
AD2024: EnableSpectreMitigations

Summary

| Property | Value |
|---|---|
| ID | AD2024 |
| Name | EnableSpectreMitigations |
| Category | Security |
| Severity | Warning |
| Applies to | PE (Windows) with PDB files |

Description

Application code should be compiled with Spectre mitigations enabled. The /Qspectre compiler switch instructs the compiler to insert instructions that mitigate certain Spectre variant 1 vulnerabilities.

These mitigations help prevent attackers from using speculative execution side-channel attacks to leak sensitive data.

How It Works

The rule examines PDB compilation flags and command lines for the presence of /Qspectre. It also verifies that the compiler version supports Spectre mitigations (Visual Studio 2017 15.5.5+).

Why This Matters

Spectre exploits a fundamental property of modern CPU design—speculative execution—to leak sensitive data across security boundaries. Unlike traditional vulnerabilities that exist in software, Spectre is a hardware design flaw that requires software mitigations.

The Spectre Attack

Modern CPUs speculatively execute code before knowing if the execution path is correct:

// Vulnerable pattern
if (x < array1_size) {          // Bounds check
    y = array2[array1[x] * 256]; // Speculative access
}

Even when x >= array1_size, the CPU may:

  1. Speculatively execute the array access
  2. Load array1[x] (out of bounds!)
  3. Use that value to index into array2
  4. Change cache state in a way that reveals the secret value
  5. Roll back the speculative work, but the cache state is not rolled back

What Can Be Stolen

Spectre can leak any data accessible to the process:

| Data Type | Risk Level |
|---|---|
| Encryption keys | Critical |
| Passwords/tokens | Critical |
| Private keys | Critical |
| User data | High |
| Kernel memory | Critical (Variant 2) |

Real-World Impact

Spectre affected virtually every modern computer:

| Affected | Date Disclosed |
|---|---|
| Intel CPUs (2008+) | January 2018 |
| AMD CPUs | January 2018 |
| ARM processors | January 2018 |
| Cloud platforms | Major concern |
| Browsers | JavaScript exploits demonstrated |

How /Qspectre Mitigates

The /Qspectre flag inserts LFENCE instructions or conditional masking:

; Without /Qspectre
cmp rax, rcx
jge skip
mov rbx, [arr1 + rax]  ; Speculatively executed!

; With /Qspectre
cmp rax, rcx
jge skip
lfence                  ; Speculation barrier
mov rbx, [arr1 + rax]  ; Only executed if check passed
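The same Variant 1 pattern in C, with the barrier the compiler would emit written by hand, as an added example that is not part of the rule's documentation or the compiler's code: `lookup_unmitigated` is the page's vulnerable pattern, and `lookup_mitigated` adds the LFENCE after the bounds check (what /Qspectre does on x86) plus a branchless index mask for code built without the switch or for other targets. Names, the sample tables and the `index_mask_nospec` helper are constructed for this example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/* LFENCE is the x86 speculation barrier /Qspectre emits; on other ISAs fall
 * back to index masking alone. _mm_lfence() exists in both MSVC and GCC/Clang. */
#if defined(__x86_64__) || defined(__i386__) || defined(_M_X64) || defined(_M_IX86)
#include <immintrin.h>
#define SPECULATION_BARRIER() _mm_lfence()
#else
#define SPECULATION_BARRIER() ((void)0)
#endif

#define ARRAY1_SIZE 16
/* Constructed sample data: 16 "public" entries followed by bytes that an
 * out-of-bounds speculative read of array1 would reach. */
static const uint8_t array1[ARRAY1_SIZE + 8] = {
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16,
    0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF, 0x11, 0x22 };
static uint8_t array2[256 * 256];

static void init_array2(void) {   /* array2[v * 256] == v, so results are checkable */
    for (size_t i = 0; i < sizeof array2; i++) array2[i] = (uint8_t)(i / 256);
}

/* Unmitigated: the page's vulnerable pattern. The bounds check is a branch the
 * CPU can mispredict, so array1[x] may be read speculatively for x >= ARRAY1_SIZE. */
uint8_t lookup_unmitigated(size_t x) {
    if (x < ARRAY1_SIZE)
        return array2[array1[x] * 256];
    return 0;
}

/* Branchless mask: all ones when index < size, zero otherwise (size must stay
 * below SIZE_MAX/2). The volatile copy stops the optimizer folding the mask to
 * "always all ones" inside the guarded branch, where it knows index < size. */
size_t index_mask_nospec(size_t index, size_t size) {
    size_t out_of_range = (index | (size - 1 - index)) >> (sizeof(size_t) * CHAR_BIT - 1);
    volatile size_t mask = 0 - (out_of_range ^ 1);
    return mask;
}

/* Mitigated: barrier after the check (as /Qspectre emits) plus index masking.
 * Results are identical to the unmitigated version for every x. */
uint8_t lookup_mitigated(size_t x) {
    if (x < ARRAY1_SIZE) {
        SPECULATION_BARRIER();
        size_t safe_x = x & index_mask_nospec(x, ARRAY1_SIZE);
        return array2[array1[safe_x] * 256];
    }
    return 0;
}

/* Returns 1 when both versions agree on every index, in and out of range. */
int mitigation_preserves_semantics(void) {
    init_array2();
    for (size_t x = 0; x < 2 * ARRAY1_SIZE; x++)
        if (lookup_mitigated(x) != lookup_unmitigated(x)) return 0;
    return lookup_mitigated(SIZE_MAX) == 0;
}
```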

Performance Considerations

/Qspectre adds overhead that varies by workload:

| Workload | Typical Overhead |
|---|---|
| Compute-bound | 1-5% |
| Array-heavy | 5-15% |
| Worst case | Up to 25% |

For security-critical code, this overhead is acceptable. For non-sensitive code, the trade-off should be evaluated.

When Spectre Mitigations Are Critical

Must have:

  • Cryptographic code handling keys
  • Authentication/authorization code
  • Multi-tenant environments (cloud)
  • Code processing secrets
  • Kernel/hypervisor code

Lower priority:

  • Non-sensitive batch processing
  • Air-gapped systems
  • Code without secret data

Spectre Variants

| Variant | Name | Mitigation |
|---|---|---|
| V1 | Bounds Check Bypass | /Qspectre |
| V2 | Branch Target Injection | Retpoline, microcode |
| V4 | Speculative Store Bypass | SSBD |

/Qspectre specifically addresses Variant 1.

Resolution

Enable Qspectre

Compiler flag:

cl.exe /Qspectre ...

Project Properties

  1. Open Project Properties
  2. Navigate to C/C++ → Code Generation
  3. Set "Spectre Mitigation" to "Enabled (/Qspectre)"

CMake

# MSVC_VERSION 1912 covers all of VS 2017 15.5, including 15.5.0-15.5.4, which
# lack /Qspectre; compare the full compiler version against 19.12.25830 instead.
if(MSVC AND CMAKE_CXX_COMPILER_VERSION VERSION_GREATER_EQUAL 19.12.25830)
    add_compile_options(/Qspectre)
endif()

Install Spectre-Mitigated Libraries

Visual Studio provides Spectre-mitigated CRT libraries:

  1. Open Visual Studio Installer
  2. Modify your installation
  3. Individual Components → Search "Spectre"
  4. Install "MSVC v143 - VS 2022 C++ x64/x86 Spectre-mitigated libs"

Ensure you're using Spectre-mitigated runtime:

# Use spectre-mitigated libraries
cl.exe /Qspectre /MT ...  # Static CRT
cl.exe /Qspectre /MD ...  # Dynamic CRT

When to Suppress

This rule may be suppressed for:

  • Performance-critical code: After risk assessment (mitigations add ~5% overhead)
  • Non-sensitive code: Code that doesn't handle secrets
  • Older compilers: VS 2017 15.5.4 and earlier don't support /Qspectre
  • Air-gapped systems: No network exposure

Caveats

  • Requires Visual Studio 2017 15.5.5 or later
  • Spectre-mitigated libraries must be installed separately
  • Some performance overhead (~5%)
  • Only mitigates Spectre variant 1, not all speculative execution attacks

Minimum Compiler Versions

| Visual Studio | MSVC Version | /Qspectre Support |
|---|---|---|
| VS 2017 15.5.5+ | 19.12.25830+ | ✅ Yes |
| VS 2017 15.0-15.5.4 | 19.10-19.12 | ❌ No |
| VS 2015 | 19.00 | ❌ No |

References