> This is thought to be entirely secure against the Meltdown and Spectre CPU vulnerabilities, which require speculative execution on branch instructions.
> The mov-only DOOM renders approximately one frame every 7 hours, so playing this version requires somewhat increased patience.
I can imagine some timing-specific attacks for memory accesses, but they're not likely as robust as attacks against the branch-predictor:
1. This is the simplest one - if the memory being accessed is in a cache (L1/L2, or page in TLB), the function will take a significantly shorter time to execute. If movfuscator achieves conditional execution by manipulating index registers to perform idempotent operations, this will be very easy to detect.
2. Prefetching - if movfuscator reads memory sequentially with a detectable stride, prefetching will shorten the execution time.
3. Write combining - if the code writes to nearby addresses (same cache line), the CPU will combine them to a single write. This will cause a measurable timing difference.
EDIT: One more: Store forwarding - if the code writes to a memory address and reads it soon, the CPU may bypass the memory access (and even cache access) completely.
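A toy cache model of point 1 in the list above, as an added example that is not part of the original thread and is not movfuscator's code. It assumes conditional execution is done by picking the store address from a two-entry table (real target or scratch); the addresses, cache geometry and function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LINE_BITS 6   /* 64-byte cache lines */
#define SETS 64       /* direct-mapped toy cache with 64 sets */

typedef struct { uint64_t tag[SETS]; int valid[SETS]; } cache_t;

#define REAL_TARGET 0x10000u  /* constructed address, maps to set 0 */
#define SCRATCH     0x20040u  /* constructed address, maps to set 1 */

/* Returns 1 on a hit, 0 on a miss; a miss fills the line. */
static int cache_access(cache_t *c, uint64_t addr) {
    uint64_t line = addr >> LINE_BITS;
    unsigned set = (unsigned)(line % SETS);
    if (c->valid[set] && c->tag[set] == line) return 1;
    c->valid[set] = 1;
    c->tag[set] = line;
    return 0;
}

/* Branchless "if (cond) *target = v": the store always executes, but
   cond indexes a pointer table, so the address touched depends on cond. */
static uint64_t select_store_addr(int cond) {
    static const uint64_t sel[2] = { SCRATCH, REAL_TARGET };
    return sel[cond & 1];
}

/* Conditional store on a cold cache, then a later access to the real
   target. Returns 1 if that access hits (fast), 0 if it misses (slow). */
int probe_after_store(int cond) {
    cache_t c;
    memset(&c, 0, sizeof c);
    cache_access(&c, select_store_addr(cond));
    return cache_access(&c, REAL_TARGET);
}

/* Balanced variant: touch both candidate lines whatever cond is, so the
   cache state left behind no longer depends on the condition. */
int probe_after_balanced_store(int cond) {
    cache_t c;
    memset(&c, 0, sizeof c);
    cache_access(&c, select_store_addr(cond));
    cache_access(&c, select_store_addr(cond ^ 1));
    return cache_access(&c, REAL_TARGET);
}

int main(void) {
    for (int cond = 0; cond < 2; cond++)
        printf("cond=%d plain=%d balanced=%d\n", cond,
               probe_after_store(cond), probe_after_balanced_store(cond));
    return 0;
}
```

The model only tracks which lines are resident; it does not measure a real CPU, where prefetching, write combining and store forwarding would add further effects.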
This is a defense against Spectre-type attacks, but this cannot be a "good" defense because it sacrifices too much. The programs written this way are assuredly quite slow.