Spectre (security vulnerability)#SpectreRSB

In 2002 and 2003, Yukiyasu Tsunoo and colleagues from NEC showed how to attack MISTY and DES symmetric key ciphers, respectively. In 2005, Daniel Bernstein from the University of Illinois, Chicago reported an extraction of an OpenSSL AES key via a cache timing attack, and Colin Percival had a working attack on the OpenSSL RSA key using the Intel processor's cache. In 2013 Yuval Yarom and Katrina Falkner from the University of Adelaide showed how measuring the access time to data lets a nefarious application determine if the information was read from the cache or not. If it was read from the cache the access time would be very short, meaning the data read could contain the private key of encryption algorithms. This technique was used to successfully attack GnuPG, AES and other cryptographic implementations.{{cite conference |author-first1=Yukiyasu |author-last1=Tsunoo |author-first2=Etsuko |author-last2=Tsujihara |author-first3=Kazuhiko |author-last3=Minematsu |author-first4=Hiroshi |author-last4=Miyauchi |title=Cryptanalysis of Block Ciphers Implemented on Computers with Cache |conference=ISITA 2002 |date=January 2002}}{{cite conference |title=Cryptanalysis of DES Implemented on Computers with Cache Cryptanalysis of DES Implemented on Computers with Cache |author-first1=Yukiyasu |author-last1=Tsunoo |author-first2=Teruo |author-last2=Saito |author-first3=Tomoyasu |author-last3=Suzaki |author-first4=Maki |author-last4=Shigeri |author-first5=Hiroshi |author-last5=Miyauchi |conference=Cryptographic Hardware and Embedded Systems, CHES 2003, 5th International Workshop |location=Cologne, Germany |date=2003-09-10 |orig-year=2003-09-10}}{{cite web |url=http://cr.yp.to/antiforgery/cachetiming-20050414.pdf |title=Cache-timing attacks on AES |author-first=Daniel J. |author-last=Bernstein |author-link=Daniel J. Bernstein |date=2005-04-14 |access-date=2018-05-26 |url-status=live |archive-url=https://web.archive.org/web/20180117195730/http://cr.yp.to/antiforgery/cachetiming-20050414.pdf |archive-date=2018-01-17}}{{cite web |author-last=Percival |author-first=Colin |author-link=Colin Percival |date=May 2005 |title=Cache missing for fun and profit |url=http://www.daemonology.net/papers/htt.pdf |url-status=live |archive-url=https://web.archive.org/web/20171012203138/http://www.daemonology.net/papers/htt.pdf |archive-date=2017-10-12 |access-date=2018-05-26 |work=BSDCan '05 |type=Conference presentation slides}} [http://www.daemonology.net/papers/bsdcan05.pdf] {{Webarchive|url=https://web.archive.org/web/20181212155053/http://www.daemonology.net/papers/bsdcan05.pdf|date=2018-12-12}} Superseded by: {{cite web |date=October 2005 |title=Cache missing for fun and profit |url=http://www.daemonology.net/papers/cachemissing.pdf |url-status=live |archive-url=https://web.archive.org/web/20180519215507/https://www.daemonology.net/papers/cachemissing.pdf |archive-date=2018-05-19 |access-date=2018-05-26}}{{cite conference |url=https://www.usenix.org/node/184416 |title=FLUSH+RELOAD: A High Resolution, Low Noise, L3 Cache Side-Channel Attack |first1=Yuval |last1=Yarom |first2=Katrina |last2=Falkner |publisher=The University of Adelaide |conference=23rd USENIX Symposium |location=San Diego, California |date=2014-08-24 |orig-year=2014-08-24 |access-date=2018-05-26 |url-status=live |archive-url=https://web.archive.org/web/20180305022116/https://www.usenix.org/node/184416 |archive-date=2018-03-05|isbn=9781931971157 }}{{cite web |url=https://www.youtube.com/watch?v=Fjz4dkU2N3g |title=CacheBleed A Timing Attack on OpenSSL Constant Time RSA |author-first1=Yuval |author-last1=Yarom |author-first2=Daniel |author-last2=Genkin |author-first3=Nadia |author-last3=Heninger |author3-link=Nadia Heninger |work=CHES 2016 |date=2016-09-21 |access-date=2018-01-15 |archive-date=2018-12-12 |archive-url=https://web.archive.org/web/20181212155257/https://www.youtube.com/watch?v=Fjz4dkU2N3g |url-status=live }} (Yuval Yarom referring to the history.) In January 2017, Anders Fogh gave a presentation at the Ruhr University Bochum about automatically finding covert channels, especially on processors with a pipeline used by more than one processor core.{{cite web |author-last=Fogh |author-first=Anders |date=2017-01-12 |title=Covert shotgun: Automatically finding covert channels in SMT |url=https://www.youtube.com/watch?v=oVmPQCT5VkY&t=t119 |url-status=live |archive-url=https://web.archive.org/web/20181212155320/https://www.youtube.com/watch?v=oVmPQCT5VkY&t=t119 |archive-date=2018-12-12 |access-date=2018-01-14 |work=HackPra channel from the Chair of Network and Data Security |publisher=Ruhr University Bochum}} [https://www.youtube.com/watch?v=oVmPQCT5VkY&t=475] {{Webarchive|url=https://web.archive.org/web/20181212155117/https://www.youtube.com/watch?v=oVmPQCT5VkY&t=475|date=2018-12-12}} (Fogh describing a side channel using fashioned listening to a safe while turning its wheel.)

Spectre proper was discovered independently by Jann Horn from Google's Project Zero and Paul Kocher in collaboration with Daniel Genkin, Mike Hamburg, Moritz Lipp, and Yuval Yarom.{{cite web |url=https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/ |title=Mozilla Foundation Security Advisory 2018-01 – Speculative execution side-channel attack ("Spectre") |website=Mozilla |access-date=2018-05-26 |url-status=live |archive-url=https://web.archive.org/web/20180516111657/https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/ |archive-date=2018-05-16}} It was made public in conjunction with another vulnerability, Meltdown, on 3 January 2018, after the affected hardware vendors had already been made aware of the issue on 1 June 2017.{{cite news |url=https://www.theguardian.com/technology/2018/jan/04/meltdown-spectre-worst-cpu-bugs-ever-found-affect-computers-intel-processors-security-flaw |title=Meltdown and Spectre: 'worst ever' CPU bugs affect virtually all computers |author-first=Samuel |author-last=Gibbs |newspaper=The Guardian |date=2018-01-04 |access-date=2018-01-06 |url-status=live |archive-url=https://web.archive.org/web/20180106114401/https://www.theguardian.com/technology/2018/jan/04/meltdown-spectre-worst-cpu-bugs-ever-found-affect-computers-intel-processors-security-flaw |archive-date=2018-01-06}} The vulnerability was called Spectre because it was "based on the root cause, speculative execution. As it is not easy to fix, it will haunt us for quite some time."{{cite web |url=https://spectreattack.com/ |title=Meltdown and Spectre |website=spectreattack.com |access-date=2018-01-04 |archive-date=2018-01-03 |archive-url=https://web.archive.org/web/20180103221345/https://spectreattack.com/ |url-status=live }}

On 28 January 2018, it was reported that Intel shared news of the Meltdown and Spectre security vulnerabilities with Chinese technology companies, before notifying the U.S. government of the flaws.{{cite web |author-last=Lynley |author-first=Matthew |title=Intel reportedly notified Chinese companies of chip security flaw before the U.S. government |url=https://techcrunch.com/2018/01/28/intel-reportedly-notified-chinese-companies-of-chip-security-flaw-before-the-u-s-government/ |date=2018-01-28 |work=TechCrunch |access-date=2018-01-28 |archive-date=2018-02-16 |archive-url=https://web.archive.org/web/20180216155611/https://techcrunch.com/2018/01/28/intel-reportedly-notified-chinese-companies-of-chip-security-flaw-before-the-u-s-government/ |url-status=live }}

