Compiling techniques for hardening software programs against branching programming exploits
US-10635823-B2 · Apr 28, 2020 · US
US10878085B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10878085-B2 |
| Application number | US-201816004180-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jun 8, 2018 |
| Priority date | Feb 6, 2018 |
| Publication date | Dec 29, 2020 |
| Grant date | Dec 29, 2020 |
Official abstract text for this publication.
In accordance with embodiments of the present disclosure, a compiler can compile source code to produce binary code that includes address shifting code inserted with memory operations. The address shifting code can shift addresses of memory operations that access locations in the kernel address space into address locations in the user space, thus avoiding speculative access into the kernel address space.
Opening claim text (preview).
The invention claimed is:

1. A method for generating computer executable machine instructions, the method comprising: receiving source code representative of a program expressed in a programming language different from the computer executable machine instructions; scanning the source code to generate a plurality of tokens; generating intermediate code from the plurality of tokens; and generating the computer executable machine instructions from the intermediate code, including: identifying a plurality of memory operations; and for each memory operation in the plurality of memory operations, inserting address shifting code prior in sequence to that memory operation, wherein, for each memory operation in the plurality of memory operations, the address shifting code masks out a range of addresses that belong to a kernel address space in a virtual address space of the computer executable machine instructions to prevent access to a kernel address space in a virtual address space of the computer executable machine instructions by that memory operation.

2. The method of claim 1, further comprising generating a digital signature that is derived from the computer executable machine instructions and combining the digital signature with the computer executable machine instructions to produce an executable application.

3. The method of claim 2, further comprising executing the executable application, including: using PTI-disabled process page tables when the digital signature is authentic; using PTI-enabled process page tables when the digital signature is not authentic; and when switching from user mode to kernel mode during execution of the executable application, performing a context switch only when the executable application is using PTI-enabled process page tables.

4. The method of claim 1, further comprising, for each memory operation in the plurality of memory operations, inserting the address shifting code immediately prior in sequence to that memory operation.

5. The method of claim 1, wherein the memory operations are identified in the intermediate code.

6. The method of claim 1, wherein the memory operations are identified in the computer executable machine instructions.

7. A non-transitory computer-readable storage medium having stored thereon computer executable instructions, which when executed by a computer device, cause the computer device to: receive source code representative of a program expressed in a programming language different from the computer executable machine instructions; scan the source code to generate a plurality of tokens; generate intermediate code from the plurality of tokens; and generate the computer executable machine instructions from the intermediate code, including: identify a plurality of memory; and for each memory operation in the plurality of memory operations, insert address shifting code prior in sequence to that memory operation, wherein, for each memory operation in the plurality of memory operations, the address shifting code masks out a range of addresses that belong to a kernel address space in a virtual address space of the computer executable machine instructions to prevent access to a kernel address space in a virtual address space of the computer executable machine instructions by that memory operation.

8. The non-transitory computer-readable storage medium of claim 7, wherein the computer executable instructions, which when executed by the computer device, further cause the computer device to generate a digital signature that is derived from the computer executable machine instructions and combine the digital signature with the computer executable machine instructions to produce an executable application.

9. The non-transitory computer-readable storage medium of claim 7, wherein the computer executable instructions, which when executed by the computer device, further cause the computer device to execute the executable application, including: defining a virtual address space for the executable application using PTI-disabled process page tables that map an entire kernel address space of an operating system when the digital signature is authentic; and defining a virtual address space for the executable application using PTI-enabled process page tables that map at most only a portion of the kernel address space of the operating system when the digital signature is not authentic, wherein accessing the kernel address space during execution of the executable application includes performing a context switch when the digital signature is not authentic and does not include performing a context switch when the digital signature is authentic.

10. The non-transitory computer-readable storage medium of claim 7, wherein the computer executable instructions, which when executed by the computer device, further cause the computer device to insert, for each memory operation in the plurality of memory operations, the address shifting code immediately prior in sequence to that memory operation.

11. The non-transitory computer-readable storage medium of claim 7, wherein the memory operations are identified in the intermediate code.

12. The non-transitory computer-readable storage medium of claim 7, wherein the memory operations are identified in the computer executable machine instructions.

13. An apparatus comprising: one or more computer processors; and a computer-readable storage medium comprising instructions for controlling the one or more computer processors to be operable to: receive source code representative of a program expressed in a programming language different from the computer executable machine instructions; scan the source code to generate a plurality of tokens; generate intermediate code from the plurality of tokens; and generate the computer executable machine instructions from the intermediate code, including: identify a plurality of memory operations; and for each memory operation in the plurality of memory operations, insert address shifting code prior in sequence to that memory operation, wherein, for each memory operation in the plurality of memory operations, the address shifting code masks out a range of addresses that belong to a kernel address space in a virtual address space of the computer executable machine instructions to prevent access to a kernel address space in a virtual address space of the computer executable machine instructions by that memory operation.

14. The apparatus of claim 13, wherein the computer-readable storage medium further comprises instructions for controlling the one or more computer processors to be operable to generate a digital signature that is derived from the computer executable machine instructions and combine the digital signature with the computer executable machine instructions to produce an executable application.

15. The apparatus of claim 13, wherein the computer-readable storage medium further comprises instructions for controlling the one or more computer processors to be operable to execute the executable application, including: defining a virtual address space for the executable application using PTI-disabled process page tables that map an entire kernel address space of an operating system when the digital signature is authentic; and defining a virtual address space for the executable application using PTI-enabled process page tables that map at most only a portion of the kernel address space of the operating system when the digital signature is not authentic, wherein accessing the kernel address space during execution of the executable application includes performing a context
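The abstract and claims describe the transformation but show no code. The following is an added example, not code from the patent or its assignee. It models claims 1, 4 and 5 as a pass over a toy intermediate representation: every load or store gets an AND with a user-space mask inserted immediately before it, and a small interpreter records whether any memory operation's effective address landed in the kernel half. The IR and its opcodes, the x86-64-style split in which every kernel address has bit 47 set, `USER_SPACE_MASK`, and the functions `insert_address_shifting`, `run`, `run_demo` and `demo_pass_length` are all assumptions of this example. The signature-gated PTI policy of claims 3, 9 and 15 is not modeled.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Toy three-address IR standing in for the compiler's intermediate code
 * (assumed for this example; the patent does not specify an IR).
 *   MOV_IMM  dst <- imm
 *   ADD      dst <- dst + src
 *   AND_IMM  dst <- src & imm
 *   LOAD     dst <- mem[src]
 *   STORE    mem[dst] <- src
 */
typedef enum { OP_MOV_IMM, OP_ADD, OP_AND_IMM, OP_LOAD, OP_STORE } Opcode;
typedef struct { Opcode op; int dst; int src; uint64_t imm; } Insn;

#define NUM_REGS 8

/* Assumed address split (not stated in the patent): a 48-bit canonical
 * x86-64 layout where every kernel address has bit 47 set. Clearing
 * bits 47..63 forces any address, speculated or not, into the user half. */
#define USER_SPACE_MASK UINT64_C(0x00007FFFFFFFFFFF)

uint64_t shift_to_user_space(uint64_t addr) { return addr & USER_SPACE_MASK; }
int is_kernel_address(uint64_t addr) { return (addr & ~USER_SPACE_MASK) != 0; }

/* The pass: walk the IR and, immediately before every LOAD/STORE, emit an
 * AND_IMM on the register holding the address (claims 1, 4, 5).
 * Returns the new length, or -1 if the output buffer is too small. */
int insert_address_shifting(const Insn *in, int n, Insn *out, int cap) {
    int k = 0;
    for (int i = 0; i < n; i++) {
        int is_mem = (in[i].op == OP_LOAD || in[i].op == OP_STORE);
        if (k + 1 + is_mem > cap) return -1;
        if (is_mem) {
            int addr_reg = (in[i].op == OP_LOAD) ? in[i].src : in[i].dst;
            out[k++] = (Insn){ OP_AND_IMM, addr_reg, addr_reg, USER_SPACE_MASK };
        }
        out[k++] = in[i];
    }
    return k;
}

/* Minimal machine: no real memory is modeled, only whether a memory
 * operation's effective address fell into the kernel half. */
typedef struct { uint64_t regs[NUM_REGS]; int kernel_accesses; uint64_t last_addr; } Machine;

void run(Machine *m, const Insn *prog, int n) {
    for (int i = 0; i < n; i++) {
        const Insn *x = &prog[i];
        switch (x->op) {
        case OP_MOV_IMM: m->regs[x->dst] = x->imm; break;
        case OP_ADD:     m->regs[x->dst] += m->regs[x->src]; break;
        case OP_AND_IMM: m->regs[x->dst] = m->regs[x->src] & x->imm; break;
        case OP_LOAD:
        case OP_STORE: {
            uint64_t addr = (x->op == OP_LOAD) ? m->regs[x->src] : m->regs[x->dst];
            m->last_addr = addr;
            if (is_kernel_address(addr)) m->kernel_accesses++;
            else if (x->op == OP_LOAD) m->regs[x->dst] = addr & 0xff; /* stand-in data */
            break;
        }
        }
    }
}

/* Constructed program: a user-space base pointer plus an untrusted offset
 * large enough to push the effective address into the kernel half, i.e. the
 * access the abstract wants to keep out of kernel memory. Runs it with the
 * pass applied (harden != 0) or as written (harden == 0). */
Machine run_demo(int harden) {
    const Insn src[] = {
        { OP_MOV_IMM, 0, 0, UINT64_C(0x00007F0000001000) }, /* r0 = user buffer */
        { OP_MOV_IMM, 1, 0, UINT64_C(0xFFFF088000000000) }, /* r1 = untrusted offset */
        { OP_ADD,     0, 1, 0 },                             /* r0 = base + offset */
        { OP_LOAD,    2, 0, 0 },                             /* r2 = mem[r0] */
    };
    Insn out[16];
    const Insn *prog = src;
    int n = 4;
    if (harden) { n = insert_address_shifting(src, 4, out, 16); prog = out; }
    Machine m = {0};
    run(&m, prog, n);
    return m;
}

/* Instruction count after the pass on a two-instruction program with one
 * load: one AND_IMM is inserted, so the result is 3. */
int demo_pass_length(void) {
    const Insn p[] = { { OP_MOV_IMM, 0, 0, 1 }, { OP_LOAD, 1, 0, 0 } };
    Insn o[8];
    return insert_address_shifting(p, 2, o, 8);
}

int main(void) {
    Machine plain = run_demo(0), hardened = run_demo(1);
    printf("unhardened: addr=0x%016llx kernel_accesses=%d\n",
           (unsigned long long)plain.last_addr, plain.kernel_accesses);
    printf("hardened:   addr=0x%016llx kernel_accesses=%d\n",
           (unsigned long long)hardened.last_addr, hardened.kernel_accesses);
    return 0;
}
```

Two practical caveats follow from the claims. First, the mask must match the real kernel range of the target (this example's bit-47 split is only one layout), and the AND has to stay adjacent to the memory operation so neither the optimizer nor the hardware can reorder the access ahead of it, which is why claim 4 says "immediately prior". Second, the pass only covers code this compiler emits; libraries, JIT output and inline assembly that perform their own loads are outside its reach.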
CPC classification titles:

- during program execution, e.g. stack integrity {; Preventing unwanted data erasure; Buffer overflow}
- Test or assess a computer or a system
- Saving or restoring of program or task context
- Virtual address space management
- for a range