{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,9]],"date-time":"2026-04-09T14:40:20Z","timestamp":1775745620609,"version":"3.50.1"},"reference-count":29,"publisher":"Association for Computing Machinery (ACM)","issue":"7","license":[{"start":{"date-parts":[[2020,6,18]],"date-time":"2020-06-18T00:00:00Z","timestamp":1592438400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Commun. ACM"],"published-print":{"date-parts":[[2020,6,18]]},"abstract":"Modern processors use branch prediction and speculative execution to maximize performance. For example, if the destination of a branch depends on a memory value that is in the process of being read, CPUs will try to guess the destination and attempt to execute ahead. When the memory value finally arrives, the CPU either discards or commits the speculative computation. Speculative logic is unfaithful in how it executes, can access the victim's memory and registers, and can perform operations with measurable side effects.<\/jats:p>\n Spectre attacks involve inducing a victim to speculatively perform operations that would not occur during correct program execution and which leak the victim's confidential information via a side channel to the adversary. This paper describes practical attacks that combine methodology from side-channel attacks, fault attacks, and return-oriented programming that can read arbitrary memory from the victim's process. More broadly, the paper shows that speculative execution implementations violate the security assumptions underpinning numerous software security mechanisms, such as operating system process separation, containerization, just-in-time (JIT) compilation, and countermeasures to cache timing and side-channel attacks. These attacks represent a serious threat to actual systems because vulnerable speculative execution capabilities are found in microprocessors from Intel, AMD, and ARM that are used in billions of devices.<\/jats:p>\n Although makeshift processor-specific countermeasures are possible in some cases, sound solutions will require fixes to processor designs as well as updates to instruction set architectures (ISAs) to give hardware architects and software developers a common understanding as to what computation state CPU implementations are (and are not) permitted to leak.<\/jats:p>","DOI":"10.1145\/3399742","type":"journal-article","created":{"date-parts":[[2020,6,18]],"date-time":"2020-06-18T20:23:33Z","timestamp":1592511813000},"page":"93-101","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":226,"title":["Spectre attacks"],"prefix":"10.1145","volume":"63","author":[{"given":"Paul","family":"Kocher","sequence":"first","affiliation":[]},{"given":"Jann","family":"Horn","sequence":"additional","affiliation":[{"name":"Google Project Zero"}]},{"given":"Anders","family":"Fogh","sequence":"additional","affiliation":[{"name":"G DATA Advanced Analytics"}]},{"given":"Daniel","family":"Genkin","sequence":"additional","affiliation":[{"name":"University of Michigan"}]},{"given":"Daniel","family":"Gruss","sequence":"additional","affiliation":[{"name":"Graz University of Technology"}]},{"given":"Werner","family":"Haas","sequence":"additional","affiliation":[{"name":"Cyberus Technology"}]},{"given":"Mike","family":"Hamburg","sequence":"additional","affiliation":[{"name":"Rambus, Cryptography Research Division"}]},{"given":"Moritz","family":"Lipp","sequence":"additional","affiliation":[{"name":"Graz University of Technology"}]},{"given":"Stefan","family":"Mangard","sequence":"additional","affiliation":[]},{"given":"Thomas","family":"Prescher","sequence":"additional","affiliation":[{"name":"Cyberus Technology"}]},{"given":"Michael","family":"Schwarz","sequence":"additional","affiliation":[{"name":"Graz University of Technology"}]},{"given":"Yuval","family":"Yarom","sequence":"additional","affiliation":[{"name":"University of Adelaide and Data61"}]}],"member":"320","published-online":{"date-parts":[[2020,6,18]]},"reference":[{"key":"e_1_2_1_1_1","volume-title":"Predicting Secret Keys Via Branch Prediction","author":"Acii\u00e7mez O.","year":"2007","unstructured":"Acii\u00e7mez , O. , Ko\u00e7 , \u00c7. K. , Seifert , J.-P. Predicting Secret Keys Via Branch Prediction . In : CT-RSA , 2007 . Acii\u00e7mez, O., Ko\u00e7, \u00c7.K., Seifert, J.-P. Predicting Secret Keys Via Branch Prediction. In: CT-RSA, 2007."},{"key":"e_1_2_1_2_1","unstructured":"Advanced Micro Devices Inc. Software Techniques for Managing Speculation on AMD Processors 2018. [Online]. http:\/\/developer:amd:com\/wordpress\/media\/2013\/12\/Managing-Speculation-on-AMD-Processors:pdf Advanced Micro Devices Inc. Software Techniques for Managing Speculation on AMD Processors 2018. [Online]. http:\/\/developer:amd:com\/wordpress\/media\/2013\/12\/Managing-Speculation-on-AMD-Processors:pdf"},{"key":"e_1_2_1_3_1","volume-title":"Cache-Timing Attacks on AES","author":"Bernstein D.J.","year":"2005","unstructured":"Bernstein , D.J. Cache-Timing Attacks on AES . 