On 29 January 2018, Microsoft was reported to have released a Windows update that disabled the problematic Intel Microcode fix—which had, in some cases, caused reboots, system instability, and data loss or corruption—issued earlier by Intel for the Spectre Variant 2 attack.{{cite web |author-last=Tung |author-first=Liam |title=Windows emergency patch: Microsoft's new update kills off Intel's Spectre fix – The out-of-band update disabled Intel's mitigation for the Spectre Variant 2 attack, which Microsoft says can cause data loss on top of unexpected reboots |url=https://www.zdnet.com/article/windows-emergency-patch-microsofts-new-update-kills-off-intels-spectre-fix/ |date=2018-01-29 |work=ZDNet |access-date=2018-01-29 |archive-date=2018-04-04 |archive-url=https://web.archive.org/web/20180404120954/http://www.zdnet.com/article/windows-emergency-patch-microsofts-new-update-kills-off-intels-spectre-fix/ |url-status=live }}{{cite web |author= |title=Update to Disable Mitigation against Spectre, Variant 2 |url=https://support.microsoft.com/en-us/help/4078130/update-to-disable-mitigation-against-spectre-variant-2 |date=2018-01-26 |work=Microsoft |access-date=2018-01-29 |archive-date=2018-03-31 |archive-url=https://web.archive.org/web/20180331084055/https://support.microsoft.com/en-us/help/4078130/update-to-disable-mitigation-against-spectre-variant-2 |url-status=live }} Woody Leonhard of ComputerWorld expressed a concern about installing the new Microsoft patch.{{cite web |author-last=Leonhard |author-first=Woody |title=Windows Surprise Patch KB 4078130: The Hard Way to Disable Spectre 2 |url=https://www.computerworld.com/article/3252025/microsoft-windows/windows-surprise-patch-kb-4078130-the-hard-way-to-disable-spectre-2.html |date=2018-01-29 |work=Computerworld |access-date=2018-01-29 |archive-date=2018-01-29 |archive-url=https://web.archive.org/web/20180129224547/https://www.computerworld.com/article/3252025/microsoft-windows/windows-surprise-patch-kb-4078130-the-hard-way-to-disable-spectre-2.html |url-status=dead }}

Since the disclosure of Spectre and Meltdown in January 2018, much research had been done on vulnerabilities related to speculative execution. On 3 May 2018, eight additional Spectre-class flaws provisionally named Spectre-NG by c't (a German computer magazine) were reported affecting Intel and possibly AMD and ARM processors. Intel reported that they were preparing new patches to mitigate these flaws.

• {{cite magazine |title=Super-GAU für Intel: Weitere Spectre-Lücken im Anflug |language=de |author-first=Jürgen |author-last=Schmidt |journal=c't - magazin für computertechnik |publisher=Heise Online |date=2018-05-03 |url=https://www.heise.de/ct/artikel/Super-GAU-fuer-Intel-Weitere-Spectre-Luecken-im-Anflug-4039134.html |access-date=2018-05-03 |url-status=live |archive-url=https://web.archive.org/web/20180505150707/https://www.heise.de/ct/artikel/Super-GAU-fuer-Intel-Weitere-Spectre-Luecken-im-Anflug-4039134.html |archive-date=2018-05-05}}
• {{cite magazine |title=Exclusive: Spectre-NG – Multiple new Intel CPU flaws revealed, several serious |author-first=Jürgen |author-last=Schmidt |journal=c't - magazin für computertechnik |publisher=Heise Online |date=2018-05-03 |url=https://www.heise.de/ct/artikel/Exclusive-Spectre-NG-Multiple-new-Intel-CPU-flaws-revealed-several-serious-4040648.html |access-date=2018-05-04 |url-status=live |archive-url=https://web.archive.org/web/20180505113543/https://www.heise.de/ct/artikel/Exclusive-Spectre-NG-Multiple-new-Intel-CPU-flaws-revealed-several-serious-4040648.html |archive-date=2018-05-05}}{{cite journal |title=Spectre-NG: Intel-Prozessoren von neuen hochriskanten Sicherheitslücken betroffen, erste Reaktionen von AMD und Intel |language=de |author-first=Martin |author-last=Fischer |journal=c't - magazin für computertechnik |publisher=Heise Online |date=2018-05-03 |url=https://www.heise.de/security/meldung/Spectre-NG-Intel-Prozessoren-von-neuen-hochriskanten-Sicherheitsluecken-betroffen-4039302.html |access-date=2018-05-04 |url-status=live |archive-url=https://web.archive.org/web/20180505131934/https://www.heise.de/security/meldung/Spectre-NG-Intel-Prozessoren-von-neuen-hochriskanten-Sicherheitsluecken-betroffen-4039302.html |archive-date=2018-05-05}}{{cite web |author-last=Tung |author-first=Liam |title=Are 8 new 'Spectre-class' flaws about to be exposed? Intel confirms it's readying fixes |date=2018-05-04 |url=https://www.zdnet.com/article/are-8-new-spectre-class-flaws-about-to-be-exposed/ |website=ZDNet |access-date=2018-03-04 |url-status=live |archive-url=https://web.archive.org/web/20180522152328/https://www.zdnet.com/article/are-8-new-spectre-class-flaws-about-to-be-exposed/ |archive-date=2018-05-22}}{{cite web |title=8 New Spectre-Class Vulnerabilities (Spectre-NG) Found in Intel CPUs |date=2018-05-04 |author-first=Mohit |author-last=Kumar |work=The Hacker News |url=https://thehackernews.com/2018/05/intel-spectre-vulnerability.html |access-date=2018-05-05 |url-status=live |archive-url=https://web.archive.org/web/20180505154309/https://thehackernews.com/2018/05/intel-spectre-vulnerability.html |archive-date=2018-05-05}} Affected are all Core i Series processors and Xeon derivates since Nehalem (2010) and Atom-based processors since 2013. Intel postponed their release of microcode updates to 10 July 2018.{{cite web |title=Intel Postpones Patching 'Spectre NG' CPU Flaws |author-first=Lucian |author-last=Armasu |date=2018-05-08 |work=Tom's Hardware |url=https://www.tomshardware.com/news/intel-spectre-ng-cpu-flaws,37018.html |access-date=2018-05-11 |archive-date=2018-05-09 |archive-url=https://web.archive.org/web/20180509045225/https://www.tomshardware.com/news/intel-spectre-ng-cpu-flaws,37018.html |url-status=live }}{{cite web |title=Spectre-NG: Intel verschiebt die ersten Patches – koordinierte Veröffentlichung aufgeschoben |language=de |author-first=Jürgen |author-last=Schmidt |date=2018-05-07 |work=Heise Online |url=https://www.heise.de/security/meldung/Spectre-NG-Intel-verschiebt-die-ersten-Patches-koordinierte-Veroeffentlichung-aufgeschoben-4043790.html |access-date=2018-05-07 |url-status=live |archive-url=https://web.archive.org/web/20180507201057/https://www.heise.de/security/meldung/Spectre-NG-Intel-verschiebt-die-ersten-Patches-koordinierte-Veroeffentlichung-aufgeschoben-4043790.html |archive-date=2018-05-07}}

{{anchor|V3a|V4}}

On 21 May 2018, Intel published information on the first two Spectre-NG class side-channel vulnerabilities {{CVE|2018-3640|link=no}} (Rogue System Register Read, Variant 3a) and {{CVE|2018-3639|link=no}} (Speculative Store Bypass, Variant 4),{{cite web |title=CPU-Sicherheitslücken Spectre-NG: Updates rollen an Update |language=de |author-first=Christof |author-last=Windeck |date=2018-05-21 |work=Heise Security |url=https://www.heise.de/security/meldung/CPU-Sicherheitsluecken-Spectre-NG-Updates-rollen-an-4051900.html |access-date=2018-05-21 |url-status=live |archive-url=https://web.archive.org/web/20180521231256/https://www.heise.de/security/meldung/CPU-Sicherheitsluecken-Spectre-NG-Updates-rollen-an-4051900.html |archive-date=2018-05-21}}{{cite web |title=Side-Channel Vulnerability Variants 3a and 4 |id=Alert (TA18-141A) |date=2018-05-21 |publisher=US-CERT |url=https://www.us-cert.gov/ncas/alerts/TA18-141A |access-date=2018-05-21 |url-status=live |archive-url=https://web.archive.org/web/20180521231825/https://www.us-cert.gov/ncas/alerts/TA18-141A |archive-date=2018-05-21}} also referred to as Intel SA-00115 and HP PSR-2018-0074, respectively.

{{anchor|2018-3665}}According to Amazon Germany, Cyberus Technology, SYSGO, and Colin Percival (FreeBSD), Intel revealed details on the third Spectre-NG variant {{CVE|2018-3665|link=no}} (Lazy FP State Restore, Intel SA-00145) on 13 June 2018.{{cite web |author-last=Vaughan-Nichols |author-first=Steven J. |title=Another day, another Intel CPU security hole: Lazy State – Intel has announced that there's yet another CPU security bug in its Core-based microprocessors |url=https://www.zdnet.com/article/another-day-another-intel-cpu-security-hole-lazy-state/ |date=2018-06-13 |work=ZDNet |access-date=2018-06-14 |archive-date=2018-06-14 |archive-url=https://web.archive.org/web/20180614123121/https://www.zdnet.com/article/another-day-another-intel-cpu-security-hole-lazy-state/ |url-status=live }}{{cite web |author-last=Armasu |author-first=Lucian |title=Intel CPUs Affected By Yet Another Speculative Execution Flaw |url=https://www.tomshardware.com/news/intel-processors-lazyfp-speculative-execution,37302.html |date=2018-06-14 |work=Tom's Hardware |access-date=2018-06-14 |archive-date=2018-09-02 |archive-url=https://web.archive.org/web/20180902002056/https://www.tomshardware.com/news/intel-processors-lazyfp-speculative-execution,37302.html |url-status=live }}{{cite web |title=CPU-Bug Spectre-NG Nr. 3: Lazy FP State Restore |language=de |author-first=Christof |author-last=Windeck |date=2018-06-14 |work=Heise Security |url=https://www.heise.de/security/meldung/CPU-Bug-Spectre-NG-Nr-3-Lazy-FP-State-Restore-4078222.html |access-date=2018-06-14 |url-status=live |archive-url=https://web.archive.org/web/20180614200513/https://www.heise.de/security/meldung/CPU-Bug-Spectre-NG-Nr-3-Lazy-FP-State-Restore-4078222.html |archive-date=2018-06-14}}{{cite web |title=Spectre-NG: Harte Kritik von OpenBSD-Entwickler Theo de Raadt |language=de |author-first=Christof |author-last=Windeck |date=2018-06-14 |work=Heise Security |url=https://www.heise.de/security/meldung/Spectre-NG-Harte-Kritik-von-OpenBSD-Entwickler-Theo-de-Raadt-4078903.html |access-date=2018-06-14 |url-status=live |archive-url=https://web.archive.org/web/20180614201355/https://www.heise.de/security/meldung/Spectre-NG-Harte-Kritik-von-OpenBSD-Entwickler-Theo-de-Raadt-4078903.html |archive-date=2018-06-14}} It is also known as Lazy FPU state leak (abbreviated "LazyFP") and "Spectre-NG 3".

