## https://sploitus.com/exploit?id=D80DD255-E7C2-55A3-B3A8-E433EEE2722C
# 🛡️ Spectre Variant 2 (CVE-2017-5715) — Hardware Vulnerability Research

An in-depth research paper and hands-on Proof-of-Concept (PoC) exploring speculative execution attacks on modern CPUs.


---

## 📖 Overview

This project is a research and lab-based exploration of **Spectre Variant 2 (CVE-2017-5715)**, also known as **Branch Target Injection** — a hardware-level side-channel vulnerability affecting CPUs that implement speculative execution and branch prediction.

The goal of this project was to:
- Understand the **microarchitectural root cause** of Spectre Variant 2
- Reproduce a working **Proof of Concept (PoC)** in an isolated virtual lab
- Analyze and validate the leaked data through **cache timing side-channel analysis**
- Document real-world **mitigation strategies**

> ⚠️ **Disclaimer:** This work was conducted strictly in a controlled, isolated virtual machine for academic and educational purposes. It does not target or affect any production system, and no proprietary exploit code was authored — the publicly available [SpectrePoC](https://github.com/crozone/SpectrePoC) repository was used for demonstration.

---

## 📑 Table of Contents

- [What is Spectre Variant 2?](#-what-is-spectre-variant-2)
- [How the Attack Works](#-how-the-attack-works)
- [Lab Environment](#-lab-environment)
- [Proof of Concept Walkthrough](#-proof-of-concept-walkthrough)
- [Demo Video](#-demo-video)
- [Mitigation Strategies](#-mitigation-strategies)
- [Repository Structure](#-repository-structure)
- [References](#-references)
- [Author](#-author)

---

## 🔍 What is Spectre Variant 2?

**CVE-2017-5715** is a microprocessor vulnerability that allows an attacker to trick a CPU's branch predictor into executing instructions along an incorrect ("speculative") path. While the CPU correctly discards the *results* of this misprediction, it fails to fully erase the *side effects* — most notably, changes to the CPU cache state. These residual cache changes can be measured using timing analysis, allowing an attacker to infer secret data that should never have been accessible.

Unlike traditional software bugs, Spectre exploits the **hardware design** of modern CPUs, making it extremely difficult to patch completely and requiring a combination of microcode, OS, and compiler-level mitigations.

---

## ⚙️ How the Attack Works

1. **Mistrain the branch predictor** — repeatedly execute a branch in a predictable pattern so the CPU learns to expect it.
2. **Trigger a misprediction** — force the CPU to speculatively execute a different, attacker-chosen path.
3. **Speculative out-of-bounds read** — the CPU speculatively accesses memory it shouldn't, pulling secret data into the cache before it realizes the mistake.
4. **Rollback & residue** — the CPU discards the speculative results, but the cache line touched during speculation remains "warm."
5. **Flush + Reload timing attack** — the attacker times accesses to each candidate cache line to detect which one was cached, and therefore recovers the secret byte-by-byte.

---

## 🖥️ Lab Environment

| Component | Details |
|---|---|
| **Operating System** | Ubuntu 14.04 LTS |
| **Kernel Version** | 4.4.0-148-generic |
| **CPU** | 12th Gen Intel® Core™ i5-12450H |
| **Virtualization** | VMware Workstation |
| **PoC Repository** | [crozone/SpectrePoC](https://github.com/crozone/SpectrePoC) |

---

## 🧪 Proof of Concept Walkthrough

### 1. Environment Setup
```bash
sudo apt update
sudo apt install git
git clone https://github.com/crozone/SpectrePoC
cd SpectrePoC
make
```

### 2. Identify CPU Vulnerability Status
Linux exposes CPU vulnerability/mitigation status directly through sysfs:
```bash
grep . /sys/devices/system/cpu/vulnerabilities/*
```
This confirmed the test CPU was **vulnerable to `spectre_v2`**, while other related vulnerabilities (Meltdown, L1TF, MDS) were either mitigated or not affected.
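Triaging that sysfs output in a script is more reliable than reading it by eye on a fleet of hosts. The following is an added example (not part of the original project or of SpectrePoC): it parses `path:status` lines in the exact shape `grep .` prints, buckets each entry, and exits non-zero when anything is still reported as vulnerable. The sample lines are constructed to mirror the lab finding (only `spectre_v2` unmitigated), and the bucket names are my own labels, not kernel terminology.

```python
"""Triage `grep . /sys/devices/system/cpu/vulnerabilities/*` output.

Added example, not the project's code. Run on a live host with:
    grep . /sys/devices/system/cpu/vulnerabilities/* | python3 triage.py
With no piped input it falls back to the constructed SAMPLE below.
"""
import re
import sys

# Constructed sample in the exact 'path:status' shape grep produces.
SAMPLE = """\
/sys/devices/system/cpu/vulnerabilities/l1tf:Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
/sys/devices/system/cpu/vulnerabilities/mds:Mitigation: Clear CPU buffers; SMT vulnerable
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Not affected
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: usercopy/swapgs barriers and __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Vulnerable, IBPB: disabled, STIBP: disabled
"""

# The entry name is the file name; the first ':' after it separates the status.
LINE_RE = re.compile(r"^(?P<path>\S*/vulnerabilities/(?P<name>[^:]+)):(?P<status>.*)$")


def parse_vulnerabilities(text):
    """Return {entry_name: status_string}; lines that do not match are skipped."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            result[m.group("name")] = m.group("status").strip()
    return result


def classify(status):
    """Map the kernel's free-text status to one of three buckets (labels are mine)."""
    if status.startswith("Not affected"):
        return "not_affected"
    if status.startswith("Mitigation:"):
        return "mitigated"
    # 'Vulnerable' (with optional detail) and 'Unknown' are treated conservatively.
    return "vulnerable"


def unmitigated(text):
    """Sorted names of entries that are neither mitigated nor not-affected."""
    return sorted(n for n, s in parse_vulnerabilities(text).items()
                  if classify(s) == "vulnerable")


if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for name, status in sorted(parse_vulnerabilities(data).items()):
        print(f"{name:20s} {classify(status):13s} {status}")
    sys.exit(1 if unmitigated(data) else 0)
```

The non-zero exit code lets the check drop into a configuration-management or CI job, so a host that regresses to `Vulnerable` after a kernel or microcode change is caught automatically.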

### 3. Execute the PoC
```bash
./spectre.out
```
The tool repeatedly reports `Success` results alongside a confidence "score," derived from cache-timing differences — each successful read represents one leaked byte of otherwise inaccessible memory, reconstructed entirely through the speculative side channel.

### 4. Analysis
- ✅ Successfully mistrained the branch predictor
- ✅ Speculatively executed unauthorized memory reads
- ✅ Used Flush+Reload timing analysis to reconstruct leaked bytes

---

## 🎥 Demo Video

A recorded walkthrough of the full PoC — from environment setup to successful data exfiltration — is included in this repository to visually validate the attack.

▶️ **[Watch the PoC Demo Video](./demo/spectre-poc-demo.mp4)**

> 📝 *Update the path above once the video file is added to your repository (e.g. place it in a `demo/` or `media/` folder and adjust the link accordingly).*

---

## 🛡️ Mitigation Strategies

- **Patch firmware & OS** — apply the latest microcode and kernel updates, which include retpoline and other speculation-barrier mitigations.
- **Follow vendor guidance** — Intel, AMD, and OS vendors publish specific mitigation instructions per CPU generation.
- **Enable OS/browser-level protections** — site isolation, Indirect Branch Restricted Speculation (IBRS), and similar mitigations reduce cross-boundary leakage.
- **Keep endpoint security current** — while not a direct fix, up-to-date security tooling helps detect exploitation attempts that pair Spectre with other attack chains.

---

## 📂 Repository Structure

```
.
├── README.md
├── Research_Paper_-_CVE-2017-5715_Spectre_by_Shivam_Bhatt.pdf
└── demo/
    └── spectre-poc-demo.mp4
```

---

## 📚 References

- crozone. (2023). *SpectrePoC*. GitHub. https://github.com/crozone/SpectrePoC
- Microsoft. (n.d.). *Update to enable mitigation against Spectre, Variant 2*.
- Wikipedia. (n.d.). *Spectre (security vulnerability)*. https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)
- Wikipedia. (n.d.). *Side-channel attack*. https://en.wikipedia.org/wiki/Side-channel_attack
- Wikipedia. (n.d.). *Row Hammer*. https://en.wikipedia.org/wiki/Row_hammer
- Twingate Team. (2024). *What is Row Hammer? How It Works & Examples*.

---

## 👤 Author

**Shivam Bhatt**
Cybersecurity Post-Graduate Diploma (Honours) — NAIT
🔗 Feel free to connect on [LinkedIn](#) or reach out for collaboration on cybersecurity research.

⭐ If you found this research useful, consider starring the repo!