When the Spectre and Meltdown attacks were disclosed earlier this year, the expectation was that these attacks would be the first of many, as researchers took a closer look at the way that the speculative execution in modern processors could be used to leak sensitive information and undermine the security of software running on those processors. In May, we saw the speculative store bypass, and today we have a new variant on this theme: speculative buffer overflows, discovered by Vladimir Kiriansky at MIT and independent researcher Carl Waldspurger.
All the attacks follow a common set of principles. Each processor has an architectural behavior (the documented behavior that describes how the instructions work and that programmers depend on to write their programs) and a microarchitectural behavior (the way an actual implementation of the architecture behaves). These can diverge in subtle ways. For example, architecturally, a program that loads a value from a particular address in memory will wait until the address is known before trying to perform the load. Microarchitecturally, however, the processor might try to speculatively guess at the address so that it can start loading the value from memory (which is slow) even before it’s absolutely certain of which address it should use.
If the processor guesses wrong, it will ignore the guessed-at value and perform the load again, this time with the correct address. The architecturally defined behavior is thus preserved. But that faulty guess will disturb other parts of the processor—in particular the contents of the cache. These microarchitectural disturbances can be detected and measured, allowing a malicious program to make inferences about the values stored in memory.