Spectre 1 

What does it target?

It targets branch prediction and speculative execution features.

Who is impacted?

Anyone using Intel, AMD, and ARM CPUs... in short, everyone.

What's the risk?

Spectre breaks the isolation between programs, enabling an attacker to get well-behaved programs to disclose data. It allows information to be pulled from a running process: the victim process is induced to perform operations it would not normally perform, and those operations can leak information via a side channel.

What does it need to hit you?

It needs to be able to execute code on your machine. This can reportedly be done through JavaScript code, but I have yet to see it in the wild, and many browsers have patches to prevent this. They prevent it by randomizing the response time from the cache, thus preventing data disclosure via the high-precision timing attack.


Brief Description

The exact flow of Spectre’s execution is still something I am trying to understand fully. What I do know is that the two CPU features used in the exploit are:

Speculative Execution: This is where the CPU executes commands out of order, so a later command that has no previous dependencies can be executed with the result stored in cache until it is required. This reduces idle time of the CPU and allows code to execute faster than if it was executed sequentially.

Branch Prediction: Most code contains decision trees, the common IF statement being the one that comes to mind. To execute code out of order when it has a previous dependency that has not yet been met, such as a user authenticating as an administrator, the CPU uses a branch predictor that is trained to guess which branch of the decision tree will be followed. That branch is speculatively executed, with the result stored in the cache for later use.

By combining these two features and mistraining the branch predictor (to assume you will successfully authenticate) with a precise timing side-channel attack, similar to how we pulled the data from the cache in our Meltdown run-through, we are able to interact with the process and exfiltrate information.

Robotron’s blog has an interesting explanation of how this works.
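To make the IF-statement case concrete from the defender's side, here is an added example (not from the original post or any project) showing a bounds-checked table read next to a hardened version that clamps the index with a branch-free mask, so a mispredicted check cannot steer the load outside the table. The table, function names and sizes are assumptions made for illustration, and index masking is a mitigation this post does not itself cover.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data; all names here are illustrative assumptions. */
#define TABLE_LEN 16
static const uint8_t table[TABLE_LEN] = {
    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25
};

/* Before: the bounds check is a conditional branch. A predictor trained on
 * in-range calls may guess "in range", so the load can run speculatively
 * with an out-of-range idx before the comparison resolves. */
int read_checked(size_t idx, uint8_t *out)
{
    if (idx >= TABLE_LEN)
        return -1;
    *out = table[idx];
    return 0;
}

/* All-ones when idx < len, zero otherwise, computed from data rather than
 * from a branch outcome. Valid for len <= SIZE_MAX / 2 + 1. */
size_t index_mask(size_t idx, size_t len)
{
    size_t top = (idx | (len - 1 - idx)) >> (sizeof(size_t) * CHAR_BIT - 1);
    return (size_t)0 - (top ^ 1);
}

/* After: the index is clamped by the mask, so even on a mispredicted path
 * the load address stays inside the table (out-of-range idx becomes 0).
 * A compiler may still turn the arithmetic back into a branch; production
 * code relies on vetted primitives or a speculation barrier instead. */
int read_hardened(size_t idx, uint8_t *out)
{
    if (idx >= TABLE_LEN)
        return -1;
    idx &= index_mask(idx, TABLE_LEN);
    *out = table[idx];
    return 0;
}

int main(void)
{
    uint8_t v = 0;
    printf("rc=%d mask=%zx\n", read_hardened(99, &v), index_mask(99, TABLE_LEN));
    return 0;
}
```

Both functions return the same results architecturally; the difference is only in which address the load can use while the bounds check is still unresolved.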
