This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// From the academic paper "Spectre Attacks: Exploiting Speculative Execution" | |
/* | |
We're putting text "The Magic Words are Squeamish Ossifrage." in memory and then we're trying to read it using exploit. | |
If system is vulnerable, you'll see same text in output, readed from memory. | |
In this code, if the compiled instructions in victim_function() were executed in strict program order, the function would only read from array1[0..15] since array1 size = 16. | |
However, when executed speculatively, out-of-bounds reads are possible. | |
The read memory byte() function makes several training calls to victim_function() to make the branch predictor expect valid values for x, then calls with an out-of-bounds x. | |
The conditional branch mispredicts, and the ensuing speculative execution reads a secret byte using the out-of-bounds x. | |
The speculative code then reads from array2[array1[x] * 512], leaking the value of array1[x] into the cache state. |