sunglinf404 / CPU-vulnerability-collections

paper blog POC
Meltdown: Reading Kernel Memory from User Space
Spectre Attacks: Exploiting Speculative Execution
(Spectre v1 & Spectre v2)
Reading privileged memory with a side-channel
Performance vs. Security? CPU Chip Vulnerability Attacks in Practice (1): Breaking macOS KASLR
Performance vs. Security? CPU Chip Vulnerability Attacks in Practice (2): Reading Linux Kernel Data with Meltdown
Into the Implementation of Spectre
Speculative Buffer Overflows: Attacks and Defenses
(Spectre v1.1 & Spectre v1.2)
(Spectre v3a)
Issue 1528: speculative execution, variant 4: speculative store bypass
Analysis and mitigation of speculative store bypass (CVE-2018-3639)
(Spectre v4)
provided in the blog
Port Contention for Fun and Profit
NetSpectre: Read Arbitrary Memory over Network
NetSpectre: A Truly Remote Spectre Variant
ret2spec: Speculative Execution Using Return Stack Buffers
Spectre Returns! Speculation Attacks using the Return Stack Buffer
LazyFP: Leaking FPU Register State using Microarchitectural Side-Channels
Intel LazyFP vulnerability: Exploiting lazy FPU state switching
BranchScope: A New Side-Channel Attack on Directional Branch Predictor
SgxPectre Attacks: Stealing Intel Secrets from SGX Enclaves via Speculative Execution
ExSpectre: Hiding Malware in Speculative Execution
Translation Leak-aside Buffer: Defeating Cache Side-channel Protections with TLB Attacks
Spectre is here to stay: An analysis of side-channels and speculative execution
MeltdownPrime and SpectrePrime: Automatically-Synthesized Attacks Exploiting Invalidation-Based Coherence Protocols
provided in the paper
A Systematic Evaluation of Transient Execution Attacks and Defenses
System Management Mode Speculative Execution Attacks
FORESHADOW: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution
Foreshadow-NG: Breaking the Virtual Memory Abstraction with Transient Out-of-Order Execution
Analysis and mitigation of L1 Terminal Fault (L1TF)
SPOILER: Speculative Load Hazards Boost Rowhammer and Cache Attacks
SMoTherSpectre: exploiting speculative execution through port contention
SMoTherSpectre: transient execution attacks through port contention
ZombieLoad: Cross-Privilege-Boundary Data Sampling
ZombieLoad: Cross Privilege-Boundary Data Leakage
RIDL: Rogue In-Flight Data Load
Fallout: Reading Kernel Writes From User Space
Store-to-Leak Forwarding: Leaking Data on Meltdown-resistant CPUs
Bypassing KPTI Using the Speculative Behavior of the SWAPGS Instruction
VoltJockey: Breaking SGX by Software-Controlled Voltage-Induced Hardware Faults
VoltJockey: Breaching TrustZone by Software-Controlled Voltage Manipulation over Multi-core Frequencies
CacheOut: Leaking Data on Intel CPUs via Cache Evictions

2.check tool

3.patch analysis

3.1.KPTI(Kernel Page Table Isolation)


3.2.KVAS(Kernel Virtual Address Shadow)


KVA Shadow: Mitigating Meltdown on Windows

A Deep Dive Analysis of Microsoft's Kernel Virtual Address Shadow Feature

3.3.Retpoline(return trampoline)

Retpoline: The Anti-Spectre Type 2 mitigation in Windows


Retpoline: a software construct for preventing branch-target-injection

Mitigating Spectre variant 2 with Retpoline on Windows

Spectre mitigations in MSVC

Mitigating speculative execution side channel hardware vulnerabilities


Exploiting CVE-2018-1038 - Total Meltdown

Issue 1711: Linux: eBPF Spectre v1 mitigation is insufficient

(some notes about this by me: CVE-2018-3639/CVE-2019-7308: Analysis of Spectre attacks on the Linux kernel eBPF)

Oh No! KPTI Defeated: Unauthorized Data Leakage is Still Possible

Detecting Attacks that Exploit Meltdown and Spectre with Performance Counters