{{anchor|2018-3693}}On 10 July 2018, Intel revealed details on another Spectre-NG class vulnerability called "Bounds Check Bypass Store" (BCBS), or "Spectre 1.1" ({{CVE|2018-3693|link=no}}), which was able to write as well as read out of bounds.{{cite web |title=Speculative Execution Branch Prediction Side Channel and Branch Prediction Analysis Method |publisher=Intel |orig-year=2018-01-03 |date=2018-07-10 |id=INTEL-OSS-10002 |url=https://01.org/security/advisories/intel-oss-10002 |access-date=2018-07-15 |url-status=live |archive-url=https://web.archive.org/web/20180714203507/https://01.org/security/advisories/intel-oss-10002 |archive-date=2018-07-14}}{{cite web |title=Analysis of Speculative Execution Side Channels |type=White Paper |version=Revision 4.0 |date=July 2018 |publisher=Intel |id=336983-004 |url=https://software.intel.com/sites/default/files/managed/b9/f9/336983-Intel-Analysis-of-Speculative-Execution-Side-Channels-White-Paper.pdf |access-date=2018-07-15 }}{{cite web |author-last=Schmidt |author-first=Jürgen |date=2018-07-11 |title=Spectre-NG: Intel dokumentiert 'spekulativen Buffer Overflow' |url=https://www.heise.de/security/meldung/Spectre-NG-Intel-dokumentiert-spekulativen-Buffer-Overflow-4108008.html |url-status=live |archive-url=https://web.archive.org/web/20180715085602/https://www.heise.de/security/meldung/Spectre-NG-Intel-dokumentiert-spekulativen-Buffer-Overflow-4108008.html |archive-date=2018-07-15 |access-date=2018-07-15 |work=Heise Security |language=de}} [https://heise.de/-4108008] {{Webarchive|url=https://web.archive.org/web/20240524003109/https://www.heise.de/news/Spectre-NG-Intel-dokumentiert-spekulativen-Buffer-Overflow-4108008.html|date=2024-05-24}}{{cite arXiv |eprint=1807.03757v1|last1=Kiriansky|first1=Vladimir|title=Speculative Buffer Overflows: Attacks and Defenses|last2=Waldspurger|first2=Carl|class=cs.CR|year=2018}} Another variant named "Spectre 1.2" was mentioned as well.

{{anchor|V5|SpectreRSB}}In late July 2018, researchers at the universities of Saarland and California revealed ret2spec (aka "Spectre v5") and SpectreRSB, new types of code execution vulnerabilities using the return stack buffer (RSB).{{cite web |title=ret2spec: Speculative Execution Using Return Stack Buffers |author-first1=Giorgi |author-last1=Maisuradze |author-first2=Christian |author-last2=Rossow |date=July 2018 |publisher=Center for IT-Security, Privacy and Accountability (CISPA), University of Saarland |edition=preliminary version for ACM CCS 2018 |url=https://christian-rossow.de/publications/ret2spec-ccs2018.pdf |access-date=2018-08-01 |url-status=live |archive-url=https://web.archive.org/web/20180801115538/https://christian-rossow.de/publications/ret2spec-ccs2018.pdf |archive-date=2018-08-01}}{{cite arXiv |eprint=1807.07940 |class=cs.CR |last1=Kiriansky |first1=Vladimir |title=Spectre Returns! Speculation Attacks using the Return Stack Buffer |last2=Waldspurger |first2=Carl |last3=Song |first3=Chengyu |last4=Abu-Ghazaleh |first4=Nael |year=2018 }}{{cite web |title=CPU-Lücken ret2spec und SpectreRSB entdeckt |language=de |author-first=Christof |author-last=Windeck |date=2018-07-24 |publisher=Heise Security |url=https://www.heise.de/security/meldung/CPU-Luecken-ret2spec-und-SpectreRSB-entdeckt-4119197.html |access-date=2018-08-01 |url-status=live |archive-url=https://web.archive.org/web/20180801114421/https://www.heise.de/security/meldung/CPU-Luecken-ret2spec-und-SpectreRSB-entdeckt-4119197.html |archive-date=2018-08-01}}

{{anchor|NetSpectre}}At the end of July 2018, researchers at the Graz University of Technology revealed "NetSpectre", a new type of remote attack similar to Spectre v1, but which does not need attacker-controlled code to be run on the target device at all.{{cite web |title=NetSpectre: Read Arbitrary Memory over Network |author-first1=Michael |author-last1=Schwarz |author-first2=Martin |author-last2=Schwarzl |author-first3=Moritz |author-last3=Lipp |author-first4=Daniel |author-last4=Gruss |date=July 2018 |publisher=Graz University of Technology |url=https://misc0110.net/web/files/netspectre.pdf |access-date=2018-07-28 |url-status=live |archive-url=https://web.archive.org/web/20180728064922/https://misc0110.net/web/files/netspectre.pdf |archive-date=2018-07-28}}{{cite web |title=NetSpectre liest RAM via Netzwerk aus |language=de |author-first=Christof |author-last=Windeck |date=2018-07-27 |publisher=Heise Security |url=https://www.heise.de/security/meldung/NetSpectre-liest-RAM-via-Netzwerk-aus-4121831.html |access-date=2018-07-28 |url-status=live |archive-url=https://web.archive.org/web/20180728064929/https://www.heise.de/security/meldung/NetSpectre-liest-RAM-via-Netzwerk-aus-4121831.html |archive-date=2018-07-28}}

On 8 October 2018, Intel was reported to have added hardware and firmware mitigations regarding Spectre and Meltdown vulnerabilities to its latest processors.{{cite web |author-last=Shilov |author-first=Anton |title=Intel's New Core and Xeon W-3175X Processors: Spectre and Meltdown Security Update |url=https://www.anandtech.com/show/13450/intels-new-core-and-xeon-w-processors-fixes-for-spectre-meltdown |date=2018-10-08 |work=AnandTech |access-date=2018-10-09 |archive-date=2018-10-09 |archive-url=https://web.archive.org/web/20181009051844/https://www.anandtech.com/show/13450/intels-new-core-and-xeon-w-processors-fixes-for-spectre-meltdown |url-status=live }}

In November 2018, five new variants of the attacks were revealed. Researchers attempted to compromise CPU protection mechanisms using code to exploit the CPU pattern history table, branch target buffer, return stack buffer, and branch history table.{{cite news |url=https://www.zdnet.com/article/researchers-discover-seven-new-meltdown-and-spectre-attacks/ |title=Researchers discover seven new Meltdown and Spectre attacks |author-first=Catalin |author-last=Cimpanu |work=ZDNet |date=2018-11-14 |access-date=2018-11-17 |archive-date=2018-11-16 |archive-url=https://web.archive.org/web/20181116183149/https://www.zdnet.com/article/researchers-discover-seven-new-meltdown-and-spectre-attacks/ |url-status=live }}

