Skip to content

AD5027: EnableSpeculativeLoadHardeningMachO

Summary

Property Value
ID AD5027
Name EnableSpeculativeLoadHardeningMachO
Category Security
Severity Warning
Applies to Mach-O (macOS, iOS)

Description

Mach-O binaries handling sensitive data should consider enabling Speculative Load Hardening (SLH) to mitigate Spectre-style attacks.

How It Works

The rule checks for SLH indicators:

  1. Speculative load hardening instructions
  2. LLVM SLH metadata
  3. Hardened conditional moves

Why This Matters

Spectre attacks can leak sensitive data through speculative execution side channels. SLH provides software-based mitigation.

Spectre Attack Overview

Speculative execution:
  if (x < array_len) {
    y = array[x];      // Speculatively executed
    z = probe[y * 4096]; // Leaks y through cache
  }

Even if x >= array_len, speculative execution
may access array[x] and leak its value

How SLH Works

SLH transforms code to:
1. Compute a "predicate state" from conditions
2. Mask all loads with the predicate
3. Wrong path → masks load addresses
4. No useful speculation on wrong path

Performance Impact

Workload Overhead
Typical 10-50%
Crypto 15-30%
Parsing 20-40%

SLH has significant overhead - use only for sensitive code.

When to Use SLH

Scenario Recommendation
Crypto libraries Yes
Authentication Yes
General code Usually no
Performance-critical Consider alternatives

Resolution

Enable SLH for sensitive code:

clang -mspeculative-load-hardening program.c

Selective Hardening

// Only harden sensitive functions
__attribute__((speculative_load_hardening))
void process_secret(const char* key) {
    // Hardened
}

void normal_function() {
    // Not hardened
}