Facilitating the spread of knowledge and innovation in professional software development



Choose your language

InfoQ Homepage News Spectre 1.1 and 1.2 Vulnerabilities Disclosed

Spectre 1.1 and 1.2 Vulnerabilities Disclosed


Two new vulnerabilities exploiting flaws in CPUs speculative execution have been recently disclosed. Dubbed Spectre 1.1 and 1.2, both are variants of the original Spectre (Spectre-v1) vulnerability and leverage speculative stores to create speculative buffer overflows which can escape Spectre-v1 mitigations.

According to the paper produced by Vladimir Kiriansky and Carl Waldspurger:

The ability to perform arbitrary speculative writes presents significant new risks, including arbitrary speculative execution. Unfortunately, this enables both local and remote attacks, even when Spectre1.0 gadgets are not present. It also allows attackers to bypass recommended software mitigations for previous speculative-execution attacks.

The security researchers that disclosed the new vulnerabilities, the following code provides a proof-of-concept attack for Spectre 1.1:

if (y < lenc)
    c[y] = z;

The problem with the code above lies with the possibility that during speculative branch execution the CPU might ignore the bounds check, thus leaving open the possibility for an attacker to arbitrarily overwrite memory. This mechanism makes it possible to temporarily overwrite data used by a subsequent Spectre-v1 attack.

Spectre 1.2 exploits instead lazy enforcement of user/superuser protection checks for page-table entries (PTEs). Thus a speculative data attack could overwrite read-only data, which include code pointers, vtables, and control-flow mitigation metadata.

The researchers described both software and hardware mitigations, which include the use of speculation fences, which stop speculative execution altogether; masking, which resorts to masking index values before they are used in an attempt to bound them, so a subsequent access to that position in the array is likely to not access out-of-bounds memory; and others. The researchers also pointed out that software defenses against the new attacks end up being the same as the techniques to prevent classical buffer overflows:

A good first step toward preventing them would be to strengthen existing checks against stack overflows, heap overflows, integer overflows, etc.

Although, Kiriansky and Waldspurger reported the two new Spectre variants to Intel, ARM, AMD, Google, IBM, and Microsoft, no patches are yet available.

We need your feedback

How might we improve InfoQ for you

Thank you for being an InfoQ reader.

Each year, we seek feedback from our readers to help us improve InfoQ. Would you mind spending 2 minutes to share your feedback in our short survey? Your feedback will directly help us continually evolve how we support you.

Take the Survey

Rate this Article


Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Community comments

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p


Is your profile up-to-date? Please take a moment to review and update.

Note: If updating/changing your email, a validation request will be sent

Company name:
Company role:
Company size:
You will be sent an email to validate the new email address. This pop-up will close itself in a few moments.