2nd/10_Wiki/Topics/Frontend/Spectre.md

id, title, category, status, canonical_id, aliases, duplicate_of, source_trust_level, confidence_score, verification_status, tags, raw_sources, last_reinforced, github_commit, tech_stack

id	title	category	status	canonical_id	aliases	duplicate_of	source_trust_level	confidence_score	verification_status	tags	raw_sources	last_reinforced	github_commit	tech_stack
wiki-2026-0508-spectre	Spectre	10_Wiki/Topics	verified	self	Spectre Attack CVE-2017-5753 CVE-2017-5715 Branch Target Injection	none	A	0.9	applied	security cpu side-channel speculation microarchitecture		2026-05-10	pending	language framework c x86-arm

Spectre

매 한 줄

"매 speculative execution 의 microarchitectural side-effect leak". 2018 Kocher et al. discovery — branch predictor / BTB 를 mistrained 시켜 out-of-bounds load 의 cache footprint 로 secret 을 추출. 2026 현재 Variant 1/2/4 + Retbleed/Inception 등 8년차 ongoing mitigation arms race.

매 핵심

매 Variants

• V1 (Bounds Check Bypass, CVE-2017-5753): speculative array access past bounds.
• V2 (Branch Target Injection, CVE-2017-5715): BTB poisoning — indirect call gadget hijack.
• V4 (Speculative Store Bypass, CVE-2018-3639): store-to-load forwarding misprediction.
• Retbleed (2022): return predictor 의 V2 variant.
• Inception (2023): AMD Zen recursive speculation.

매 Mechanism

• Speculation: CPU executes past branch before resolution.
• Transient window: ~100-200 cycles before rollback.
• Covert channel: cache (Flush+Reload) / port contention / TLB.
• Architectural state: rolled back. Microarchitectural: persists.

매 응용

1. JS sandbox escape (browser → cross-origin memory read).
2. KVM guest → host memory leak.
3. Kernel ASLR break + secret exfiltration.

💻 패턴

V1 gadget (classic)

// Vulnerable: array2 cache state leaks array1[x]
uint8_t array1[16];
uint8_t array2[256 * 4096];

void victim(size_t x) {
    if (x < 16) {                    // mistrained branch
        uint8_t v = array1[x];       // x can be OOB during speculation
        uint8_t leak = array2[v * 4096]; // cache footprint encodes v
    }
}
// Attacker: train with valid x, then call with OOB x,
// flush array2, victim(), then time array2[i*4096] reads.

Flush+Reload primitive

#include <x86intrin.h>

static inline uint64_t rdtsc_serial(void) {
    _mm_lfence();
    uint64_t t = __rdtsc();
    _mm_lfence();
    return t;
}

int probe(volatile uint8_t *addr) {
    uint64_t t0 = rdtsc_serial();
    (void)*addr;
    uint64_t t1 = rdtsc_serial();
    _mm_clflush((void *)addr);
    return (t1 - t0) < CACHE_HIT_THRESHOLD; // ~80 cycles
}

V1 mitigation: lfence barrier

void victim_safe(size_t x) {
    if (x < 16) {
        _mm_lfence();                // serialize — block speculation
        uint8_t v = array1[x];
        uint8_t leak = array2[v * 4096];
    }
}
// Cost: ~30-50% perf hit. 매 array_index_nospec() 의 Linux kernel 사용.

V1 mitigation: index masking

// Linux kernel array_index_nospec
static inline size_t mask_idx(size_t idx, size_t sz) {
    size_t mask = ~(idx >= sz ? ~0UL : 0);
    return idx & mask;               // 0 if OOB, idx otherwise — branchless
}

void victim_masked(size_t x) {
    if (x < 16) {
        x = mask_idx(x, 16);
        uint8_t v = array1[x];
        uint8_t leak = array2[v * 4096];
    }
}

V2 mitigation: retpoline

; Replace `jmp *%rax` with retpoline trampoline
retpoline:
    call    set_up_target
capture:
    pause
    lfence
    jmp     capture                  ; speculation trap
set_up_target:
    mov     %rax, (%rsp)             ; overwrite return addr
    ret                              ; predictor uses RSB, not BTB

Browser mitigation: timer coarsening

// performance.now() resolution reduced from 5μs → 100μs (Chrome 2018+).
// Cross-origin isolation (COOP+COEP) required for SharedArrayBuffer.
performance.now(); // 1234.1 (was 1234.123456)

// SharedArrayBuffer gated on:
//   Cross-Origin-Opener-Policy: same-origin
//   Cross-Origin-Embedder-Policy: require-corp

Site Isolation (Chrome)

- Each origin → separate renderer process.
- OS-level memory boundary blocks Spectre cross-origin reads.
- Cost: +10-20% memory.
- Partial Site Isolation on Android (resource-constrained).

매 결정 기준

상황	Approach
Kernel hot-path bounds check	array_index_nospec (mask)
Indirect call (kernel/hypervisor)	Retpoline + IBRS/eIBRS
JS engine bounds check	index masking + speculation barrier
Browser cross-origin	Site Isolation + COOP/COEP + timer coarsening
Embedded / no MMU	accept risk, no speculation typically

기본값: hardware mitigation (eIBRS, IBPB, BHI_DIS_S) on by default + retpoline + array_index_nospec on hot paths.

🔗 Graph

• 부모: Side-channel Attack
• 변형: Spectre
• 응용: Speculative Execution
• Adjacent: Cache Timing Attack · Timing Attack

🤖 LLM 활용

언제: explaining microarchitectural attacks, kernel mitigation review, browser sandbox design, audit speculation gadgets. 언제 X: high-level web app security (XSS/CSRF) — Spectre 의 ~irrelevant in app layer; OS+browser handle it.

❌ 안티패턴

• lfence everywhere: 30-50% perf hit. Use array_index_nospec mask instead.
• Disable speculation entirely: 5-10x slowdown. Never deploy.
• Trust performance.now() resolution alone: SharedArrayBuffer 의 still risk without COOP/COEP.
• Ignore V2 retpoline 의 ROP risk: RSB stuffing required on context switch.

🧪 검증 / 중복

• Verified (Kocher et al. 2018 paper, Intel/AMD security advisories, Linux kernel Documentation/admin-guide/hw-vuln/).
• 신뢰도 A.

🕓 Changelog

날짜	변경
2026-05-08	Phase 1
2026-05-10	Manual cleanup — full canonical (V1/V2/V4 + retpoline/lfence/mask + browser isolation)