22岁程序员如何发现史上最严重的芯片缺陷

2013年，一位名为雅恩·霍恩的青年参加了总理安格拉·默克尔的招待会。在一次由政府举办、旨在鼓励学生从事科研的竞赛中，他和其他64位德国年轻人表现优异。

就霍恩来说，这次竞赛起到了效果。去年夏天，作为一名22岁的谷歌（Google）网络安全研究员，他率先报告了至今为止发现的最严重芯片缺陷。整个行业目前仍未摆脱他的发现带来的影响，从今以后处理器的设计也要进行调整。这让他有违本愿地成为了一位名人。在上周苏黎世的行业会议上，他受到的热烈招待和迫切的问题证明了这一点。

通过对霍恩及其熟人的采访，我们掌握了他凭借坚定的意志和强大的头脑，偶然发现存在超过十年却不为人知的特性和缺陷的全过程。这些问题会让大部分个人计算机、互联网服务器和智能手机暴露于潜在的黑客行为之下。

比霍恩晚几个月找到相同安全漏洞的研究人员，对独立发现问题的他表示了赞叹。奥地利格拉茨科技大学（Graz University of Technology）的团队成员丹尼尔·格鲁斯表示：“我们有几个团队，也知道从哪着手。他是从头做起。”这个团队随后发现了如今被称作Meltdown和Spectre的问题。

去年4月底，当霍恩开始阅读英特尔（Intel Corp.）数千页的处理器手册时，没有想着要发现全球计算机芯片中存在的重大缺陷。他表示，自己当时只是想确定计算机的硬件可以处理他编写的一个需要极大数据运算量的代码。

但位于苏黎世的霍恩就职于Alphabet谷歌（Google）的精英项目Project Zero。这个项目中的成员，都是寻找“零日”漏洞的网络侦探，这些无意的设计瑕疵可能会被黑客利用来入侵计算机系统。

所以他开始仔细研究芯片进行推测执行（speculative execution）的方式，并抓取需求的数据。推测执行是一种加速技术，处理器会试图猜测下一步将使用哪一部分代码，并提前开始执行它们。霍恩表示，手册表明：如果处理器猜错了，那些错误的尝试记录仍会储存在芯片的存储器中。霍恩意识到，既然如此，这些信息可能会暴露在聪明的黑客眼前。

霍恩在回复彭博社问题的邮件中表示：“这时，我意识到我们正在编写的代码模式可能会泄露机密数据。随后，我意识到至少从理论上看，它的影响可能不仅限于我们编写的代码片段。”

这促使他展开了深入调查缺陷的“渐进过程”。霍恩表示，处理器检索信息的细微耗时差异大到何种地步，就可以让入侵者掌握信息的存储位置，这方面的研究，包括格鲁斯和格拉茨科技大学团队的成果，他都很关注。

霍恩与谷歌在苏黎世的另一位年轻研究人员菲利克斯·威廉探讨了这个问题，后者给霍恩提供了他和其他人完成的类似研究。霍恩说，这让他 “豁然开朗”。威廉和其他人测试的技术可以“反向运作”，强迫处理器运行通常情况下不会尝试的新的推测执行。这会欺骗芯片检索特定数据，从而让黑客获取它们。

霍恩表示，无意中发现了这些攻击芯片的办法后，他去请教了谷歌的老员工罗伯特·斯维基，他曾向他借过计算机来测试自己的部分想法。斯维基教他如何以最佳方式通知英特尔、ARM和超微半导体公司（Advanced Micro Devices Inc.）相关缺陷。于是霍恩在6月1日这么做了。

此举引发了这些全球最大的公司对漏洞的匆忙修补。到1月初，当Meltdown和Spectre漏洞公布于世时，大部分功劳都归于霍恩。官方网站的说明和安全补丁列出了超过十位汇报问题的研究人员，霍恩的名字在两项漏洞中都被列在首位。

在离德国北部海岸20英里的老城奥尔登堡（Oldenburg）的Caecilienschule高中，霍恩当时的计算机科学老师沃尔夫冈·赖因费尔特对他的成功并不惊讶。他说：“在我的印象里，雅恩一直都才智过人。”霍恩之前曾发现过学校计算机网络中的安全问题，赖因费尔特坦承这让他瞠目结舌。

霍恩在青少年时期就擅长数学和物理。为了在2013年获得默克尔的接见，他和学校的一个朋友构思了控制双摆运动的办法，这是一个著名的数学难题。两人编写了软件，使用传感器来预测运动，之后利用磁铁来修正意料之外或他们不希望出现的移动。问题的关键在于在混乱之中理出规律。他们在竞赛中得到了第五名，取得了前往柏林的资格，不过这只是霍恩能力的初步展现。

