Spectre
Spectre is a 2018 attack that abuses branch prediction and speculative execution to read memory the attacker shouldn’t be able to touch. It was disclosed January 2018 alongside Meltdown. From ECE459 L07.
Why?
A mispredicted branch still runs: the CPU speculatively executes down the wrong path and only rolls back the architectural state when it figures out the mistake. Cache state is not rolled back. If the wrong-path code touches a secret and uses it to index a probe array, the secret leaks through the cache even though the instructions never officially ran.
Mechanism (variant 1, bounds-check bypass). The victim has code like if (i < array1_len) y = array2[array1[i] * 64]. The attacker first calls it with valid i to train the predictor into “taken”, then calls it with i out of bounds. The CPU speculatively reads past the bounds, uses the out-of-bounds byte to index array2, and pulls one line of array2 into the cache; timing array2 reveals the byte.
Mechanism (variant 2, branch target injection). The attacker poisons the indirect-branch predictor so a victim’s indirect jump speculates into gadget code of the attacker’s choice. That gadget reads a secret and leaks it through the cache the same way.
Fix. Much harder than Meltdown because the underlying feature (speculation) is load-bearing for performance. Mitigations include compiler barriers like lfence after bounds checks, retpolines for indirect branches, and hardware features like IBRS/IBPB; all cost performance.