Spectre; Meltdown

Project Zero from Google
Spectre Attacks: Exploiting Speculative Execution (Graz); My Narrow Fix
Meltdown (Evanston) Intel specific; My notes; Another nexus (Good FAQ)
Intel Analysis of Speculative Execution Side Channels
I find Intel’s exploit descriptions easiest to understand.

Proposed fix by Google: Retpoline: a software construct for preventing branch-target-injection8j09kk7l

Early Popular Disclosure

Miscellaneous Pointers

(Things I had to look up to understand the exploits)
BPF JIT ⬅︎ WP
eBPF JIT
KVM
SMAP, SMEP
TSX
Strong and Efficient Cache Side-Channel Protection using Hardware Transactional Memory ⬅︎ Flush+Reload
Notes from the Intelpocalypse

Regarding “prefetcher” I quote from Intel® 64 and IA-32 Architectures Optimization Reference Manual

xkcd


Extreme fix??

Mark cache lines that were speculatively loaded. (TLB entries too) Free them upon speculation failure. Sometimes this would actually speed things up.


Orthogonal partial fix:

Make some (all?) of the instructions whose semantics is about cache lines contingent on a bit that only the kernel can set. Architecturally these instructions are all noops. Without the bit set, they are really noops. Only those rare programs with legitimate need for these ops can really execute them. Also limit these ops to addresses to which the program has write access.


My summary