马里奥·海德里希是柏林网络安全咨询公司Cure53的创始人。他在2014年中期第一次注意到霍恩。那时，霍恩还不到20岁，就已经在针对如何绕开阻止恶意代码感染用户计算机的核心安全功能，发表有趣的推文。Cure53一直在研究类似的方法，所以海德里希给霍恩发了条信息，不久以后，他就邀请霍恩加入Cure53的小团队。

海德里希很快发现霍恩还是波鸿鲁尔大学（Ruhr University Bochum）的本科生，而海德里希也在那里做博士后研究。最终，他成为了霍恩本科毕业论文的导师，而霍恩与Cure53签约成为了承包人。

网络安全专家布莱恩特·扎德甘和安全信息初创公司Cyph的总裁赖安·莱斯特在2016年与霍恩共同提交了一项专利。扎德甘通过Cure53，邀请霍恩审核Cyph的服务，检查容易被黑客入侵的地方。他的发现最终成为了专利的一部分，而这一部分无比重要，以至于扎德甘认为霍恩的功劳足以让他成为发明者之一。他们开发的工具可以确保即使Cyph的主服务器被入侵，个人用户的数据也安全无虞。

扎德甘表示：“雅恩的特长在于他可以发现有趣的响应，那些计算机运转的有趣模式，他像是觉得‘这里有些奇怪’，然后他就会去深度挖掘。这就是他大脑的魔力。如果有些东西看起来有一点点毛病，他就会深入研究，找到它的运作机制。这就像是找到了母体错误一样。”

不久以后，Cure53的深度测试者就开始讨论所谓的“雅恩效应”——这位年轻的黑客不断开发极具创造力的攻击。海德里希表示，Meltdown和Spectre只是霍恩聪明才智的两个例子。“他不只是昙花一现。这就是他做的事情。”

在Cure53待了两年，完成了本科项目后，霍恩被谷歌招募，进入Project Zero。当霍恩要求海德里希为这份工作写封推荐信时，他感到喜忧参半。他说：“谷歌是霍恩的梦想，我们不会试图阻止他去那里。但让他离开确实很痛苦。”

霍恩如今已是明星，至少在网络安全领域如此。在漏洞公布后一周的1月11日，他在苏黎世的会议上，面对座无虚席的礼堂，展示了Spectre 和Meltdown的发现，并获得了同行研究者的响亮掌声。

剪着西瓜头、皮肤白皙、身材瘦削的霍恩操着带有德国口音的英语，向他的同行展示理论上的攻击模式。对于目前尚不清楚的事情，他口风很紧。霍恩对听众表示，在通知英特尔后，他与该公司几个月没有联系，直到这家芯片商在12月初给他电话，告诉他其他安全研究人员也报告了同样的漏洞。谷歌发言人亚伦·施泰因则有不同的说法：“雅恩在报告了这个问题之后，和Project Zero与英特尔保持了定期联系。”

就处理器的另一个设计特性也可能易于受到攻击的问题，一名同行向他询问，而霍恩用短暂而真诚的笑容回答道：“我对此感到疑惑，但我还没有深入调查。”（财富中文网）

 译者：严匡正

In 2013, a teenager named Jann Horn attended a reception in Berlin hosted by Chancellor Angela Merkel. He and 64 other young Germans had done well in a government-run competition designed to encourage students to pursue scientific research.

In Horn’s case, it worked. Last summer, as a 22-year-old Google cybersecurity researcher, he was first to report the biggest chip vulnerabilities ever discovered. The industry is still reeling from his findings, and processors will be designed differently from now on. That’s made him a reluctant celebrity, evidenced by the rousing reception and eager questions he received at an industry conference in Zurich last week.

Interviews with Horn and people who know him show how a combination of dogged determination and a powerful mind helped him stumble upon features and flaws that have been around for over a decade but had gone undetected, leaving most personal computers, internet servers and smartphones exposed to potential hacking.

Other researchers who found the same security holes months after Horn are amazed he worked alone. “We were several teams, and we had clues where to start. He was working from scratch,” said Daniel Gruss, part of a team at Graz University of Technology in Austria that later uncovered what are now known as Meltdown and Spectre.

Horn wasn’t looking to discover a major vulnerability in the world’s computer chips when, in late April, he began reading Intel Corp. processor manuals that are thousands of pages long. He said he simply wanted to make sure the computer hardware could handle a particularly intensive bit of number-crunching code he’d created.

But Zurich-based Horn works at Project Zero, an elite unit of Alphabet Inc.’s Google, made up of cybersleuths who hunt for “zero day” vulnerabilities, unintended design flaws that can be exploited by hackers to break into computer systems.

So he started looking closely at how chips handle speculative execution — a speed-enhancing technique where the processor tries to guess what part of code it will be required to execute next and starts performing those steps ahead of time — and fetching the required data. Horn said the manuals stated that if the processor guessed wrong, the data from those misguided forays would still be stored in the chip’s memory. Horn realized that, once there, the information might be exposed by a clever hacker.

