Spectre and Meltdown: When CPUs Leak Secrets by Guessing

For decades, processor designers chased speed by letting the CPU run ahead of itself — executing instructions before it was certain they were needed, then quietly throwing away the work if it guessed wrong. In January 2018, researchers showed that the discarded work leaves a fingerprint, and that fingerprint can be read. Spectre and Meltdown were not bugs in any one chip. They were consequences of how fast chips are built.

A modern CPU spends a surprising amount of its time waiting. Reading a value from main memory can cost hundreds of cycles — an eternity to a core that could have executed hundreds of instructions in the meantime. Rather than stall, the processor makes an educated guess about what comes next and starts working on it speculatively. If the guess holds, the results are committed and the wait was hidden. If not, the speculative results are rolled back as though they never happened.

Architecturally, that rollback is perfect: no register, no memory location, nothing a program can directly read reflects the discarded work. But the rollback is not complete. Speculative execution pulls data into the CPU's cache, and the cache is not reverted. A value that was touched speculatively is now faster to access than one that wasn't. That timing difference is a covert channel — and Spectre and Meltdown are two different ways to push a secret through it.