Mitigating Spectre v1 Attacks in C++

Briefly, nearly all modern CPUs implement some form of speculative execution:

The problem remains that, no matter what CPU advances occur in the future, software must be made secure on the hardware that we currently use.

Example: Issue 1088305, "Hyperthreading disabled when Linux terminal is launched on Chrome OS".

(YouTube video q2pq30JYoDc) The minute the Terminal app is open, four of the cores are immediately disabled.

At the very least it should be possible for programmers to eliminate Spectre variant 1 vulnerabilities once they are discovered.

However, the only way offered by the C++ standard to prevent a Spectre variant 1 vulnerability is to ensure that untrusted inputs never exist in the same address space as secret data. For many applications this is not possible.

Crucially, although an incorrect speculative execution cannot perform I/O or write to main memory, its behavior can still be observed indirectly via a variety of side channels.

C++ programmers will have to apply manual hardening when needed inside these unprotected functions, so we also propose a fine-grained mitigation API at the level of individual branches and variables. (is this Capabilities-based Security? IDK)

This comes at a substantial performance cost, so we expect implementations to provide this as a separate build mode. (For example, MSVC, GCC, and Clang have all implemented such a mode.)

All of the APIs introduced in this document take the form of attributes, since they don't affect the observable behavior of the abstract machine. (from the paper)
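The branch-level manual hardening described above, as an added example that is not the paper's attribute API (this page does not name it) and not code from the paper: the standard index-masking technique, in the style of the Linux kernel's array_index_nospec, applied to a bounds-checked table lookup. The table, the function names and the sample values are my own constructions.

```cpp
#include <climits>
#include <cstddef>
#include <cstdint>
#include <type_traits>

// Constructed sample data: a small public table. Whatever happens to sit
// past its end in memory plays the role of the secret.
constexpr std::size_t kPublicLen = 8;
static const std::uint8_t kPublic[kPublicLen] = {10, 20, 30, 40, 50, 60, 70, 80};

// Unhardened Spectre v1 shape. Architecturally correct, but while the branch
// predictor guesses "in bounds" the CPU may load kPublic[idx] for an
// attacker-chosen out-of-range idx; in a real gadget that byte then feeds a
// second, data-dependent access whose cache footprint is observable.
int load_unhardened(std::size_t idx) {
    if (idx < kPublicLen) {
        return kPublic[idx];
    }
    return -1;  // architectural result for an out-of-range idx
}

// Branchless mask: all ones when idx < len, zero otherwise. Because it is
// computed with arithmetic rather than a branch, it is also correct on a
// misspeculated path. Assumes len < 2^(bits-1), which holds for array sizes.
inline std::size_t index_mask_nospec(std::size_t idx, std::size_t len) {
    using S = std::make_signed_t<std::size_t>;
    S m = ~static_cast<S>(idx | (len - 1 - idx));
    std::size_t mask = static_cast<std::size_t>(m >> (sizeof(S) * CHAR_BIT - 1));
#if defined(__GNUC__) || defined(__clang__)
    // Optimisation barrier: without it the compiler may notice that idx < len
    // already holds at the use site and fold the mask to all ones.
    asm volatile("" : "+r"(mask));
#endif
    return mask;
}

// Hardened: on a misspeculated path the mask collapses idx to 0, so the only
// value a speculative load can produce is the public kPublic[0].
int load_hardened(std::size_t idx) {
    if (idx < kPublicLen) {
        idx &= index_mask_nospec(idx, kPublicLen);
        return kPublic[idx];
    }
    return -1;
}
```

The whole-build modes the text mentions apply this kind of hardening compiler-wide instead of per site; MSVC's /Qspectre and Clang's -mspeculative-load-hardening are two such switches.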


Also see

Mitigating exfiltration in JavaScript Observable Membrane

Mitigating exfiltration in Golang/NodeJS Private Data Objects