Spectre and Meltdown: How Modern CPUs Traded Security for Speed

For years, CPU designers focused on making processors faster. Techniques like out-of-order and speculative execution became standard to keep every part of the chip busy. These tricks helped achieve huge performance gains, but they also opened the door to a new kind of vulnerability.

In 2018, two major security flaws, Spectre and Meltdown, showed that the very features that made processors efficient could be used to steal private data from memory. These attacks broke some of the most fundamental assumptions about isolation between programs and the operating system.

Out-of-Order and Speculative Execution

Modern processors don’t always follow instructions in the same order that they appear in code. Instead, they execute instructions as soon as the required data and resources are available. This approach, known as out-of-order execution, makes the CPU much faster because it can work on other instructions while waiting for slow operations to complete.

Speculative execution goes one step further. When the processor reaches a conditional branch and doesn’t yet know which path to take, it makes an educated guess and runs instructions ahead of time. If the guess was correct, the results are kept. If it was wrong, the CPU discards the work and returns to the right path.

The problem is that while the architectural state of the CPU (registers, memory) gets rolled back, the micro-architectural state - like cache contents - does not. These small traces left behind can be measured, giving attackers a side channel to extract secrets.

How Spectre Works

Spectre tricks the CPU into speculatively executing instructions that should never run in normal program flow. By manipulating the branch predictor, an attacker can force the processor to access sensitive memory and then detect those accesses through cache timing.

One common example involves a victim function that reads from an array after checking if an index is valid:

if (x < array1_size)
    temp = array2[array1[x] * 512];

The attacker first calls this function many times with safe values of x so that the CPU learns the branch is usually true. Then the attacker calls it once with a malicious out-of-bounds value. The processor predicts the condition as true and speculatively executes the body anyway, reading data from memory it should not access. Although the CPU later discards this work, the cache remains changed in a way that reveals the secret value.

By measuring how long it takes to read different cache lines, the attacker can figure out which memory locations were accessed and reconstruct the data.

Another Spectre variant targets indirect branches by poisoning the Branch Target Buffer (BTB). This misleads the CPU into jumping to the wrong location during speculation, again leaking data through cache effects.

How Meltdown Works

Meltdown is a different kind of attack that targets the separation between user programs and the operating system kernel. It takes advantage of the fact that out-of-order execution allows the CPU to perform instructions before checking if the current privilege level is allowed to access that memory.

When a user program tries to read from a kernel address, the CPU should raise an exception. But before the exception is handled, it has already executed a few transient instructions using the secret data. Those instructions can leave a trace in the cache that an attacker can measure.

A typical Meltdown attack:

1. Attempt to load a kernel address (this causes a fault).
2. Use the loaded byte to speculatively access array2[secret * 4096].
3. Catch the fault using a signal handler.
4. Measure which cache line is fast to access, revealing the value of secret.

This effectively lets an unprivileged program read kernel memory. Because Meltdown relies on how hardware handles out-of-order execution, it affects many processors regardless of the operating system.

Mitigations

Hardware Barriers

Intel introduced the LFENCE instruction to act as a speculation barrier. Placed after bounds checks, it stops the CPU from executing later instructions until the previous ones are completed. While this prevents speculative reads, it can also slow down performance if overused.

Operating System Fixes

Linux added Kernel Page Table Isolation (KPTI), which completely separates kernel memory from user space. This blocks Meltdown by removing the mapping that made kernel data visible to user programs.
To defend against Spectre’s indirect branch attacks, developers use a technique called Retpoline, which replaces indirect jumps with a controlled return sequence that traps speculation safely.

Performance Impact

These mitigations come with a cost. Workloads that frequently switch between user and kernel mode, like system calls or virtualization, can see noticeable slowdowns. Security came at the price of some performance.

The Legacy of Spectre and Meltdown

Both vulnerabilities showed that hardware optimizations can have unexpected security consequences. They also proved that even when software is perfectly correct, hardware can still leak data through timing and side channels.

Since then, newer attacks like Foreshadow and Retbleed have built on similar ideas, exploiting subtle hardware behaviors. CPU vendors now include speculation fences, stronger privilege checks, and better isolation in new architectures, but research continues to find new variants.

For developers, these flaws were a reminder that performance features deep in the hardware can undermine even the strongest software security models.