SoK: Practical Foundations for Software Spectre Defenses

Spectre vulnerabilities violate our fundamental assumptions about architectural abstractions, allowing attackers to steal sensitive data despite previously state-of-the-art countermeasures. To defend against Spectre, developers of verification tools and compiler-based mitigations are forced to reason about microarchitectural details such as speculative execution. To help developers address these attacks in a principled way, the research community has sought formal foundations for speculative execution upon which to rebuild provable security guarantees. This paper systematizes the community’s current knowledge about software verification and mitigation for Spectre. We study state-of-the-art software defenses, both with and without associated formal models, and use a cohesive framework to compare the security properties each defense provides. We explore a wide variety of tradeoffs in the expressiveness of formal frameworks, the complexity of defense tools, and the resulting security guarantees. As a result of our analysis, we suggest practical choices for developers of analysis and mitigation tools, and we identify several open problems in this area to guide future work on grounded software defenses.