2005 . [Online]. http:\/\/cr:yp:to\/antiforgery\/cachetiming-20050414:pdf Bernstein, D.J. Cache-Timing Attacks on AES. 2005. [Online]. http:\/\/cr:yp:to\/antiforgery\/cachetiming-20050414:pdf"},{"key":"e_1_2_1_4_1","first-page":"8","article-title":"A survey of microarchitectural timing attacks and countermeasures on contemporary hardware","volume":"1","author":"Ge Q.","year":"2018","unstructured":"Ge , Q. , Yarom , Y. , Cock , D. , Heiser , G . A survey of microarchitectural timing attacks and countermeasures on contemporary hardware . J. Cryptogr. Eng. 1 , 8 ( 2018 ), 1--27. Ge, Q., Yarom, Y., Cock, D., Heiser, G. A survey of microarchitectural timing attacks and countermeasures on contemporary hardware. J. Cryptogr. Eng. 1, 8 (2018), 1--27.","journal-title":"J. Cryptogr. Eng."},{"key":"e_1_2_1_5_1","volume-title":"USENIX Security Symposium","author":"Gruss D.","year":"2015","unstructured":"Gruss , D. , Spreitzer , R. , Mangard , S. Cache template attacks: Automating attacks on inclusive last-level caches . In USENIX Security Symposium , 2015 . Gruss, D., Spreitzer, R., Mangard, S. Cache template attacks: Automating attacks on inclusive last-level caches. In USENIX Security Symposium, 2015."},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2011.22"},{"key":"e_1_2_1_7_1","volume-title":"Speculative execution, variant 4: Speculative store bypass","author":"Horn J.","year":"2018","unstructured":"Horn , J. Speculative execution, variant 4: Speculative store bypass , 2018 . [Online]. https:\/\/bugs:chromium:org\/p\/project-zero\/issues\/detail?id=1528 Horn, J. Speculative execution, variant 4: Speculative store bypass, 2018. [Online]. https:\/\/bugs:chromium:org\/p\/project-zero\/issues\/detail?id=1528"},{"key":"e_1_2_1_8_1","volume-title":"Jan.","author":"Intel Corp.","year":"2018","unstructured":"Intel Corp. Speculative Execution Side Channel Mitigations , Jan. 2018 . [Online]. https:\/\/software:intel:com\/sites\/default\/files\/managed\/c5\/63\/336996-Speculative-Execution-Side-Channel-Mitigations:pdf Intel Corp. Speculative Execution Side Channel Mitigations, Jan. 2018. [Online]. https:\/\/software:intel:com\/sites\/default\/files\/managed\/c5\/63\/336996-Speculative-Execution-Side-Channel-Mitigations:pdf"},{"key":"e_1_2_1_9_1","volume-title":"Jan.","author":"Intel Corp.","year":"2018","unstructured":"Intel Corp. Intel Analysis of Speculative Execution Side Channels , Jan. 2018 . [Online]. https:\/\/newsroom:intel:com\/wpcontent\/uploads\/sites\/11\/2018\/01\/Intel-Analysis-of-Speculative-Execution-Side-Channels:pdf Intel Corp. Intel Analysis of Speculative Execution Side Channels, Jan. 2018. [Online]. https:\/\/newsroom:intel:com\/wpcontent\/uploads\/sites\/11\/2018\/01\/Intel-Analysis-of-Speculative-Execution-Side-Channels:pdf"},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.42"},{"key":"e_1_2_1_11_1","volume-title":"ISCA","author":"Kim Y.","year":"2014","unstructured":"Kim , Y. , Daly , R. , Kim , J. , Fallin , C. , Lee , J.H. , Lee , D. , Wilkerson , C. , Lai , K. , Mutlu , O. Flipping bits in memory without accessing them: An experimental study of DRAM disturbance errors . In ISCA , 2014 . Kim, Y., Daly, R., Kim, J., Fallin, C., Lee, J.H., Lee, D., Wilkerson, C., Lai, K., Mutlu, O. Flipping bits in memory without accessing them: An experimental study of DRAM disturbance errors. In ISCA, 2014."},{"key":"e_1_2_1_12_1","volume-title":"Spectre mitigations in Microsoft's C\/C++ compiler","author":"Kocher P.","year":"2018","unstructured":"Kocher , P. Spectre mitigations in Microsoft's C\/C++ compiler ; 2018 . [Online]. https:\/\/www:paulkocher:com\/doc\/MicrosoftCompilerSpectreMitigation:html Kocher, P. Spectre mitigations in Microsoft's C\/C++ compiler; 2018. [Online]. https:\/\/www:paulkocher:com\/doc\/MicrosoftCompilerSpectreMitigation:html"},{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.5555\/646764.703989"},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.5555\/646761.706156"},{"key":"e_1_2_1_15_1","volume-title":"USENIX Security Symposium","author":"Lipp M.","year":"2016","unstructured":"Lipp , M. , Gruss , D. , Spreitzer , R. , Maurice , C. , Mangard , S. AR Mageddon : Cache attacks on mobile devices . In USENIX Security Symposium , 2016 . Lipp, M., Gruss, D., Spreitzer, R., Maurice, C., Mangard, S. ARMageddon: Cache attacks on mobile devices. In USENIX Security Symposium, 2016."