
'The Meltdown and Spectre attacks that use processor speculative execution to leak sensitive information have resulted in a wide range of software changes to try to limit the scope for harm. Many of these are operating system-level fixes, some of which depend on processor microcode updates. But Spectre isn't a simple attack to solve; operating system changes help a great deal, but application-level changes are also needed. Apple has talked about some of the updates it has made to the WebKit rendering engine, used in its Safari browser, but this is only a single application. Microsoft is offering a compiler-level change for Spectre.

The "Spectre" label actually covers two different attacks. The one that Microsoft's compiler is addressing, known as "variant 1," concerns checking the size of an array: before accessing the Nth element of an array, code should check that the array has at least N elements in it. Programmers using languages like C and C++ often have to write these checks explicitly. Other languages, like JavaScript and Java, perform them automatically. Either way, the test has to be done; attempts to access array members that don't exist are a whole class of bugs all on their own.

[...]

In fairness, Microsoft does warn that "there is no guarantee that all possible instances of variant 1 will be instrumented," but as Kocher's examination shows, it's not simply that some Spectre-vulnerable code will escape the compiler's fixes. Much—and perhaps even most—Spectre-vulnerable code will escape. And even if it were only a few instances, bad guys would be able to locate the unprotected routines and focus their attacks accordingly.'

-- source: https://arstechnica.com/gadgets/2018/02/microsofts-compiler-level-spectre-fi...

Cheers, Peter

-- 
Peter Reutemann
Dept. of Computer Science
University of Waikato, NZ
+64 (7) 858-5174
http://www.cms.waikato.ac.nz/~fracpete/
http://www.data-mining.co.nz/
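
Added example, not part of the quoted article or of this post: the variant 1 bounds-check shape in C next to a manually hardened form that clamps the index with a branch-free mask. The function names, the macro and the table are hypothetical, and index masking is a different mitigation from the compiler change the article discusses.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_LEN 16u
/* Constructed sample data; stands in for any bounds-checked array. */
static const uint8_t table[TABLE_LEN] = {
    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25};

/* Keep the compiler from proving the mask is all-ones and deleting it. */
#if defined(__GNUC__)
#define HIDE_FROM_OPTIMIZER(v) __asm__ volatile("" : "+r"(v))
#else
#define HIDE_FROM_OPTIMIZER(v) ((void)0) /* mask may be optimized away */
#endif

/* Variant 1 shape: architecturally correct, but if the branch is
 * mispredicted the load can run speculatively with idx >= TABLE_LEN. */
int lookup_checked(size_t idx, uint8_t *out) {
    if (idx < TABLE_LEN) { *out = table[idx]; return 1; }
    return 0;
}

/* All-ones when idx < len, zero otherwise, computed without a branch.
 * Assumes len <= SIZE_MAX / 2 so the top bit carries the comparison. */
size_t index_mask(size_t idx, size_t len) {
    HIDE_FROM_OPTIMIZER(idx);
    size_t in_range = (~(idx | (len - 1 - idx))) >> (sizeof(size_t) * 8 - 1);
    return (size_t)0 - in_range;
}

/* Hardened form: the mask depends on the data, not on the branch outcome,
 * so even a mispredicted path indexes element 0 instead of out of bounds. */
int lookup_hardened(size_t idx, uint8_t *out) {
    if (idx < TABLE_LEN) {
        idx &= index_mask(idx, TABLE_LEN);
        *out = table[idx];
        return 1;
    }
    return 0;
}

int main(void) {
    uint8_t v = 0;
    printf("in range:     %d\n", lookup_hardened(3, &v));
    printf("out of range: %d\n", lookup_hardened(64, &v));
    return 0;
}
```

Both functions return the same architectural results; the difference only shows in the generated code, so inspect the disassembly to confirm the mask survived optimization.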