Contributions, comments and corrections are welcome, please do PR.
-
[ÆPIC Leak] Architecturally Leaking Uninitialized Data from the Microarchitecture
-
TPM-FAIL / TPM meets Timing and Lattice Attacks
- [CVE-2019-11090] For Intel fTPM
- [CVE-2019-16863] For STMicroelectronics TPM
-
[CVE-2015-0565] Rowhammer based:
- [CVE-2016-6728] DRAMMER
- [CVE-2018-9442] RAMPage
- [CVE-2019-0174] RAMBleed
- [CVE-2019-0162] SPOILER / Speculative Load Hazards Boost Rowhammer and Cache Attacks
- [CVE-2021-42114] Blacksmith/ Scalable Rowhammering in the Frequency Domain
- DRAMA/DRAM Addressing
- Flip Feng Shui (FFS)
- SGX-Bomb
- Nethammer
- JackHammer
- Half-Double: Next-Row-Over Assisted Rowhammer
-
Spectre:
-
[CVE-2017-5753] Spectre-V1 / Spectre v1 / Spectre-PHT / Bounds Check Bypass (BCB)
-
[CVE-2018-3693] Spectre 1.2 / Meltdown-RW / Read-only protection bypass (RPB)
-
[CVE-2017-5715] Spectre-V2 / Spectre v2 / Spectre-BTB / Branch Target Injection (BTI)
-
SpectreNG class:
- [CVE-2018-3640] Spectre v3a / Meltdown-GP / Rogue System Register Read (RSRR)
- [CVE-2018-3639] Spectre v4 / Spectre-STL / Speculative Store Bypass (SSB)
- [CVE-2018-3665] LazyFP / Meltdown-NM / Spectre-NG 3 / Lazy FP State Save-Restore
- [CVE-2018-3693] Spectre 1.1 / Spectre-PHT / Bounds Check Bypass Store (BCBS)
- [CVE-2019-1125] Spectre SWAPGS
-
- [CVE-2018-3615] Foreshadow / Spectre v5 / L1TF / Meltdown-P / L1 Terminal Fault in SGX
- [CVE-2018-3620] Foreshadow-NG / Foreshadow-OS
- [CVE-2018-3646] Foreshadow-NG / Foreshadow-VMM
-
Spectre RSB (Return Mispredict / Return Stack Buffer (RSB)) based:
-
Meltdown (Rogue Data Cache Load (RDCL)):
- [CVE-2017-5754] Meltdown v3 / Spectre v3 / Spectre-V3 / Meltdown-US:
- Meltdown-BR / Bounds Check Bypass
- Meltdown-NM / FPU Register Bypass
- Meltdown-P / Virtual Translation Bypass
- Meltdown-PK / Protection Key Bypass
- [CVE-2017-5754] Meltdown v3 / Spectre v3 / Spectre-V3 / Meltdown-US:
-
Microarchitectural Data Sampling (MDS):
- [CVE-2018-12126] Fallout / Microarchitectural Store Buffer Data Sampling (MSBDS)
- Rogue In-Flight Data Load (RIDL):
- [CVE-2018-12130] ZombieLoad / Microarchitectural Fill Buffer Data Sampling (MFBDS)
- [CVE-2018-12127] Microarchitectural Load Port Data Sampling (MLPDS)
- [CVE-2019-11091] Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
- [CVE-2019-11135] ZombieLoad v2 / TSX Asynchronous Abort (TAA)
- [CVE-2020-0548] Vector Register Sampling (VRS)
- [CVE-2020-0549] CacheOut / L1D Eviction Sampling (L1DES)
-
[CVE-2020-0551] Hijacking Transient Execution with Load Value Injection (LVI)
-
[CVE-2020-0543] Crosstalk / Special Register Buffer Data Sampling (SRBDS)
-
Processor MMIO Stale Data based:
- [CVE-2022-21166] Device Register Partial Write (DRPW)
- [CVE-2022-21127] Update to Special Register Buffer Data Sampling (SRBDS Update)
- [CVE-2022-21123] Shared Buffers Data Read (SBDR)
- [CVE-2022-21125] Shared Buffers Data Sampling (SBDS)
-
Speculative Race Conditions (SRC):
-
-
[PACMAN] Attacking ARM pointer authentication with speculative execution
-
[Lord of the Ring(s)] Side Channel Attacks on the CPU On-Chip Ring Interconnect Are Practical
-