In August 2019, a related speculative execution CPU vulnerability, Spectre SWAPGS ({{CVE|2019-1125|link=no}}), was reported.{{Cite web|url=https://www.bitdefender.com/business/swapgs-attack.html|title=Bitdefender SWAPGS Attack Mitigation Solutions|website=www.bitdefender.com|access-date=2019-08-07|archive-date=2020-03-04 |archive-url=https://web.archive.org/web/20200304215614/https://www.bitdefender.com/business/swapgs-attack.html|url-status=live}}{{Cite web|url=https://chromium.googlesource.com/chromiumos/third_party/kernel/+/refs/tags/v4.19.65/Documentation/admin-guide/hw-vuln/spectre.rst|title=Documentation/admin-guide/hw-vuln/spectre.rst - chromiumos/third_party/kernel - Git at Google|website=chromium.googlesource.com|access-date=2019-08-07|archive-date=2019-08-07 |archive-url=https://web.archive.org/web/20190807125636/https://chromium.googlesource.com/chromiumos/third_party/kernel/%2B/refs/tags/v4.19.65/Documentation/admin-guide/hw-vuln/spectre.rst|url-status=dead}}{{cite news |last=Winder |first=Davey |title=Microsoft Confirms New Windows CPU Attack Vulnerability, Advises All Users To Update Now |url=https://www.forbes.com/sites/daveywinder/2019/08/06/microsoft-confirms-new-windows-cpu-attack-vulnerability--advises-all-users-to-update-now/ |date=6 August 2019 |work=Forbes |access-date=7 August 2019 |archive-date=2019-08-09 |archive-url=https://web.archive.org/web/20190809194524/https://www.forbes.com/sites/daveywinder/2019/08/06/microsoft-confirms-new-windows-cpu-attack-vulnerability--advises-all-users-to-update-now/ |url-status=live }}

In July 2020 a team of researchers from TU Kaiserslautern, Germany published a new Spectre variant called "Spectre-STC" (single-threaded contention). This variant makes use of port contention in shared resources and can be applied even in single-threaded cores. {{cite book |last1=Fadiheh |first1=Mohammad Rahmani |last2=Müller |first2=Johannes |last3=Brinkmann |first3=Raik |last4=Mitra |first4=Subhasish |last5=Stoffel |first5=Dominik |last6=Kunz |first6=Wolfgang |title=2020 57th ACM/IEEE Design Automation Conference (DAC) |chapter=A Formal Approach for Detecting Vulnerabilities to Transient Execution Attacks in Out-of-Order Processors |url=https://ieeexplore.ieee.org/document/9218572 |via=IEEE Xplore |date=2020 |pages=1–6 |publisher=IEEE |doi=10.1109/DAC18072.2020.9218572 |isbn=978-1-7281-1085-1 |s2cid=222297495 |access-date=5 September 2023 |archive-date=2023-07-14 |archive-url=https://web.archive.org/web/20230714193044/https://ieeexplore.ieee.org/document/9218572/ |url-status=live }}

In late April 2021, a related vulnerability was discovered that breaks through the security systems designed to mitigate Spectre through use of the micro-op cache. The vulnerability is known to affect Skylake and later processors from Intel and Zen-based processors from AMD.{{Cite web|url=https://www.cs.virginia.edu/venkat/papers/isca2021a.pdf|title=I See Dead µops: Leaking Secrets via Intel/AMD Micro-Op Caches|website=cs.virginia.edu|access-date=2021-05-05|archive-url=https://web.archive.org/web/20210504193603/https://www.cs.virginia.edu/venkat/papers/isca2021a.pdf|archive-date=2021-05-04}}

In February 2023, a team of researchers at North Carolina State University uncovered a new code execution vulnerability called Spectre-HD, also known as "Spectre SRV" or "Spectre v6". This vulnerability leverages speculative vectorization with selective replay (SRV) technique showing "Leakage from Higher Dimensional Speculation".{{Cite book |last1=Sun |first1=Peng |last2=Gabrielli |first2=Giacomo |last3=Jones |first3=Timothy M. |title=2021 ACM/IEEE 48th Annual International Symposium on Computer Architecture (ISCA) |chapter=Speculative Vectorisation with Selective Replay |date=June 2021 |chapter-url=https://ieeexplore.ieee.org/document/9499938 |location=Valencia, Spain |publisher=IEEE |pages=223–236 |doi=10.1109/ISCA52012.2021.00026 |isbn=978-1-6654-3333-4 |s2cid=235415645 |access-date=2023-03-11 |archive-date=2023-05-26 |archive-url=https://web.archive.org/web/20230526002721/https://ieeexplore.ieee.org/document/9499938 |url-status=live }}{{Cite arXiv |last1=Karuppanan |first1=Sayinath |last2=Mirbagher Ajorpaz |first2=Samira |date=2 Feb 2023 |title=An Attack on The Speculative Vectorization: Leakage from Higher Dimensional Speculation |class=cs.CR |eprint=2302.01131 }}

Instead of a single easy-to-fix vulnerability, the Spectre white paper describes a whole class{{cite web |title=Reading privileged memory with a side-channel |url=https://googleprojectzero.blogspot.fi/2018/01/reading-privileged-memory-with-side.html |date=2018 |url-status=live |archive-url=https://web.archive.org/web/20180104115801/https://googleprojectzero.blogspot.fi/2018/01/reading-privileged-memory-with-side.html |archive-date=2018-01-04}} of potential vulnerabilities. They are all based on exploiting side effects of speculative execution, a common means of hiding memory latency and so speeding up execution in modern microprocessors. In particular, Spectre centers on branch prediction, which is a special case of speculative execution. Unlike the related Meltdown vulnerability disclosed at the same time, Spectre does not rely on a specific feature of a single processor's memory management and protection system, but is instead a more generalized idea.

The starting point of the white paper is that of a side-channel timing attack{{cite web |title=Mitigations landing for new class of timing attack |url=https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ |date=2018 |url-status=live |archive-url=https://web.archive.org/web/20180104180058/https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ |archive-date=2018-01-04}} applied to the branch prediction machinery of modern microprocessors with speculative execution. While at the architectural level documented in processor data books, any results of misprediction are specified to be discarded after the fact, the resulting speculative execution may still leave side effects, like loaded cache lines. These can then affect the so-called non-functional aspects of the computing environment later on. If such side effects{{snd}} including but not limited to memory access timing{{snd}} are visible to a malicious program, and can be engineered to depend on sensitive data held by the victim process, then these side effects can result in such data becoming discernible. This can happen despite the formal architecture-level security arrangements working as designed; in this case, lower, microarchitecture-level optimizations to code execution can leak information not essential to the correctness of normal program execution.

The Spectre paper explains the attack in four essential steps:

1. First, it shows that branch prediction logic in modern processors can be trained to reliably hit or miss based on the internal workings of a malicious program.
2. It then goes on to show that the subsequent difference between cache hits and misses can be reliably timed, so that what should have been a simple non-functional difference can in fact be subverted into a covert channel which extracts information from an unrelated process's inner workings.
3. Thirdly, the paper synthesizes the results with return-oriented programming exploits and other principles with a simple example program and a JavaScript snippet run under a sandboxing browser; in both cases, the entire address space of the victim process (i.e. the contents of a running program) is shown to be readable by simply exploiting speculative execution of conditional branches in code generated by a stock compiler or the JavaScript machinery present in an existing browser. The basic idea is to search existing code for places where speculation touches upon otherwise inaccessible data, manipulate the processor into a state where speculative execution has to contact that data, and then time the side effect of the processor being faster, if its by-now-prepared prefetch machinery indeed did load a cache line.
4. Finally, the paper concludes by generalizing the attack to any non-functional state of the victim process. It briefly discusses even such highly non-obvious non-functional effects as bus arbitration latency.

Spectre Variant 1, also called Bounds Check Bypass, is an exploit of CPU speculative execution in conditional branches related to memory access bounds. This occurs because the CPU speculatively accesses memory with specific bounds, such as arrays, leading to a bounds bypass (out-of-bounds index access). This speculative execution happens before the CPU validates the bounds check or reverts after a misprediction occurs, resulting in a side-channel leakage. {{cite web |url=https://docs.kernel.org/admin-guide/hw-vuln/spectre.html | title=linux kernel documentation}}

This attack is the result of conditional branch misprediction, which causes a vulnerable processor to speculatively access out-of-bounds data before the access is validated and before any exception arises.

Spectre Variant 2, also called Branch Target Injection, is an exploitation of the CPU's speculative execution of indirect branches, unlike Spectre Variant 1, which is related to conditional branches. This vulnerability arises due to misprediction by the indirect branch predictor.

This vulnerability differs from Variant 1 because indirect branches are branches whose targets are unknown at compile time and need to be resolved dynamically. An attacker can poison the Branch Target Buffer (a buffer that stores the history of previously taken branches), causing the indirect branch predictor to mispredict and redirect execution to locations that the program's control flow would never legitimately reach.

While Spectre is simpler to exploit with a compiled language such as C or C++ by locally executing machine code, it can also be remotely exploited by code hosted on remote malicious web pages, for example interpreted languages like JavaScript, which run locally using a web browser. The scripted malware would then have access to all the memory mapped to the address space of the running browser.{{cite web |title=Spectre Attack Whitepaper |url=https://spectreattack.com/spectre.pdf |access-date=2018-02-08 |archive-date=2018-01-03 |archive-url=https://web.archive.org/web/20180103225843/https://spectreattack.com/spectre.pdf |url-status=live }}

The exploit using remote JavaScript follows a similar flow to that of a local machine code exploit: flush cache → mistrain branch predictor → timed reads (tracking hit / miss).

