Speculative Execution CPU Vulnerability

Speculative Execution CPU vulnerabilities stem from a performance optimization that has been standard in mainstream processors for more than two decades, not a recent design change: the CPU guesses the outcome of a branch and runs ahead along the predicted path before the condition is actually resolved. When the guess turns out wrong the architectural results are discarded, but the side effects on the cache are not. An unprivileged application running on the OS can exploit this to infer the contents of privileged kernel memory (or another process's memory) through a cache-timing side channel, without ever being allowed to read that memory directly (various sources).

Intel said "The flaw could make it possible for hackers to see highly sensitive information like passwords and a computer’s encryption keys, which could be used to access encrypted communications."

Via Google's Project Zero: the post by Jann Horn has the technical details. page

Variant 1: Bounds check bypass

Variant 2: Branch target injection

Variant 2 c/o Project Zero

Variant 1 c/o Project Zero

## Attacking the Kernel

Spectre Attacks: Exploiting Speculative Execution - Kocher et al. page

To be able to actually use this behavior for an attack, an attacker needs to be able to cause the execution of such a vulnerable code pattern in the targeted context with an out-of-bounds index. A minor variant of this could be to instead use an out-of-bounds read to a function pointer to gain control of execution in the mis-speculated path. We did not investigate this variant further.
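The "vulnerable code pattern" referred to above is a bounds check followed by a load that depends on the checked index. The following is an added example written for this page, not code from Project Zero or from the Spectre paper: it shows the Variant 1 gadget shape in C next to two hardened forms, a branchless index mask in the style of the Linux kernel's `array_index_mask_nospec()` and a speculation barrier. The names `array1`, `array2`, `victim_vulnerable`, `victim_hardened_mask`, `victim_hardened_fence` and `index_mask_nospec`, and the array contents, are all constructed here. The block demonstrates the gadget and the mitigations' functional behaviour only; it does not perform the cache-timing measurement that turns the gadget into a leak.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed victim data (assumed for this example, not from the page). */
#define ARRAY1_SIZE 16
static uint8_t array1[ARRAY1_SIZE] = {1, 2, 3, 4, 5, 6, 7, 8,
                                      9, 10, 11, 12, 13, 14, 15, 16};
/* Probe array: one cache line (512 bytes here) per possible secret byte value.
 * Which line gets pulled into cache reveals array1[idx]. */
static uint8_t array2[256 * 512];

/* Spectre Variant 1 gadget. The bounds check is architecturally correct, so
 * this function never returns data for an out-of-bounds idx. But after the
 * branch predictor has been trained with in-bounds indices, the CPU may
 * speculatively execute the load with an out-of-bounds idx, touching
 * array2[array1[idx] * 512] and leaving a cache footprint keyed on the secret. */
uint8_t victim_vulnerable(size_t idx) {
    if (idx < ARRAY1_SIZE)
        return array2[array1[idx] * 512];
    return 0;
}

/* Branchless mask in the style of Linux array_index_mask_nospec():
 * all-ones when idx < size, zero otherwise. Because it is computed with
 * arithmetic rather than a branch, speculation cannot skip it.
 * Assumes 0 < size and idx, size both below 2^63. */
static inline size_t index_mask_nospec(size_t idx, size_t size) {
    int64_t v = (int64_t)(idx | (size - 1 - idx));   /* negative iff idx >= size */
    return (size_t)(~v >> 63);                        /* arithmetic shift: 0 or ~0 */
}

/* Index as the hardened victim would see it: unchanged in bounds, 0 otherwise. */
size_t clamped_index(size_t idx) {
    return idx & index_mask_nospec(idx, ARRAY1_SIZE);
}

/* Hardened form 1: even on a mis-speculated path the index is forced to 0,
 * so the dependent load can only touch array2[array1[0] * 512]. */
uint8_t victim_hardened_mask(size_t idx) {
    if (idx < ARRAY1_SIZE) {
        idx = clamped_index(idx);
        return array2[array1[idx] * 512];
    }
    return 0;
}

/* Speculation barrier: on x86 LFENCE waits for all prior instructions
 * (including the bounds-check branch) to resolve before later loads issue.
 * Other architectures need their own barrier (e.g. CSDB on ARMv8). */
static inline void speculation_barrier(void) {
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#endif
}

/* Hardened form 2: serialize the check before the dependent load.
 * Correct but costs a pipeline drain on every call, which is why the
 * masking approach is preferred in hot paths. */
uint8_t victim_hardened_fence(size_t idx) {
    if (idx < ARRAY1_SIZE) {
        speculation_barrier();
        return array2[array1[idx] * 512];
    }
    return 0;
}

int main(void) {
    size_t probes[] = {0, 5, ARRAY1_SIZE - 1, ARRAY1_SIZE, ARRAY1_SIZE + 1000, SIZE_MAX};
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("idx=%zu -> clamped=%zu\n", probes[i], clamped_index(probes[i]));
    return 0;
}
```

The check a reviewer applies to a kernel-style `copy_from_user`/array lookup is the same one shown here: is there any load whose address depends on an attacker-controlled index that is only protected by a preceding conditional branch? If so, the index needs masking or the branch needs a barrier.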

## Ideas for further research

We believe that our research provides many remaining research topics that we have not yet investigated, and we encourage other public researchers to look into these.

We developed a successful variant 1 attack against the JIT engine built into the Linux kernel. It would be interesting to see whether attacks against more advanced JIT engines with less control over the system are also practical - in particular, JavaScript engines.

## Ideas for Wiki Security Pod

See Eric Dobbs' work on POLA-rized Delegation Chain dynamic diagramming to reveal flow control paths page

Linus Torvalds offers Intel. Reads like capabilities-based? page