ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question
During an architecture review of a multi-tenant IaaS platform running on commodity x86-64 servers, you are asked to recommend a control that will most effectively reduce the risk that Spectre/Meltdown-style speculative execution attacks could allow one tenant to read privileged or cross-VM memory pages. Which host-level requirement should you specify?
Compile all guest workloads with retpoline to eliminate indirect branch speculation.
Enable simultaneous multithreading (hyper-threading) and pin each virtual CPU to a dedicated hardware core.
Strengthen address space layout randomization (ASLR) and stack canaries in all guest images.
Require Kernel Page-Table Isolation (KPTI) to separate user and kernel page tables on both host and guest operating systems.
Kernel Page-Table Isolation (KPTI) forces the processor to keep separate page tables for user-mode and kernel-mode addresses. Because speculative execution can no longer access kernel mappings that have been removed from user space, attacks like Meltdown, and many cross-VM data-exfiltration techniques that rely on reading privileged memory during speculation, are largely neutralized. Retpoline only hardens indirect branches against Spectre variant 2 and does not stop Meltdown. ASLR and stack canaries help against traditional memory-safety exploits but do not block speculative reads of privileged pages. Enabling simultaneous multithreading (hyper-threading) can actually increase side-channel exposure rather than mitigate it.
Secure Software Architecture and Design