploit for a hacker to carry out.

Asked which of the two flaws posed the greater challenge, Gruss said: "The immediate problem is Meltdown. After that it is going to be Spectre. Spectre is more difficult to exploit but also to mitigate. So in the long run I'd bet on Spectre."


IH8OBAMA FoggyWorld Fri, 01/05/2018 - 13:22

Most of those CPUs are hard wired on the motherboard. Is everyone supposed to throw away their MB or laptop and go buy a new one when the CPUs have been redesigned to fix this vulnerability?

Sounds like a scam or built in flaw to boost computer/chip sales to me. Trash your old computer and buy a new one or you are vulnerable! LOL

In reply to by FoggyWorld

Pinto Currency USisCorrupt Fri, 01/05/2018 - 13:47

Google told Intel of this open door in their chips months ago (did they respond 'thanks, that's how we designed them' ?):


Probably not material information.

There are no other security flaws in Intel's chips. Promising for real this time.

In reply to by USisCorrupt

beemasters serotonindumptruck Fri, 01/05/2018 - 17:30

Hmmm... Nobody figured out how the elites control the world till now. Imagine the blackmail by the so-called "Deep State" if they have access to all politicians' personal information.

And this is likely how DC gets controlled by Israel, folks. Information is Power.
On the bright side, this revelation may be the beginning of their end... although with one or two that the researchers know, there may be other backdoors that they don't.

In reply to by serotonindumptruck

Conscious Reviver Bunga Bunga Fri, 01/05/2018 - 19:52

Not so Bunga.

Read this - Secret 3G Radio in Every Intel vPro CPU Could Steal Your Ideas at Any Time

This is not Meltdown. This is not Spectre. This is another Intel design "feature" that is in reality a spying opportunity. If you buy a dual processor from Intel, you really bought a triple processor. The 3rd processor is the Intel Management Core. It sees all. It is not visible to any operating system. You can shut down and turn off your device, yet it still can run if you have battery or did not unplug your device. You can turn off your router. No problem. It calls home on its own dedicated 3G connection. It can write to your device. Hello kiddie porn. Check it out. Not science fiction. A designed in 3rd party access for Intel and friends. I had a better link before. I'll look for it.

Among other potential exploits, Intel and friends can collect your cryptos whenever they want unless they're in a paper wallet only or in a faraday cage.

A better link.

In reply to by Bunga Bunga

halcyon Conscious Reviver Sat, 01/06/2018 - 00:47

You can actually disable the Intel ME. Some mfgs are already shipping comps w/o ME.

You can't disable OoO execution in almost all Intel, AMD and ARM CPUs.

That is why China, India, Russia and EU want to see their own chips in the future.

US tech industry has zero credibility left.

They are just fronts to NSA/NRO/CIA spying programs, all of them, not just Facebook, MSFT, Apple, Amazon and Google.

Good riddance.

I'd trust a China SoC or CPU over anything USA made. At least they are not going to (and can't) extradite me to a black torture site, drone strike me or cut off my SWIFT financial access. USS does all of those daily.

Sorry USA deep state, you blew it. For the whole fucking world.


In reply to by Conscious Reviver

webmatex halcyon Sat, 01/06/2018 - 05:45

True that. Just built a new AMD rig; I knew about the INTEL thing 4 or 5 years ago.

Came to the same conclusion. Chinese are no problem to me, and I get an AMD Ryzen 5 1600 6 Core for half the price, and the processor can be replaced and upgraded until 2021 unlike the fixed Intel crap. Whole rig cost €500.

Made a cloned SSD on the old Win7 machine with all my stuff, then converted it to AHCI format, removed the drive and put it in the new PC, and it booted first time.

Microshift does not support Ryzen on Win7, which is fine as I blocked Windows Update years ago anyway and will not ever deal with them ever again.

My last AMD machine is 10 years old and still running.

Waiting for the chinese alternative to Windozz to arrive and i will buy it just to kill microsoft as i have done with Intel.

The Bitter Windows Widow.

In reply to by halcyon

webmatex webmatex Sat, 01/06/2018 - 07:42

And here’s the kicker: AMD has minimal if any exposure and said so, despite Intel saying it is at risk. Even though AMD came up with 64-bit extensions, which Intel licenses, the two firms implemented their 64-bit architectures in completely different ways.

The difference is AMD’s chips don’t do speculative loads if there is the potential for memory access violations. They don’t load data beyond the branch point, so no predicting is done. Intel does the exact opposite. It’s more aggressive in its use of branch prediction and it bit them.…

In reply to by webmatex

napper halcyon Sat, 01/06/2018 - 15:16

The irony is that when China tried to acquire Intel chips for its supercomputers, the US govt stopped the sale on grounds of "threat to national security". So China turned to its domestic chip suppliers, and found that not only were the domestic products a lot cheaper, they were also faster and more energy efficient!!



In reply to by halcyon

bluez Conscious Reviver Sat, 01/06/2018 - 14:10

You may remember my Deep Core War.

I don't design CPUs so I'm not exactly sure, but my take has always been that this would be due to a bottleneck on the bus between the RAM memory and the CPUs. A CPU will sit waiting for a new instruction from the RAM, which is a long time, so it makes a guess what the RAM will tell it, so it begins processing as if its guess is correct, which saves a lot of time. Except if the data from the RAM tells it the guess was wrong, it has to dump the computed data and start all over again. But this is significantly faster, on average. It "plays the market". I always thought that, even though it works, there was something hackish and generally bad about this scheme. Guess I was right.

In addition, there is a "north bridge" and a "south bridge" which used to be two discrete chips on the motherboard, but are now "absorbed" into the CPU. The north bridge mediates between the CPU and the fast stuff, like video and RAM, and the south bridge communicates with the slow stuff, like the hard drive and the Internet, and so on. The south bridge has morphed into an entire miniature CPU core, the invisible Deep Core.

Computers are not to be trusted.

In reply to by Conscious Reviver

NidStyles moonshadow Fri, 01/05/2018 - 16:46

I like how we are supposed to believe this dopey looking moron was the first person to discover that the most well engineered pieces in the history of humanity have had a flaw that is exactly the same after numerous revisions over 20 years.

I guess everyone forgot that Intel switched up the X86 architecture and reduced the pipeline design to a more ARM like format about 12 years ago when they started developing the "Core" architecture. Meaning the "flaw" was most likely engineered into the platform.

In reply to by moonshadow

a Smudge by an… Dilluminati Sat, 01/06/2018 - 14:30

Gee I didn't even think of the retail ramifications of this. That's gonna be freaking huge. I was busy thinking of what this will do to the cloud industry. Monumental impact. M$ and Google can ride this out. Amazon? Amazon loses money anyway so who cares right? But cloud was pretty much their cash cow. If this doesn't impact their valuation then I just don't know what.

I guess Apple is breathing a sigh of relief...

Any speculation on what this will do to facebook & Netflix?


In reply to by Dilluminati