kocher_analysis.txt

01: we pass
02: we pass
03: we pass
04: this really does leak secret information (off the end of array1) without
    speculative execution, that is, even obeying the bounds check.
05: we pass
06: we pass
07: we pass
08: this uses a ternary which compiles to a cmov. We don't speculate on cmovs,
    they are secure. So this really should be no violation detected.
09: this really does leak secret information without speculative execution,
    that is, even obeying the bounds check, because the attacker controls the
    bounds check.
10: we pass
11gcc: unlike the '11ker' and '11sub' variants, the '11gcc' variant of
    'mymemcmp' includes a branch on values in the arrays, one of which is
    uninitialized in this test case (even without speculative execution).
    So, even without speculative execution, we branch on 'secret' data
    (specifically, the contents of `array2`). Arguably we should consider the
    contents of `array2` to be public for this test, in which case we will pass
    this test case
11ker: we pass
11sub: we pass
12: we pass
13: we pass
14: Like 04, this really does leak secret information (off the end of array1)
    without speculative execution, that is, even obeying the bounds check.
15: This really does leak secret information (namely, the value at `*x` for
    any `x` the attacker passes into the function) even without speculative
    execution. For instance, the attacker can easily observe whether the
    bounds check passes or fails, which leaks information about the value of
    `*x`. Further information about `*x` may be leaked as it is incorporated
    into the address calculation later on, if the bounds check passes.