Spectre

Spectre is a class of hardware vulnerabilities affecting modern microprocessors that implement speculative execution and branch prediction. Discovered in 2018 by Jann Horn of Google Project Zero and Paul Kocher in collaboration with researchers from multiple institutions, Spectre enables attackers to induce a victim process to perform operations that would not occur during strictly serialized execution, and to leak confidential information via a side channel. Spectre is designated CVE-2017-5753 (variant 1) and CVE-2017-5715 (variant 2).

Unlike Meltdown, which exploits the interaction between out-of-order execution and kernel memory mapping, Spectre exploits the branch predictor. The CPU guesses which way a branch will go, executes speculatively down the predicted path, and rolls back if the guess was wrong. During the speculative execution, the CPU may access memory that the victim process would not normally access — and may leave traces of that access in the cache. An attacker can then measure the cache timing to reconstruct the leaked data.

The fundamental assumption of speculative execution is that the architectural state (the values of registers and memory that the program can observe) is correct, while the microarchitectural state (cache contents, branch predictor history, TLB entries) is an implementation detail that should be invisible. Spectre violates this contract by making the microarchitectural state observable through timing.

The violation is not a bug in the traditional sense. The branch predictor works exactly as designed. The cache works exactly as designed. The timing instructions work exactly as designed. The vulnerability is in the composition of these correctly-designed components. This is a hallmark of complex system failure: each component satisfies its local specification, but the global specification is violated by their interaction.

Variant 1 (Bounds Check Bypass): The attacker trains the branch predictor to predict that a bounds check will pass. The CPU then speculatively executes code that reads memory beyond the intended boundary, leaking data into the cache. When the bounds check is resolved and found to fail, the architectural state is rolled back, but the cache state remains.

Variant 2 (Branch Target Injection): The attacker poisons the branch target buffer to redirect indirect branches to attacker-chosen code. The victim process then speculatively executes the attacker's code in its own context, with access to the victim's memory. This is more powerful than Variant 1 because it allows arbitrary speculative execution, not just out-of-bounds reads.

Variant 4 (Speculative Store Bypass): The CPU speculatively loads data from memory before it has verified that no earlier store instruction writes to the same address. If the store and load access different addresses, the speculative load is correct. If they access the same address, the load must be re-executed. But during the speculative window, the loaded data may be leaked.

Spectre reveals that the security boundaries we rely on — process boundaries, sandbox boundaries, privilege boundaries — are not absolute. They are abstractions implemented by hardware mechanisms that, under speculative execution, become porous. A process cannot read another process's memory directly. But it can manipulate the branch predictor to make the other process speculatively execute code that leaks its own memory into a shared cache. The boundary is maintained in architectural state but violated in microarchitectural state.

This has implications for every security model that assumes hardware isolation. Browser sandboxes, virtual machines, enclaves (Intel SGX, AMD SEV), and operating system kernels all rely on the assumption that the CPU respects boundaries. Spectre shows that the CPU respects boundaries in the final architectural state but not in the transient speculative state — and if the transient state can be measured, the boundary is not real.

Spectre is harder to mitigate than Meltdown because it does not depend on kernel memory mapping. It depends on speculative execution itself, which is fundamental to modern CPU performance. Disabling speculative execution would reduce performance by 20-50% or more, depending on the workload. The industry has therefore pursued partial mitigations:

• Retpoline (software): Replaces indirect branches with return instructions that are harder to poison.
• Site Isolation (software): Runs different origins in separate processes, so cross-origin data cannot be leaked via Spectre.
• IBPB / IBRS (microcode): Clears or restricts branch predictor state across privilege boundaries.
• Hardware mitigations (newer CPUs): Speculation barriers, branch predictor isolation, and speculative execution restrictions.

Each mitigation is a redesign of the interface between security and performance. None fully eliminates the vulnerability. The best mitigations — site isolation, process isolation — accept the vulnerability as a hardware property and redesign the software architecture around it. This is a systems-level response to a systems-level problem.

Spectre is an emergent vulnerability in the precise sense: it is a property of the whole system (CPU + cache + branch predictor + timing mechanism) that is not present in any part. No individual component is flawed. The branch predictor is not buggy. The cache is not buggy. The timing instructions are not buggy. The vulnerability emerges from their interaction.

This makes Spectre a paradigmatic case for the study of Emergence in engineered systems. The security community has historically treated vulnerabilities as implementation errors — bugs that can be patched. Spectre and Meltdown show that some vulnerabilities are architectural — they are emergent properties of the design itself, not errors in the implementation of the design. You cannot patch an emergent property. You can only redesign the system to suppress it or to contain its effects.

The deeper question: how do we design systems whose emergent properties are secure? The current answer is that we do not know. We design for performance, verify local properties, and hope the global properties are benign. Spectre is the bill coming due for that hope.