“At this point, I realized that the code pattern we were working on might potentially leak secret data,” Horn said in emailed responses to Bloomberg questions. “I then realized that this could — at least in theory — affect more than just the code snippet we were working on.”

That started what he called a “gradual process” of further investigation that led to the vulnerabilities. Horn said he was aware of other research, including from Gruss and the team at Graz, on how tiny differences in the time it takes a processor to retrieve information could let attackers learn where information is stored.

Horn discussed this with another young researcher at Google in Zurich, Felix Wilhelm, who pointed Horn to similar research he and others had done. This led Horn to what he called “a big aha moment.” The techniques Wilhelm and others were testing could be “inverted” to force the processor to run new speculative executions that it wouldn’t ordinarily try. This would trick the chip into retrieving specific data that could be accessed by hackers.

Having come across these ways to attack chips, Horn said he consulted with Robert Swiecki, an older Google colleague whose computer he had borrowed to test some of his ideas. Swiecki advised him how best to tell Intel, ARM Holdings Plc. and Advanced Micro Devices Inc. about the flaws, which Horn did on June 1.

That set off a scramble by the world’s largest technology companies to patch the security holes. By early January, when Meltdown and Spectre were announced to the world, most of the credit went to Horn. The official online hub for descriptions and security patches lists more than ten researchers who reported the problems, and Horn is listed on top for both vulnerabilities.

Wolfgang Reinfeldt, Horn’s high school computer-science teacher at the Caecilienschule in the medieval city of Oldenburg about 20 miles from Germany’s north coast, isn’t surprised by his success. “Jann was in my experience always an outstanding mind,” he said. Horn found security problems with the school’s computer network that Reinfeldt admits left him speechless.

As a teenager he excelled at mathematics and physics. To reach the Merkel reception in 2013, he and a school friend conceived a way to control the movement of a double pendulum, a well-known mathematical conundrum. The two wrote software that used sensors to predict the movement, then used magnets to correct any unexpected or undesired movement. The key was to make order out of chaos. The pair placed fifth in the competition that took them to Berlin, but it was an early indicator of Horn’s ability.

Mario Heiderich, founder of Berlin-based cybersecurity consultancy Cure53, first noticed Horn in mid-2014. Not yet 20, Horn had posted intriguing tweets on a way to bypass a key security feature designed to prevent malicious code from infecting a user’s computer. Cure53 had been working on similar methods, so Heiderich shot Horn a message, and before long they were discussing whether Horn would like to join Cure53’s small team.

Heiderich soon discovered that Horn was still an undergraduate at the Ruhr University Bochum, where Heiderich was doing post-doctoral research. Ultimately, he became Horn’s undergraduate thesis supervisor, and Horn signed on at Cure53 as a contractor.

Cybersecurity specialist Bryant Zadegan and Ryan Lester, head of secure messaging startup Cyph, submitted a patent application alongside Horn in 2016. Zadegan had asked Horn, through Cure53, to audit Cyph’s service to check for hacking vulnerabilities. His findings ended up as part of the patent and proved so significant that Zadegan felt Horn more than merited credit as one of the inventors. The tool they built would ensure that, even if Cyph’s main servers were hacked, individual user data were not exposed.

“Jann’s skill set is that he would find an interesting response, some interesting pattern in how the computer works, and he’s just like ‘There’s something weird going on’ and he will dig,” Zadegan said. “That’s the magic of his brain. If something just seems a little bit amiss, he will dig further and find how something works. It’s like finding the glitch in the Matrix.”

Before long, Cure53’s penetration testers were talking about what they called “the Jann effect” — the young hacker consistently came up with extremely creative attacks. Meltdown and Spectre are just two examples of Horn’s brilliance, according to Heiderich. “He’s not a one-hit wonder. This is what he does.”

After two years at Cure53 and completing his undergraduate program, Horn was recruited by Google to work on Project Zero. It was a bittersweet day for Heiderich when Horn asked him to write a recommendation letter for the job. “Google was his dream, and we didn’t try to prevent him from going there,” he said. “But it was painful to let him go.”

Horn is now a star, at least in cybersecurity circles. He received resounding applause from fellow researchers when he presented his Spectre and Meltdown findings to a packed auditorium at a conference in Zurich on Jan. 11, a week after the attacks became public.

With bowl-cut brown hair, light skin and a thin build, Horn walked his fellow researchers through the theoretical attacks in English with a German accent. He gave little away that wasn’t already known. Horn told the crowd that after informing Intel, he had no contact with the company for months until the chipmaker called him in early December to say other security researchers had also reported the same vulnerabilities. Aaron Stein, a Google spokesman, has a different account though: “Jann and Project Zero were in touch with Intel regularly after Jann reported the issue.”

When a fellow researcher asked him about another possible aspect of processor design that might be vulnerable to attack, Horn said, with a brief-but-telling smile: “I’ve been wondering about it but I have not looked into it.”