Speculative Execution Side Channel
What is Speculative Execution Side Channel?
A microarchitectural vulnerability class where CPUs leak data through caches and predictors after executing instructions speculatively along paths that should not have run.
Speculative-execution side channels exploit a fundamental performance feature of modern CPUs: branch prediction, out-of-order execution, and speculation execute instructions before the architectural state confirms they should run. While transient results are discarded on misprediction, they leave measurable traces in caches, store buffers, and predictors that an attacker can observe via timing oracles. The Spectre family (variant 1, 2, BHI, RSB, Spectre-NG), Meltdown, MDS, L1TF, Foreshadow, and Downfall use this primitive to read protected memory across processes, VMs, browser sandboxes, or enclaves. Mitigations combine microcode updates, retpolines/IBRS, kernel page-table isolation (KPTI), site isolation in browsers, and defensive code patterns.
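As an added defender-side illustration (not code from this page or from any project it names), the C below places the bounds-checked read pattern that the "Spectre v1 array-bounds bypass" refers to next to one of the defensive code patterns the mitigation list mentions: a branchless index clamp in the style of the Linux kernel's array_index_nospec(). The table contents are constructed, the function names are my own, and the clamp's arithmetic assumes that index and size are both below SIZE_MAX / 2 with size at least 1.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample table (not from the page); the values are arbitrary. */
#define TABLE_SIZE 16
static const uint8_t table[TABLE_SIZE] = {
    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25
};

/* Pattern A: a plain bounds-checked read, the shape of the Spectre v1
 * gadget the page refers to. Architecturally it never reads past the
 * table, but once the branch predictor has been trained on in-range
 * indices the load can execute transiently for an out-of-range index
 * before the compare resolves; if that value then feeds a second,
 * address-dependent access, the cache retains a trace of it. */
int lookup_checked(size_t idx, uint8_t *out)
{
    if (idx < TABLE_SIZE) {
        *out = table[idx];
        return 1;
    }
    return 0;
}

/* Branchless index clamp in the style of the Linux kernel's
 * array_index_nospec(): returns idx when idx < size and 0 otherwise,
 * using arithmetic only, so there is no conditional branch for the
 * predictor to mispredict. Precondition (assumption): idx and size
 * both have their top bit clear (below SIZE_MAX / 2) and size >= 1.
 * The kernel uses inline assembly on some architectures to keep this
 * branchless; a C compiler may turn a comparison back into a branch,
 * which is why the expression below avoids one. */
size_t index_nospec(size_t idx, size_t size)
{
    /* (size - 1 - idx) wraps to a top-bit-set value exactly when idx >= size,
     * so top_bit is 1 for out-of-range and 0 for in-range indices. */
    size_t top_bit = (idx | (size - 1 - idx)) >> (sizeof(size_t) * CHAR_BIT - 1);
    size_t mask = top_bit - 1;  /* 0 if out of range, all ones if in range */
    return idx & mask;
}

/* Pattern B: the hardened read. The bounds check still decides the
 * architectural result, but the index used for the load is clamped to
 * 0 on any out-of-range path, so even a mispredicted branch reads a
 * slot inside the table rather than attacker-chosen memory. */
int lookup_nospec(size_t idx, uint8_t *out)
{
    if (idx < TABLE_SIZE) {
        *out = table[index_nospec(idx, TABLE_SIZE)];
        return 1;
    }
    return 0;
}

/* Convenience wrapper: the value at idx via the hardened path, or -1
 * when idx is out of range. */
int nospec_value_or_minus1(size_t idx)
{
    uint8_t v = 0;
    return lookup_nospec(idx, &v) ? (int)v : -1;
}

/* Defender's regression check: the hardening must not change the
 * architectural result for any index. Returns 1 when both lookups
 * agree across in-range, boundary and far out-of-range indices. */
int hardening_preserves_semantics(void)
{
    const size_t probes[] = { 0, 1, 7, TABLE_SIZE - 1, TABLE_SIZE,
                              TABLE_SIZE + 1, 1000, SIZE_MAX / 4 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        uint8_t a = 0, b = 0;
        int ra = lookup_checked(probes[i], &a);
        int rb = lookup_nospec(probes[i], &b);
        if (ra != rb || (ra && a != b))
            return 0;
    }
    return 1;
}

int main(void)
{
    printf("index_nospec(5, 16)    = %zu\n", index_nospec(5, TABLE_SIZE));
    printf("index_nospec(1000, 16) = %zu\n", index_nospec(1000, TABLE_SIZE));
    printf("semantics preserved    = %d\n", hardening_preserves_semantics());
    return 0;
}
```

The clamp does not remove the bounds check; it makes the index fed to the load safe even on the mispredicted path, which is the property a code review should look for wherever an untrusted index selects a memory location that later influences another access.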
● Examples
- Spectre v1 array-bounds bypass leaking kernel data via cache timings.
- Browser-based Spectre PoCs reading cross-origin secrets before Site Isolation.
● Frequently asked questions
What is Speculative Execution Side Channel?
A microarchitectural vulnerability class where CPUs leak data through caches and predictors after executing instructions speculatively along paths that should not have run. It belongs to the Application Security category of cybersecurity.
What does Speculative Execution Side Channel mean?
A microarchitectural vulnerability class where CPUs leak data through caches and predictors after executing instructions speculatively along paths that should not have run.
How does Speculative Execution Side Channel work?
Speculative-execution side channels exploit a fundamental performance feature of modern CPUs: branch prediction, out-of-order execution, and speculation execute instructions before the architectural state confirms they should run. While transient results are discarded on misprediction, they leave measurable traces in caches, store buffers, and predictors that an attacker can observe via timing oracles. The Spectre family (variant 1, 2, BHI, RSB, Spectre-NG), Meltdown, MDS, L1TF, Foreshadow, and Downfall use this primitive to read protected memory across processes, VMs, browser sandboxes, or enclaves. Mitigations combine microcode updates, retpolines/IBRS, kernel page-table isolation (KPTI), site isolation in browsers, and defensive code patterns.
How do you defend against Speculative Execution Side Channel?
Defences against Speculative Execution Side Channel combine the technical controls listed in the definition above (microcode updates, retpolines/IBRS, kernel page-table isolation, browser site isolation, and defensive code patterns) with the operational practice of deploying those updates and configurations consistently.
What are other names for Speculative Execution Side Channel?
Common alternative names include: Spectre-class vulnerability, Transient execution attack.
● Related terms
- Spectre (vulnerabilities, № 1074): A family of microarchitectural attacks that abuse CPU speculative execution to leak data across security boundaries via cache-based side channels.
- Meltdown (vulnerabilities, № 665): A microarchitectural vulnerability (CVE-2017-5754) that lets unprivileged code read kernel memory by exploiting out-of-order execution and a delayed permission check.
- Side-Channel Attack (vulnerabilities, № 1038): An attack that recovers secrets from a system by observing physical or implementation characteristics — timing, power, electromagnetic emissions, caches, acoustic signals — rather than logical flaws.
- Site Isolation (appsec, № 1051): A Chromium security architecture that places documents from different sites into separate operating-system processes so a compromised renderer cannot read cross-site data.
- Browser Sandbox (appsec, № 129): An OS-level isolation layer that confines a browser's renderer and helper processes so that compromised web code cannot read the file system or other applications.
- Power Analysis Attack (cryptography, № 848): A side-channel attack that recovers secret keys by measuring fluctuations in the power consumption of a cryptographic device during operations.
● See also
- JIT Spray (№ 564)
- Type Confusion Vulnerability (№ 1182)