The clflush instruction (cache-line flush) cannot be used directly from JavaScript, so ensuring it is used requires another approach. There are several automatic cache eviction policies which the CPU may choose, and the attack relies on being able to force that eviction for the exploit to work. It was found that using a second index on the large array, which was kept several iterations behind the first index, would cause the least recently used (LRU) policy to be used. This allows the exploit to effectively clear the cache just by doing incremental reads on a large dataset. The branch predictor would then be mistrained by iterating over a very large dataset using bitwise operations for setting the index to in-range values, and then using an out-of-bounds address for the final iteration. A high-precision timer would then be required in order to determine if a set of reads led to a cache-hit or a cache-miss. While browsers like Chrome, Firefox, and Tor Browser (based on Firefox) have placed restrictions on the resolution of timers (required in Spectre exploit to determine if cache hit/miss), at the time of authoring the white paper, the Spectre author was able to create a high-precision timer using the web worker feature of HTML5.

Careful coding and analysis of the machine code executed by the just-in-time compilation (JIT) compiler was required to ensure the cache-clearing and exploitive reads were not optimized out.

As of 2018, almost every computer system is affected by Spectre, including desktops, laptops, and mobile devices. Specifically, Spectre has been shown to work on Intel, AMD, ARM-based, and IBM processors.{{cite web |author= |url=https://spectreattack.com/#faq-systems-spectre |title=Meltdown and Spectre-faq-systems-spectre |date=2018 |work=Graz University of Technology |access-date=2018-01-04 |url-status=live |archive-url=https://web.archive.org/web/20180103233556/https://spectreattack.com/#faq-systems-spectre |archive-date=2018-01-03}}{{cite web |author-last1=Busvine |author-first1=Douglas |author-last2=Nellis |author-first2=Stephen |title=Security flaws put virtually all phones, computers at risk |url=https://www.reuters.com/article/us-cyber-intel/security-flaws-put-virtually-all-phones-computers-at-risk-idUSKBN1ES1BO |date=2018-01-03 |website=Reuters |publisher=Thomson-Reuters |access-date=2018-01-03 |ref=busvined_nelliss |url-status=live |archive-url=https://web.archive.org/web/20180103232451/https://www.reuters.com/article/us-cyber-intel/security-flaws-put-virtually-all-phones-computers-at-risk-idUSKBN1ES1BO |archive-date=2018-01-03}}{{cite web |url=https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/ |title=Potential Impact on Processors in the POWER family |website=IBM |date=2018 |access-date=2018-01-10 |archive-date=2018-04-03 |archive-url=https://web.archive.org/web/20180403044519/https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/ |url-status=live }} Intel responded to the reported security vulnerabilities with an official statement.{{cite web |author= |title=Intel Responds To Security Research Findings |url=https://newsroom.intel.com/news/intel-responds-to-security-research-findings/ |date=2018-01-03 |work=Intel |access-date=2018-01-04 |url-status=live |archive-url=https://web.archive.org/web/20180103211746/https://newsroom.intel.com/news/intel-responds-to-security-research-findings/ |archive-date=2018-01-03}} AMD originally acknowledged vulnerability to one of the Spectre variants (GPZ variant 1), but stated that vulnerability to another (GPZ variant 2) had not been demonstrated on AMD processors, claiming it posed a "near zero risk of exploitation" due to differences in AMD architecture. In an update nine days later, AMD said that "GPZ Variant 2 ... is applicable to AMD processors" and defined upcoming steps to mitigate the threat. Several sources took AMD's news of the vulnerability to GPZ variant 2 as a change from AMD's prior claim, though AMD maintained that their position had not changed.{{cite web |author-last=Novet |author-first=Jordan |title=AMD stock drops 3 percent after the company says its chips are affected by security flaw |url=https://www.cnbc.com/2018/01/11/amd-stock-drops-3-percent-after-the-company-says-its-chips-are-affected-by-security-flaw.html |website=CNBC |access-date=2018-04-07 |date=2018-01-11 |archive-date=2018-04-08 |archive-url=https://web.archive.org/web/20180408073946/https://www.cnbc.com/2018/01/11/amd-stock-drops-3-percent-after-the-company-says-its-chips-are-affected-by-security-flaw.html |url-status=live }}{{cite web |title=AMD Chips Vulnerable to Both Variants of Spectre Security Flaw |url=http://fortune.com/2018/01/11/amd-chips-vulnerable-to-both-variants-of-spectre-security-flaw/ |website=Fortune |access-date=2018-04-07 |archive-date=2018-04-08 |archive-url=https://web.archive.org/web/20180408073710/http://fortune.com/2018/01/11/amd-chips-vulnerable-to-both-variants-of-spectre-security-flaw/ |url-status=live }}

Researchers have indicated that the Spectre vulnerability can possibly affect some Intel, AMD, and ARM processors.{{cite web |title=Who's affected by computer chip security flaw |url=http://chronicle.augusta.com/news/business/2018-01-04/who-s-affected-computer-chip-security-flaw |access-date=2018-01-04 |url-status=dead |archive-url=https://web.archive.org/web/20180104214625/http://chronicle.augusta.com/news/business/2018-01-04/who-s-affected-computer-chip-security-flaw |archive-date=2018-01-04}}{{cite web |url=https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/ |title=Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign |work=The Register |date=2018-01-02 |access-date=2018-01-09 |archive-date=2018-04-07 |archive-url=https://web.archive.org/web/20180407091509/http://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/ |url-status=live }}{{cite web |author= |url=https://spectreattack.com/#faq-systems-spectre |title=Meltdown and Spectre-faq-systems-spectre |date=2018 |work=Graz University of Technology |access-date=2018-01-04 |archive-date=2018-01-03 |archive-url=https://web.archive.org/web/20180103221345/https://spectreattack.com/#faq-systems-spectre |url-status=live }}{{cite web |author-last1=Busvine |author-first1=Douglas |author-last2=Nellis |author-first2=Stephen |title=Security flaws put virtually all phones, computers at risk |url=https://www.reuters.com/article/us-cyber-intel/security-flaws-put-virtually-all-phones-computers-at-risk-idUSKBN1ES1BO |date=2018-01-03 |website=Reuters |publisher=Thomson-Reuters |access-date=2018-01-03 |ref=busvined_nelliss |archive-date=2018-04-03 |archive-url=https://web.archive.org/web/20180403211757/https://www.reuters.com/article/us-cyber-intel/security-flaws-put-virtually-all-phones-computers-at-risk-idUSKBN1ES1BO |url-status=live }} Specifically, processors with speculative execution are affected with these vulnerabilities.{{cite web |url=https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html |title=Today's CPU vulnerability: what you need to know |access-date=2018-01-09 |archive-date=2018-03-15 |archive-url=https://web.archive.org/web/20180315193514/https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html |url-status=live }}

ARM has reported that the majority of their processors are not vulnerable, and published a list of the specific processors that are affected by the Spectre vulnerability: Cortex-R7, Cortex-R8, Cortex-A8, Cortex-A9, Cortex-A15, Cortex-A17, Cortex-A57, Cortex-A72, Cortex-A73 and ARM Cortex-A75 cores.{{cite web |url=https://developer.arm.com/support/security-update |title=Arm Processor Security Update |publisher=ARM Ltd. |website=ARM Developer |date=2018-01-03 |access-date=2018-01-05 |archive-date=2018-04-04 |archive-url=https://web.archive.org/web/20180404110048/https://developer.arm.com/support/security-update |url-status=live }} Other manufacturers' custom CPU cores implementing the ARM instruction set, such as those found in newer members of the Apple A series processors, have also been reported to be vulnerable.{{Cite news |title=About speculative execution vulnerabilities in ARM-based and Intel CPUs |work=Apple Support |url=https://support.apple.com/en-ca/ht208394 |access-date=2018-07-17 |archive-date=2018-07-17 |archive-url=https://web.archive.org/web/20180717183418/https://support.apple.com/en-ca/ht208394 |url-status=live }} In general, higher-performance CPUs tend to have intensive speculative execution, making them vulnerable to Spectre.{{cite web|title=Spectre Side Channels|url=https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html|publisher=kernel.org|access-date=2020-09-29 |archive-date=2020-10-18 |archive-url=https://web.archive.org/web/20201018082637/https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html|url-status=live}}

Spectre has the potential of having a greater impact on cloud providers than Meltdown. Whereas Meltdown allows unauthorized applications to read from privileged memory to obtain sensitive data from processes running on the same cloud server, Spectre can allow malicious programs to induce a hypervisor to transmit the data to a guest system running on top of it.{{cite web |author-last1=Fox-Brewster |author-first1=Thomas |title=Massive Intel Vulnerabilities Just Landed – And Every PC User On The Planet May Need To Update |url=https://www.forbes.com/sites/thomasbrewster/2018/01/03/intel-meltdown-spectre-vulnerabilities-leave-millions-open-to-cyber-attack/ |date=2018-01-03 |website=Forbes |access-date=2018-01-03 |ref=foxbt |url-status=live |archive-url=https://web.archive.org/web/20180103221558/https://www.forbes.com/sites/thomasbrewster/2018/01/03/intel-meltdown-spectre-vulnerabilities-leave-millions-open-to-cyber-attack/ |archive-date=2018-01-03}}

