Speculative Execution CPU vulnerabilities stem from a basic design change that was commonly made to computer chips around ten years ago to make them run faster: the chip executes instructions before it actually needs their results. Through a side-channel, that speculation lets applications running on a computer OS learn data held in the machine's privileged CPU memory (various sources).
Intel said "The flaw could make it possible for hackers to see highly sensitive information like passwords and a computer’s encryption keys, which could be used to access encrypted communications."
Via Google's Project Zero. Posted by Jann Horn; has technical details. page
Variant 1: Bounds check bypass
Variant 2: Branch target injection
Variant 2 c/o Project Zero
Variant 1 c/o Project Zero
## Attacking the Kernel
Spectre Attacks: Exploiting Speculative Execution - Kocher et al. page
To be able to actually use this behavior for an attack, an attacker needs to be able to cause the execution of such a vulnerable code pattern in the targeted context with an out-of-bounds index. A minor variant of this could be to instead use an out-of-bounds read to a function pointer to gain control of execution in the mis-speculated path. We did not investigate this variant further.
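To make the "vulnerable code pattern" concrete, here is an added example (not code from the Project Zero post or the Spectre paper) showing the classic bounds-check-bypass gadget beside a hardened version that clamps the index with a branchless mask. The arrays, STRIDE and the sample bytes are constructed for illustration, and index_nospec is our own re-implementation of the idea behind Linux's array_index_nospec(), not the kernel's code.

```c
#include <stddef.h>
#include <stdint.h>

#define ARRAY1_SIZE 16
#define STRIDE 64           /* one cache line per possible byte value */

/* Constructed sample data: array1 is a small bounded buffer; the bytes
   stored after its declared size stand in for data that should never be
   reachable through an array1 index. */
static uint8_t array1[ARRAY1_SIZE + 16] = {
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16,
    /* bytes beyond the declared bounds */
    0x53, 0x45, 0x43, 0x52, 0x45, 0x54, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
static uint8_t array2[256 * STRIDE];

/* The vulnerable pattern the text describes: the bounds check is correct
   architecturally, but the CPU may speculatively execute both loads before
   the comparison resolves, so array2 is touched at a position derived from
   an out-of-bounds array1[x] and the cache state reveals that byte. */
uint8_t victim_vulnerable(size_t x) {
    if (x < ARRAY1_SIZE)
        return array2[array1[x] * STRIDE];
    return 0;
}

/* Branchless clamp: returns index when index < size and 0 otherwise, with
   no conditional branch that could be mis-speculated.  For index < size
   both terms fit below the top bit, so the OR has the top bit clear and
   the arithmetic shift of its complement yields all-ones.  For
   index >= size, (size - 1 - index) wraps and sets the top bit, so the
   mask becomes zero.  Relies on arithmetic right shift of signed values,
   as the kernel's version does. */
static inline size_t index_nospec(size_t index, size_t size) {
    size_t mask = (size_t)(~(intptr_t)(index | (size - 1 - index))
                           >> (sizeof(size_t) * 8 - 1));
    return index & mask;
}

/* Hardened pattern: even on a mis-speculated path, the masked index can
   only address array1[0 .. ARRAY1_SIZE-1]. */
uint8_t victim_hardened(size_t x) {
    if (x < ARRAY1_SIZE) {
        x = index_nospec(x, ARRAY1_SIZE);
        return array2[array1[x] * STRIDE];
    }
    return 0;
}
```

The architectural results of the two functions are identical; the difference is only in what the speculative path is able to load, which is what the attack depends on.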
## Ideas for further research

We believe that our research provides many remaining research topics that we have not yet investigated, and we encourage other public researchers to look into these.
## Ideas for Wiki Security Pod
See Eric Dobbs work on POLA-rized Delegation Chain dynamic diagramming to reveal flow control paths page
Linus Torvalds offers Intel. Read like capabilities-based? page