[Augury] Using Data Memory-Dependent Prefetchers (DMP) to Leak Data at Rest
-
[CVE-2020-8694 / CVE-2020-8695] PLATYPUS: Software-based Power Side-Channel Attacks on x86
-
[Hertzbleed] Turning Power Side-Channel Attacks Into Remote Timing Attacks on x86
-
[CVE-2023-20593] Zenbleed: A use-after-free in AMD Zen2 processors
-
[CVE-2023-20583] Collide+Power: Leaking Inaccessible Data with Software-based Power Side Channels
-
[CVE-2023-23583] Reptar: A Intel redundant prefix vulnerability
- TPM-Fail: https://github.com/VernamLab/TPM-Fail
- Rowhammer (Google): https://github.com/google/rowhammer-test
- Rowhammer (IAIK): https://github.com/IAIK/rowhammerjs
- DRAMMER: https://github.com/vusec/drammer
- SGX-Bomb: https://github.com/sslab-gatech/sgx-bomb
- SWAPGS: https://github.com/bitdefender/swapgs-attack-poc
- Berkeley Out-of-Order Machine (BOOM) RV64GC RISC-V core Spectre attacks: https://github.com/riscv-boom/boom-attacks
- RETBleed: https://github.com/comsec-group/retbleed
- Linux Kernel Defence Map
- Linux Kernel Hardware Vulnerabilities
- Transient Execution Attacks
- SGX Fail: How Stuff Gets eXposed
- A Spectre demo written in Javascript for Chrome 88
- RAM Anatomy Poster
- speculation-bugs: Docs and resources on CPU Speculative Execution bugs
- Interactive guide to speculative execution attacks:
- sandsifter: The x86 processor fuzzer.
- OpcodeTester: Analyse Undocumented Instructions on Intel x86/x86-64 and RISC-V.
- evsets: Tool for testing and finding minimal eviction sets.
- cachequery: A tool for interacting with hardware memory caches in modern Intel CPUs.
- haruspex: Exploration of x86-64 ISA using speculative execution.
- Blacksmith: Next-gen Rowhammer fuzzer that uses non-uniform, frequency-based patterns.
- Speculator: Tool to Analyze Speculative Execution Attacks and Mitigations.
- MicrocodeDecryptor: Understand how Intel mitigated spectre vulnerability, explore the implementation of Intel TXT, SGX,VT-x technologies.
- SiliFuzz: Fuzzing CPUs by proxy.
- Cascade: CPU Fuzzing via Intricate Program Generation.
- A Dirty Little History: Bypassing Spectre Hardware Defenses to Leak Kernel Data
- Custom Processing Unit: Tracing and Patching Intel Atom Microcode.
- ÆPIC Leak: Architecturally Leaking Uninitialized Data from the Microarchitecture.
- CPU Introspection: Intel Load Port Snooping
- Sushi Roll: A CPU research kernel with minimal noise for cycle-by-cycle micro-architectural introspection
- Pulling Bits From ROM Silicon Die Images: Unknown Architecture
- Beating the L1 cache with value speculation
- COMSEC (ETH Zürich) Blog
- No More Speculation: Exploiting CPU Side-Channels for Real
- Reverse Engineering of Intel Microcode Update Structure
- Security Analysis of AMD predictive store forwarding (AMD Zen 3)
- Flushgeist: Cache Leaks from Beyond the Flush
- Theory and Practice of Finding Eviction Sets
- CacheQuery: Learning Replacement Policies from Hardware Caches
- Hardware-Software Contracts for Secure Speculation
- Speculative Probing: Hacking Blind in the Spectre Era
- Speculation at Fault: Modeling and Testing Microarchitectural Leakage of CPU Exceptions
$ cat /sys/devices/system/cpu/vulnerabilities/*