Since Spectre represents a whole class of attacks, most likely, there cannot be a single patch for it. While work is already being done to address special cases of the vulnerability, the original website devoted to Spectre and Meltdown states, "As [Spectre] is not easy to fix, it will haunt us for a long time." At the same time, according to Dell: "No 'real-world' exploits of these vulnerabilities [i.e., Meltdown and Spectre] have been reported to date [7 February 2018], though researchers have produced proof-of-concepts."{{cite web |url=http://www.dell.com/support/article/us/en/19/sln308587/microprocessor-side-channel-vulnerabilities-cve-2017-5715-cve-2017-5753-cve-2017-5754-impact-on-dell-products |title=Microprocessor Side-Channel Vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell products |date=2018-02-07 |work=Dell |access-date=2018-02-11 |archive-date=2018-01-27 |archive-url=https://web.archive.org/web/20180127004605/http://www.dell.com/support/article/us/en/19/sln308587/microprocessor-side-channel-vulnerabilities-cve-2017-5715-cve-2017-5753-cve-2017-5754-impact-on-dell-products |url-status=live }}{{cite web |url=http://www.dell.com/support/contents/us/en/19/article/product-support/self-support-knowledgebase/software-and-downloads/support-for-meltdown-and-spectre |title=Meltdown and Spectre Vulnerabilities |date=2018-02-07 |work=Dell |access-date=2018-02-11 |archive-date=2018-03-05 |archive-url=https://web.archive.org/web/20180305000921/http://www.dell.com/support/contents/us/en/19/article/product-support/self-support-knowledgebase/software-and-downloads/support-for-meltdown-and-spectre |url-status=live }}

Several procedures to help protect home computers and related devices from the vulnerability have been published. Spectre patches have been reported to significantly slow down performance, especially on older computers; on the eighth generation Core platforms, benchmark performance drops of 2–14 percent have been measured.{{cite web |url=https://www.pcworld.com/article/3245742/components-processors/microsoft-tests-show-spectre-patches-drag-down-performance-on-older-pcs.html |title=Microsoft tests show Spectre patches drag down performance on older PCs |author-last=Hachman |author-first=Mark |date=2018-01-09 |work=PC World |access-date=2018-01-09 |archive-date=2018-02-09 |archive-url=https://web.archive.org/web/20180209120423/https://www.pcworld.com/article/3245742/components-processors/microsoft-tests-show-spectre-patches-drag-down-performance-on-older-pcs.html |url-status=live }}{{cite web |url=https://www.bbc.com/news/technology-42562303 |title=Computer chip scare: What you need to know |date=2018-01-04 |work=BBC News |access-date=2018-01-04 |archive-date=2020-10-11 |archive-url=https://web.archive.org/web/20201011235525/https://www.bbc.com/news/technology-42562303 |url-status=live }}{{Cite news |url=https://www.theverge.com/2018/1/3/16846540/intel-processor-security-flaw-bug-response |title=Intel says processor bug isn't unique to its chips and performance issues are 'workload-dependent' |work=The Verge |access-date=2018-01-04 |archive-date=2018-01-03 |archive-url=https://web.archive.org/web/20180103223052/https://www.theverge.com/2018/1/3/16846540/intel-processor-security-flaw-bug-response |url-status=live }}{{cite news |author-last=Larabel |author-first=Michael |title=Benchmarking AMD FX vs. Intel Sandy/Ivy Bridge CPUs Following Spectre, Meltdown, L1TF, Zombieload |url=https://www.phoronix.com/scan.php?page=article&item=sandy-fx-zombieload&num=1 |date=24 May 2019 |work=Phoronix |access-date=25 May 2019 |archive-date=2019-06-01 |archive-url=https://web.archive.org/web/20190601164746/https://www.phoronix.com/scan.php?page=article&item=sandy-fx-zombieload&num=1 |url-status=live }} On 18 January 2018, unwanted reboots, even for newer Intel chips, due to Meltdown and Spectre patches, were reported.

In early January 2018, Chris Hoffman of the website HowToGeek suggested that the fix would require "a complete hardware redesign for CPUs across the board" and noted how, once software fixes were released, benchmarks showed and vendors claimed that some users may notice slowdowns on their computers once patched.{{cite web |url=https://www.howtogeek.com/338269/a-huge-intel-security-hole-could-slow-down-your-pc-soon/ |title=How Will the Meltdown and Spectre Flaws Affect My PC? |website=How-To Geek |date=4 January 2018 |access-date=2018-01-06 |archive-date=2018-01-20 |archive-url=https://web.archive.org/web/20180120014050/https://www.howtogeek.com/338269/a-huge-intel-security-hole-could-slow-down-your-pc-soon/ |url-status=live |first=Chris |last=Hoffman}}

As early as 2018, machine learning has been employed to detect attacks in real time.{{Cite book |last1=Mirbagher-Ajorpaz |first1=Samira |last2=Pokam |first2=Gilles |last3=Mohammadian-Koruyeh |first3=Esmaeil |last4=Garza |first4=Elba |last5=Abu-Ghazaleh |first5=Nael |last6=Jimenez |first6=Daniel A. |title=2020 53rd Annual IEEE/ACM International Symposium on Microarchitecture (MICRO) |chapter=PerSpectron: Detecting Invariant Footprints of Microarchitectural Attacks with Perceptron |date=1 October 2020 |chapter-url=https://ieeexplore.ieee.org/document/9251956 |location=Athens, Greece |publisher=IEEE |pages=1124–1137 |doi=10.1109/MICRO50266.2020.00093 |isbn=978-1-7281-7383-2 |s2cid=222334633 |access-date=2023-03-13 |archive-date=2022-12-10 |archive-url=https://web.archive.org/web/20221210021124/https://ieeexplore.ieee.org/document/9251956/ |url-status=live }} This has led to an arms race where attackers also employ machine learning to thwart machine learning based detectors, and detectors in turn employ Generative Adversarial Networks to adapt detection techniques.{{Cite book |last1=Mirbagher Ajorpaz |first1=Samira |last2=Moghimi |first2=Daniel |last3=Collins |first3=Jeffrey Neal |last4=Pokam |first4=Gilles |last5=Abu-Ghazaleh |first5=Nael |last6=Tullsen |first6=Dean |title=2022 55th IEEE/ACM International Symposium on Microarchitecture (MICRO) |chapter=EVAX: Towards a Practical, Pro-active & Adaptive Architecture for High Performance & Security |date=1 October 2022 |chapter-url=https://ieeexplore.ieee.org/document/9923878 |location=Chicago, IL, USA |publisher=IEEE |pages=1218–1236 |doi=10.1109/MICRO56248.2022.00085 |isbn=978-1-6654-6272-3 |s2cid=253123810 |access-date=2023-03-13 |archive-date=2022-11-07 |archive-url=https://web.archive.org/web/20221107163258/https://ieeexplore.ieee.org/document/9923878 |url-status=live }}

On 4 January 2018, Google detailed a new technique on their security blog called "Retpoline" (a portmanteau of return and trampoline){{cite web |title=Intel Analysis of Speculative Execution Side Channels |type=White Paper |number=336983–001 |version=Revision 1.0 |date=January 2018 |publisher=Intel |page=5 |url=https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/Intel-Analysis-of-Speculative-Execution-Side-Channels.pdf |access-date=2018-01-11 |url-status=live |archive-url=https://web.archive.org/web/20180501130531/https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/Intel-Analysis-of-Speculative-Execution-Side-Channels.pdf |archive-date=2018-05-01 |quote=second technique introduces the concept of a "return trampoline", also known as "retpoline"}} which can overcome the Spectre vulnerability with a negligible amount of processor overhead. It involves compiler-level steering of indirect branches towards a different target that does not result in a vulnerable speculative out-of-order execution taking place.{{cite web |url=https://security.googleblog.com/2018/01/more-details-about-mitigations-for-cpu_4.html |title=More details about mitigations for the CPU Speculative Execution issue |url-status=live |archive-url=https://web.archive.org/web/20180105022207/https://security.googleblog.com/2018/01/more-details-about-mitigations-for-cpu_4.html |archive-date=2018-01-05}}{{cite web |url=https://tech.slashdot.org/story/18/01/04/2230207/google-says-cpu-patches-cause-negligible-impact-on-performance-with-new-retpoline-technique#comments |title=Google Says CPU Patches Cause 'Negligible Impact On Performance' With New 'Retpoline' Technique |website=tech.slashdot.org |date=4 January 2018 |access-date=2018-01-05 |archive-date=2018-04-08 |archive-url=https://web.archive.org/web/20180408152919/https://tech.slashdot.org/story/18/01/04/2230207/google-says-cpu-patches-cause-negligible-impact-on-performance-with-new-retpoline-technique#comments |url-status=live }} While it was developed for the x86 instruction set, Google engineers believe the technique is transferable to other processors as well.{{cite web |url=https://support.google.com/faqs/answer/7625886 |title=Retpoline: a software construct for preventing branch-target-injection – Google Help |author-first=Paul |author-last=Turner |website=support.google.com |url-status=live |archive-url=https://web.archive.org/web/20180105030824/https://support.google.com/faqs/answer/7625886 |archive-date=2018-01-05}}

