interactive explainer · speculative load · cache lines · timing side channels — educational only · no exploit · runs locally
disclaimer
this page does not run gadget code, flush caches, or read cross-origin memory. it only animates the mechanism researchers called Spectre-variant 1: a bounds check hoisted behind a mispredicted branch.
playback
pipeline
- Train branch predictor on pattern true/false
- Speculative load from array[x] before bounds check retires
- Victim cache line pulled into attacker-set probe array
- Evict + reload probe timings leak the secret bit
mitigations: site isolation, reduced timers, branchless access helpers in compilers, retpolines on branches