--- id: wiki-2026-0508-spectre title: Spectre category: 10_Wiki/Topics status: verified canonical_id: self aliases: [Spectre Attack, CVE-2017-5753, CVE-2017-5715, Branch Target Injection] duplicate_of: none source_trust_level: A confidence_score: 0.9 verification_status: applied tags: [security, cpu, side-channel, speculation, microarchitecture] raw_sources: [] last_reinforced: 2026-05-10 github_commit: pending tech_stack: language: c framework: x86-arm --- # Spectre ## 매 한 줄 > **"매 speculative execution 의 microarchitectural side-effect leak"**. 2018 Kocher et al. discovery — branch predictor / BTB 를 mistrained 시켜 out-of-bounds load 의 cache footprint 로 secret 을 추출. 2026 현재 Variant 1/2/4 + Retbleed/Inception 등 8년차 ongoing mitigation arms race. ## 매 핵심 ### 매 Variants - **V1 (Bounds Check Bypass, CVE-2017-5753)**: speculative array access past bounds. - **V2 (Branch Target Injection, CVE-2017-5715)**: BTB poisoning — indirect call gadget hijack. - **V4 (Speculative Store Bypass, CVE-2018-3639)**: store-to-load forwarding misprediction. - **Retbleed (2022)**: return predictor 의 V2 variant. - **Inception (2023)**: AMD Zen recursive speculation. ### 매 Mechanism - **Speculation**: CPU executes past branch before resolution. - **Transient window**: ~100-200 cycles before rollback. - **Covert channel**: cache (Flush+Reload) / port contention / TLB. - **Architectural state**: rolled back. Microarchitectural: persists. ### 매 응용 1. JS sandbox escape (browser → cross-origin memory read). 2. KVM guest → host memory leak. 3. Kernel ASLR break + secret exfiltration. ## 💻 패턴 ### V1 gadget (classic) ```c // Vulnerable: array2 cache state leaks array1[x] uint8_t array1[16]; uint8_t array2[256 * 4096]; void victim(size_t x) { if (x < 16) { // mistrained branch uint8_t v = array1[x]; // x can be OOB during speculation uint8_t leak = array2[v * 4096]; // cache footprint encodes v } } // Attacker: train with valid x, then call with OOB x, // flush array2, victim(), then time array2[i*4096] reads. ``` ### Flush+Reload primitive ```c #include static inline uint64_t rdtsc_serial(void) { _mm_lfence(); uint64_t t = __rdtsc(); _mm_lfence(); return t; } int probe(volatile uint8_t *addr) { uint64_t t0 = rdtsc_serial(); (void)*addr; uint64_t t1 = rdtsc_serial(); _mm_clflush((void *)addr); return (t1 - t0) < CACHE_HIT_THRESHOLD; // ~80 cycles } ``` ### V1 mitigation: lfence barrier ```c void victim_safe(size_t x) { if (x < 16) { _mm_lfence(); // serialize — block speculation uint8_t v = array1[x]; uint8_t leak = array2[v * 4096]; } } // Cost: ~30-50% perf hit. 매 array_index_nospec() 의 Linux kernel 사용. ``` ### V1 mitigation: index masking ```c // Linux kernel array_index_nospec static inline size_t mask_idx(size_t idx, size_t sz) { size_t mask = ~(idx >= sz ? ~0UL : 0); return idx & mask; // 0 if OOB, idx otherwise — branchless } void victim_masked(size_t x) { if (x < 16) { x = mask_idx(x, 16); uint8_t v = array1[x]; uint8_t leak = array2[v * 4096]; } } ``` ### V2 mitigation: retpoline ```asm ; Replace `jmp *%rax` with retpoline trampoline retpoline: call set_up_target capture: pause lfence jmp capture ; speculation trap set_up_target: mov %rax, (%rsp) ; overwrite return addr ret ; predictor uses RSB, not BTB ``` ### Browser mitigation: timer coarsening ```js // performance.now() resolution reduced from 5μs → 100μs (Chrome 2018+). // Cross-origin isolation (COOP+COEP) required for SharedArrayBuffer. performance.now(); // 1234.1 (was 1234.123456) // SharedArrayBuffer gated on: // Cross-Origin-Opener-Policy: same-origin // Cross-Origin-Embedder-Policy: require-corp ``` ### Site Isolation (Chrome) ```text - Each origin → separate renderer process. - OS-level memory boundary blocks Spectre cross-origin reads. - Cost: +10-20% memory. - Partial Site Isolation on Android (resource-constrained). ``` ## 매 결정 기준 | 상황 | Approach | |---|---| | Kernel hot-path bounds check | array_index_nospec (mask) | | Indirect call (kernel/hypervisor) | Retpoline + IBRS/eIBRS | | JS engine bounds check | index masking + speculation barrier | | Browser cross-origin | Site Isolation + COOP/COEP + timer coarsening | | Embedded / no MMU | accept risk, no speculation typically | **기본값**: hardware mitigation (eIBRS, IBPB, BHI_DIS_S) on by default + retpoline + array_index_nospec on hot paths. ## 🔗 Graph - 부모: [[Side-channel Attack]] - 변형: [[Spectre|Spectre and Meltdown]] - 응용: [[Speculative Execution]] - Adjacent: [[Cache Timing Attack]] · [[Timing Attack]] ## 🤖 LLM 활용 **언제**: explaining microarchitectural attacks, kernel mitigation review, browser sandbox design, audit speculation gadgets. **언제 X**: high-level web app security (XSS/CSRF) — Spectre 의 ~irrelevant in app layer; OS+browser handle it. ## ❌ 안티패턴 - **lfence everywhere**: 30-50% perf hit. Use array_index_nospec mask instead. - **Disable speculation entirely**: 5-10x slowdown. Never deploy. - **Trust performance.now() resolution alone**: SharedArrayBuffer 의 still risk without COOP/COEP. - **Ignore V2 retpoline 의 ROP risk**: RSB stuffing required on context switch. ## 🧪 검증 / 중복 - Verified (Kocher et al. 2018 paper, Intel/AMD security advisories, Linux kernel `Documentation/admin-guide/hw-vuln/`). - 신뢰도 A. ## 🕓 Changelog | 날짜 | 변경 | |---|---| | 2026-05-08 | Phase 1 | | 2026-05-10 | Manual cleanup — full canonical (V1/V2/V4 + retpoline/lfence/mask + browser isolation) |