On 25 January 2018, the current status and possible future considerations in solving the Meltdown and Spectre vulnerabilities were presented.{{cite web |url=https://www.pcworld.com/article/3251171/components-processors/intels-plan-to-fix-meltdown-in-silicon-raises-more-questions-than-answers.html |title=Intel's plan to fix Meltdown in silicon raises more questions than answers – But what silicon?!! Be sure and read the questions Wall Street should have asked. |author-last=Hachman |author-first=Mark |date=2018-01-25 |work=PC World |access-date=2018-01-26 |archive-date=2018-03-12 |archive-url=https://web.archive.org/web/20180312012223/https://www.pcworld.com/article/3251171/components-processors/intels-plan-to-fix-meltdown-in-silicon-raises-more-questions-than-answers.html |url-status=live }}

In March 2018, Intel announced that they had developed hardware fixes for Meltdown and Spectre-V2 only, but not Spectre-V1. The vulnerabilities were mitigated by a new partitioning system that improves process and privilege-level separation.{{Cite web |author-last=Smith |author-first=Ryan |title=Intel Publishes Spectre & Meltdown Hardware Plans: Fixed Gear Later This Year |url=https://www.anandtech.com/show/12533/intel-spectre-meltdown |date=2018-03-15 |work=AnandTech |access-date=2018-03-20 |url-status=live |archive-url=https://web.archive.org/web/20180504075207/https://www.anandtech.com/show/12533/intel-spectre-meltdown |archive-date=2018-05-04}}

On 8 October 2018, Intel is reported to have added hardware and firmware mitigations regarding Spectre and Meltdown vulnerabilities to its Coffee Lake-R processors and onwards.

On 18 October 2018, MIT researchers suggested a new mitigation approach, called DAWG (Dynamically Allocated Way Guard), which may promise better security without compromising performance.{{cite web |author-last=Fingas |author-first=Jon |title=MIT finds a smarter way to fight Spectre-style CPU attacks – DAWG offers more security without a steep performance hit. |url=https://www.engadget.com/2018/10/18/mit-dawg-fights-spectre-attacks/ |date=18 October 2018 |work=engadget.com |access-date=18 October 2018 |archive-date=2018-10-19 |archive-url=https://web.archive.org/web/20181019002253/https://www.engadget.com/2018/10/18/mit-dawg-fights-spectre-attacks/ |url-status=live }}

On 16 April 2019, researchers from UC San Diego and University of Virginia proposed Context-Sensitive Fencing, a microcode-based defense mechanism that surgically injects fences into the dynamic execution stream, protecting against a number of Spectre variants at just 8% degradation in performance.{{cite web |author-last=Taram |author-first=Mohammadkazem |title=Context-Sensitive Fencing: Securing Speculative Execution via Microcode Customization. |url=https://www.cs.virginia.edu/~av6ds/papers/asplos2019.pdf |date=16 April 2019 |access-date=2019-07-21 |archive-date=2024-05-24 |archive-url=https://web.archive.org/web/20240524003122/https://www.cs.virginia.edu/~av6ds/papers/asplos2019.pdf |url-status=live }}

On 26 November 2021, researchers from Texas A&M University and Intel showed that Spectre attack (and other family of transient attacks) cannot be detected by typical antivirus or anti-malware software currently available, before they leak data. Especially, they show that it is easy to generate evasive versions of these attacks to build malware instead of their generic gadgets to bypass current antivirus applications. It was shown that this is due to the fact that these attacks can leak data using transient instructions that never get committed during a very short transient window and so are not visible from architecture layer (software) before leakage, but they are visible in microarchitecture layer (hardware). Additionally, software is limited to monitor four Hardware Performance Counters (HPCs) every 100 ns, which makes it difficult and almost impossible to collect information about malicious activity correlated with these attacks from software using antivirus applications before they can leak data.

On 20 October 2022, researchers from North Carolina State University, UC San Diego and Intel announced that they were able to design the first detection technology that can detect transient attacks before leakage in the microarchitecture layer (hardware). This was accomplished by building the first machine learning accelerator for security, designed to be built in Intel chips. This technology has a fast speed of sampling activity of transient instructions every 1ns and making predictions every 10 nanoseconds, allowing detection of transient attacks such as Spectre and Meltdown before data leakage occurs, and it automatically enables counter measurements in the chip. This technology is also equipped with adversarial training, making it immune to large category of adversarial and evasive versions of Spectre attack.

When Intel announced that Spectre mitigation can be switched on as a "security feature" instead of being an always-on bugfix, Linux creator Linus Torvalds called the patches "complete and utter garbage".{{cite mailing list |url=https://marc.info/?l=linux-kernel&m=151657056730709&w=2 |title=Re: [RFC 09/10] x86/enter: Create macros to restrict/unrestrict Indirect Branch Speculation |access-date=2018-05-22 |date=2018-01-21 |mailing-list=linux-kernel |author-first=Linus |author-last=Torvalds |author-link=Linus Torvalds |via=marc.info |archive-date=2018-12-12 |archive-url=https://web.archive.org/web/20181212155319/https://marc.info/?l=linux-kernel&m=151657056730709&w=2 |url-status=live }}[https://lwn.net/Articles/743019/ IBRS patch series] {{Webarchive|url=https://web.archive.org/web/20180119235031/https://lwn.net/Articles/743019/ |date=2018-01-19 }}, Intel, 2018-01-04. Ingo Molnár then suggested the use of function tracing machinery in the Linux kernel to fix Spectre without Indirect Branch Restricted Speculation (IBRS) microcode support. This would, as a result, only have a performance impact on processors based on Intel Skylake and newer architecture.{{Cite news |last1=Claburn |first1=Thomas |last2=Hall |first2=Kat |date=2018-01-22 |title='WHAT THE F*CK IS GOING ON?' Linus Torvalds explodes at Intel spinning Spectre fix as a security feature |language=en |work=The Register |url=https://www.theregister.com/2018/01/22/intel_spectre_fix_linux/ |access-date=2023-07-22 |archive-date=2023-07-22 |archive-url=https://web.archive.org/web/20230722000940/https://www.theregister.com/2018/01/22/intel_spectre_fix_linux/ |url-status=live }}[https://lkml.org/lkml/2018/1/23/25 Molnar suggesting to use function tracing] {{Webarchive|url=https://web.archive.org/web/20180125195151/https://lkml.org/lkml/2018/1/23/25 |date=2018-01-25 }}, [https://lkml.org/lkml/2018/1/23/105 Re: [RFC 09/10] x86/enter: Create macros to restrict/unrestrict Indirect Branch Speculation] {{Webarchive|url=https://web.archive.org/web/20180124195650/https://lkml.org/lkml/2018/1/23/105 |date=2018-01-24 }}, Ingo Molnar, 2018-01-23. This ftrace and retpoline-based machinery was incorporated into Linux 4.15 of January 2018.{{cite web |title=Linux 4.15 |url=https://kernelnewbies.org/Linux_4.15 |website=KernelNewbies |access-date=2020-07-09 |archive-date=2020-07-17 |archive-url=https://web.archive.org/web/20200717050236/https://kernelnewbies.org/Linux_4.15 |url-status=live }} The Linux kernel provides a sysfs interface to enumerate the current status of the system regarding Spectre in /sys/devices/system/cpu/vulnerabilities/

On 2 March 2019, Microsoft is reported to have released an important Windows 10 (v1809) software mitigation to the Spectre v2 CPU vulnerability.{{cite news |author-last=Cimnpanu |author-first=Catalin |title=Microsoft rolls out Google's Retpoline Spectre mitigation to Windows 10 users - KB4482887, released today, enables Google's Retpoline mitigation in the Windows 10 kernel (only for v1809 users). |url=https://www.zdnet.com/article/microsoft-rolls-out-googles-retpoline-spectre-mitigation-to-windows-10-users/ |date=2 March 2019 |work=ZDNet |access-date=2 March 2019 |archive-date=2019-03-02 |archive-url=https://web.archive.org/web/20190302210923/https://www.zdnet.com/article/microsoft-rolls-out-googles-retpoline-spectre-mitigation-to-windows-10-users/ |url-status=live }}

