Questions tagged [spectre]

For questions regarding Spectre security vulnerability. Questions related to the CSS framework, Spectre.css, should use the [tag:spectre.css] tag.

53 questions
278 votes, 3 answers

What is a retpoline and how does it work?

In order to mitigate against kernel or cross-process memory disclosure (the Spectre attack), the Linux kernel[1] will be compiled with a new option, -mindirect-branch=thunk-extern introduced to gcc to perform indirect calls through a so-called…
asked by BeeOnRope
19 votes, 2 answers

Workaround for Spectre warning MSVC C5040

MSVC just released an update which has added a new warning about some code the compiler will inject to mitigate (apparently some small bit) of Spectre: https://blogs.msdn.microsoft.com/vcblog/2018/01/15/spectre-mitigations-in-msvc/ Here's a little…
16 votes, 1 answer

How to mitigate Spectre with GCC and Clang (or LLVM in general)

Microsoft added a convenient /Qspectre to their MSVC compiler (although that seems to only be (trying to) mitigate Spectre v1 at the moment) that they will be updating over time. This is quite nice from a user's perspective, just enable that flag and…
asked by FSMaxB
13 votes, 3 answers

How does the Spectre attack read the cache it tricked the CPU into loading?

I understand the part of the paper where they trick the CPU into speculatively loading part of the victim memory into the CPU cache. The part I do not understand is how they retrieve it from the cache.
asked by NoSenseEtAl
8 votes, 3 answers

What are the differences between Meltdown and Spectre?

What are the key differences between the recently discovered hardware vulnerabilities Meltdown and Spectre? I know that they both rely on speculative execution, but how do they differ from each other?
asked by Dragonight
7 votes, 1 answer

Is it possible to temporarily suppress Intel CET for a single ret instruction, or otherwise use retpolines with it?

Intel CET (control-flow enforcement technology) consists of two pieces: SS (shadow stack) and IBT (indirect branch tracking). If you need to indirectly branch to somewhere that you can't put an endbr64 for some reason, you can suppress IBT for a…
6 votes, 3 answers

The inner workings of Spectre (v2)

I have done some reading about Spectre v2 and obviously you get the non-technical explanations. Peter Cordes has a more in-depth explanation but it doesn't fully address a few details. Note: I have never performed a Spectre v2 attack so I do not…
asked by Lewis Kelsey
5 votes, 1 answer

Why would one use "ret" instead of "call" to call a method?

While reading and learning from open source OSes I stumbled across an extremely complicated way of calling a "method" in assembly. It uses the 'ret' instruction to call a library method doing this: push rbp ; rsp[1] = rbp mov rbp,…
asked by RAVN Mateus
5 votes, 2 answers

Flush & Reload cache side channel attack

I'm trying to understand the Flush + Reload cache side channel attack. As far as I know, the attack utilizes the fact that unprivileged data could be loaded into the cache (when exploiting branch prediction, speculative execution, etc). Then, the…
5 votes, 3 answers

Branch Predictor Entries Invalidation when a program finishes?

I am trying to understand when branch predictor entries are invalidated. Here are the experiments I have done: Code1: start_measure_branch_mispred() while(X times): if(something something): do_useless() …
asked by yzb74714
4 votes, 1 answer

How can I create a Spectre gadget in practice?

I'm developing (NASM + GCC targeting ELF64) a PoC that uses a Spectre gadget that measures the time to access a set of cache lines (FLUSH+RELOAD). How can I make a reliable Spectre gadget? I believe I understand the theory behind the FLUSH+RELOAD…
asked by Margaret Bloom
4 votes, 3 answers

Spectre example

In the Spectre paper, there is an example which exploits an out-of-bounds array access (Section 1.2). The code is if (x < array1_size) y = array2[ array1[x] * 256 ]; The process is to train the correct path with some valid x values. Then an…
asked by mahmood
3 votes, 2 answers

Understanding Spectre Vulnerability with Branch Predictor

In the paper describing the Spectre vulnerability, we can see that it talks about this specific vulnerability: if (x < array1_size) y = array2[array1[x] * 256]; In the Spectre vulnerability, according to the paper, they first pass many legal values for x…
asked by mridul_verma
3 votes, 0 answers

Qspectre switch DLL characteristics

As Microsoft started to update the compiler for Visual Studio (15.5 and 15.6 Prev3 and 4), I was wondering if there is a possibility to check if an executable was compiled with the /qspectre or the equivalent /d2guardspecload switch, as it is possible with…
asked by Keine-Ahnung
2 votes, 1 answer

Assembly language (MASM) and Spectre: Variant 2 (CVE-2017-5715) Branch Target Injection

A couple of years ago, I wrote and updated our MASM codebase with this macro below to combat Spectre V2. NOSPEC_JMP MACRO target:REQ PUSH target JMP x86_indirect_thunk ENDM NOSPEC_CALL MACRO…
asked by vengy