},{"key":"e_1_2_1_16_1","volume-title":"USENIX Security Symposium (to appear)","author":"Lipp M.","year":"2018","unstructured":"Lipp , M. , Schwarz , M. , Gruss , D. , Prescher , T. , Haas , W. , Fogh , A. , Horn , J. , Mangard , S. , Kocher , P. , Genkin , D. , Yarom , Y. , Hamburg , M. Meltdown : Reading kernel memory from user space . In USENIX Security Symposium (to appear) , 2018 . Lipp, M., Schwarz, M., Gruss, D., Prescher, T., Haas, W., Fogh, A., Horn, J., Mangard, S., Kocher, P., Genkin, D., Yarom, Y., Hamburg, M. Meltdown: Reading kernel memory from user space. In USENIX Security Symposium (to appear), 2018."},{"key":"e_1_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.43"},{"key":"e_1_2_1_18_1","volume-title":"USENIX","author":"McCanne S.","year":"1993","unstructured":"McCanne , S. , Jacobson , V. The BSD packet filter: A new architecture for user-level packet capture . In USENIX Winter, 1993 . McCanne, S., Jacobson, V. The BSD packet filter: A new architecture for user-level packet capture. In USENIX Winter, 1993."},{"key":"e_1_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813708"},{"key":"e_1_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1007\/11605805_1"},{"key":"e_1_2_1_21_1","volume-title":"Jan.","author":"Pizlo F.","year":"2018","unstructured":"Pizlo , F. What spectre and meltdown mean for WebKit , Jan. 2018 . [Online]. https:\/\/webkit:org\/blog\/8048\/what-spectreand-meltdown-mean-for-webkit\/ Pizlo, F. What spectre and meltdown mean for WebKit, Jan. 2018. [Online]. https:\/\/webkit:org\/blog\/8048\/what-spectreand-meltdown-mean-for-webkit\/"},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-70972-7_13"},{"key":"e_1_2_1_23_1","volume-title":"CCS","author":"Shacham H.","year":"2007","unstructured":"Shacham , H. The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86) . In CCS , 2007 . Shacham, H. The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). In CCS, 2007."},{"key":"e_1_2_1_24_1","volume-title":"S&P","author":"Sibert O.","year":"1995","unstructured":"Sibert , O. , Porras , P.A. , Lindell , R. The Intel 80x86 processor architecture: Pitfalls for secure systems . In S&P , 1995 . Sibert, O., Porras, P.A., Lindell, R. The Intel 80x86 processor architecture: Pitfalls for secure systems. In S&P, 1995."},{"key":"e_1_2_1_25_1","volume-title":"USENIX Security Symposium","author":"Tang A.","year":"2017","unstructured":"Tang , A. , Sethumadhavan , S. , Stolfo , S. CLKSCREW : Exposing the perils of security-oblivious energy management . In USENIX Security Symposium , 2017 . Tang, A., Sethumadhavan, S., Stolfo, S. CLKSCREW: Exposing the perils of security-oblivious energy management. In USENIX Security Symposium, 2017."},{"key":"e_1_2_1_26_1","unstructured":"The Chromium Projects. Site Isolation. [Online]. http:\/\/www:chromium:org\/Home\/chromiumsecurity\/site-isolation The Chromium Projects. Site Isolation. [Online]. http:\/\/www:chromium:org\/Home\/chromiumsecurity\/site-isolation"},{"key":"e_1_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-45238-6_6"},{"key":"e_1_2_1_28_1","unstructured":"Turner P. Retpoline: A software construct for preventing branch-target-injection. [Online]. https:\/\/support:google:com\/faqs\/answer\/7625886 Turner P. Retpoline: A software construct for preventing branch-target-injection. [Online]. https:\/\/support:google:com\/faqs\/answer\/7625886"},{"key":"e_1_2_1_29_1","volume-title":"USENIX Security Symposium","author":"Yarom Y.","year":"2014","unstructured":"Yarom , Y. , Falkner , K. Flush + reload : A high resolution, low noise, L3 cache side-channel attack . In USENIX Security Symposium , 2014 . Yarom, Y., Falkner, K. Flush + reload: A high resolution, low noise, L3 cache side-channel attack. In USENIX Security Symposium, 2014."}],"container-title":["Communications of the ACM"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3399742","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3399742","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T21:31:49Z","timestamp":1750195909000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3399742"}},"subtitle":["exploiting speculative execution"],"short-title":[],"issued":{"date-parts":[[2020,6,18]]},"references-count":29,"journal-issue":{"issue":"7","published-print":{"date-parts":[[2020,6,18]]}},"alternative-id":["10.1145\/3399742"],"URL":"https:\/\/doi.org\/10.1145\/3399742","relation":{},"ISSN":["0001-0782","1557-7317"],"issn-type":[{"value":"0001-0782","type":"print"},{"value":"1557-7317","type":"electronic"}],"subject":[],"published":{"date-parts":[[2020,6,18]]},"assertion":[{"value":"2020-06-18","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}