{{outdated section|date=February 2019}}

Several procedures to help protect home computers and related devices from the vulnerability have been published.{{cite news |author-last1=Metz |author-first1=Cade |author-last2=Chen |author-first2=Brian X. |title=What You Need to Do Because of Flaws in Computer Chips |url=https://www.nytimes.com/2018/01/04/technology/meltdown-spectre-questions.html |date=2018-01-04 |work=The New York Times |access-date=2018-01-05 |archive-date=2018-01-06 |archive-url=https://web.archive.org/web/20180106155009/https://www.nytimes.com/2018/01/04/technology/meltdown-spectre-questions.html |url-status=live }}{{cite web |author-last=Pressman |author-first=Aaron |title=Why Your Web Browser May Be Most Vulnerable to Spectre and What to Do About It |url=http://fortune.com/2018/01/05/spectre-safari-chrome-firefox-internet-explorer/ |date=2018-01-05 |work=Fortune |access-date=2018-01-05 |archive-date=2018-01-10 |archive-url=https://web.archive.org/web/20180110161156/http://fortune.com/2018/01/05/spectre-safari-chrome-firefox-internet-explorer/ |url-status=live }}{{cite web |author-last=Chacos |author-first=Brad |title=How to protect your PC from the major Meltdown and Spectre CPU flaws |url=https://www.pcworld.com/article/3245810/security/how-to-protect-your-pc-meltdown-spectre-cpu-flaws.html |date=2018-01-04 |work=PC World |access-date=2018-01-04 |url-status=live |archive-url=https://web.archive.org/web/20180104231745/https://www.pcworld.com/article/3245810/security/how-to-protect-your-pc-meltdown-spectre-cpu-flaws.html |archive-date=2018-01-04}}{{cite web |author-last=Elliot |author-first=Matt |title=Security – How to protect your PC against the Intel chip flaw – Here are the steps to take to keep your Windows laptop or PC safe from Meltdown and Spectre. |url=https://www.cnet.com/how-to/how-to-protect-your-pc-against-the-intel-chip-flaw/ |date=2018-01-04 |work=CNET |access-date=2018-01-04 |url-status=live |archive-url=https://web.archive.org/web/20180104225045/https://www.cnet.com/how-to/how-to-protect-your-pc-against-the-intel-chip-flaw/ |archive-date=2018-01-04}}

Initial mitigation efforts were not entirely without incident. At first, Spectre patches were reported to significantly slow down performance, especially on older computers. On the eighth generation Core platforms, benchmark performance drops of 2–14 percent were measured. On 18 January 2018, unwanted reboots were reported even for newer Intel chips.{{cite web |author-last=Tung |author-first=Liam |title=Meltdown-Spectre: Intel says newer chips also hit by unwanted reboots after patch – Intel's firmware fix for Spectre is also causing higher reboots on Kaby Lake and Skylake CPUs. |url=https://www.zdnet.com/article/meltdown-spectre-intel-says-newer-chips-also-hit-by-unwanted-reboots-after-patch/ |date=2018-01-18 |work=ZDNet |access-date=2018-01-18 |archive-date=2018-01-20 |archive-url=https://web.archive.org/web/20180120213941/http://www.zdnet.com/article/meltdown-spectre-intel-says-newer-chips-also-hit-by-unwanted-reboots-after-patch/ |url-status=live }}

Since exploitation of Spectre through JavaScript embedded in websites is possible,{{cite web |author-first1=Paul |author-last1=Kocher |author-link1=Paul Carl Kocher |author-first2=Daniel |author-last2=Genkin |author-first3=Daniel |author-last3=Gruss |author-first4=Werner |author-last4=Haas |author-first5=Mike |author-last5=Hamburg |author-first6=Moritz |author-last6=Lipp |author-first7=Stefan |author-last7=Mangard |author-first8=Thomas |author-last8=Prescher |author-first9=Michael |author-last9=Schwarz |author-first10=Yuval |author-last10=Yarom |title=Spectre Attacks: Exploiting Speculative Execution |url=https://spectreattack.com/spectre.pdf |date=2018 |url-status=live |archive-url=https://web.archive.org/web/20180103225843/https://spectreattack.com/spectre.pdf |archive-date=2018-01-03}} it was planned to include mitigations against the attack by default in Chrome 64. Chrome 63 users could manually mitigate the attack by enabling the site isolation feature (chrome://flags#enable-site-per-process).{{cite web |url=https://support.google.com/faqs/answer/7622138#chrome |title=Google's Mitigations Against CPU Speculative Execution Attack Methods |website=support.google.com |archive-url=https://web.archive.org/web/20180103231642/https://support.google.com/faqs/answer/7622138#chrome |archive-date=2018-01-03 |url-status=live |access-date=2018-01-04}}

As of Firefox 57.0.4, Mozilla was reducing the resolution of JavaScript timers to help prevent timing attacks, with additional work on time-fuzzing techniques planned for future releases.{{cite web |url=https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ |title=Mitigations landing for new class of timing attack |website=Mozilla Security Blog |date=3 January 2018 |access-date=2018-01-04 |url-status=live |archive-url=https://web.archive.org/web/20180104003111/https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ |archive-date=2018-01-04}}

On January 15, 2018, Microsoft introduced mitigation for Spectre in Visual Studio. This can be applied by using the /Qspectre switch. A developer would need to download and install the appropriate libraries using the Visual Studio installer.{{Cite web|date=2018-01-16|title=Spectre mitigations in MSVC|url=https://devblogs.microsoft.com/cppblog/spectre-mitigations-in-msvc/|access-date=2021-01-18|website=C++ Team Blog|language=en-US|archive-date=2024-05-24 |archive-url=https://web.archive.org/web/20240524003105/https://devblogs.microsoft.com/cppblog/spectre-mitigations-in-msvc/|url-status=live}}

{{incomplete list|date=January 2024}}

• ARM:{{Cite web |title=Advisory TFV-6 (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754) |url=https://trustedfirmware-a.readthedocs.io/en/latest/security_advisories/security-advisory-tfv-6.html |website=Trusted Firmware-A 2.10.0 documentation |date=2018-06-07 |access-date=2024-01-23 |archive-date=2024-01-23 |archive-url=https://web.archive.org/web/20240123154717/https://trustedfirmware-a.readthedocs.io/en/latest/security_advisories/security-advisory-tfv-6.html |url-status=live }}
• A55
• A53
• A32
• A7
• A5

• x86:
• Intel Atom N270 / N280
• i486 and older

• Row hammer
• SPOILER (security vulnerability)
• Speculative execution CPU vulnerabilities

{{Reflist|refs=

{{cite web |title=An Update on AMD Processor Security |url=https://www.amd.com/en/corporate/speculative-execution |date=2018 |work=Advanced Micro Devices |access-date=2018-01-04 |url-status=live |archive-url=https://web.archive.org/web/20180104014617/https://www.amd.com/en/corporate/speculative-execution |archive-date=2018-01-04}}

}}

• {{cite web |author-first1=Paul |author-last1=Kocher |author-link1=Paul Carl Kocher |author-first2=Daniel |author-last2=Genkin |author-first3=Daniel |author-last3=Gruss |author-first4=Werner |author-last4=Haas |author-first5=Mike |author-last5=Hamburg |author-first6=Moritz |author-last6=Lipp |author-first7=Stefan |author-last7=Mangard |author-first8=Thomas |author-last8=Prescher |author-first9=Michael |author-last9=Schwarz |author-first10=Yuval |author-last10=Yarom |title=Spectre Attacks: Exploiting Speculative Execution |url=https://spectreattack.com/spectre.pdf |date=2018 |url-status=live |archive-url=https://web.archive.org/web/20180103225843/https://spectreattack.com/spectre.pdf |archive-date=2018-01-03}}
• {{cite web |url=https://bugs.chromium.org/p/project-zero/issues/attachmentText?aid=287305 |title=WRITEUP (59.9 KB) – Project Zero – Monorail |website=bugs.chromium.org}}
• {{cite arXiv |eprint=1811.05441v3 |class=cs.CR |last1=Kiriansky |first1=Vladimir |title=A Systematic Evaluation of Transient Execution Attacks and Defenses |last2=Waldspurger |first2=Carl |last3=Schwarz |first3=Michael |last4=Lipp |first4=Moritz |last5=von Berg |first5=Benjamin |last6=Ortner |first6=Philipp |last7=Piessens |first7=Frank |last8=Evtyushkin |first8=Dmitry |last9=Gruss |first9=Daniel |year=2018 }}

• [https://spectreattack.com Website detailing the Meltdown and Spectre vulnerabilities, hosted by Graz University of Technology]
• [https://googleprojectzero.blogspot.co.at/2018/01/reading-privileged-memory-with-side.html Google Project Zero write-up]
• [https://www.grc.com/inspectre.htm Meltdown/Spectre Checker] Gibson Research Corporation
• [https://github.com/speed47/spectre-meltdown-checker Spectre & Meltdown vulnerability/mitigation checker for Linux]

{{Speculative execution exploits}}

{{Hacking in the 2010s}}

{{Portal bar|Business and economics}}

Category:Transient execution CPU vulnerabilities

Category:2018 in computing

Category:X86 memory management