Efficient Information-Flow Verification Under Speculative Execution

We study the formal verification of information-flow properties in the presence of speculative execution and side-channels. First, we present a formal model of speculative execution semantics. This model can be parameterized by the depth of speculative execution and is amenable to a range of verification techniques. Second, we introduce a novel notion of information leakage under speculation, which is parameterized by the information that is available to an attacker through side-channels. Finally, we present one verification technique that uses our formalism and can be used to detect information leaks under speculation through cache side-channels, and can decide whether these are only possible under speculative execution. We implemented an instance of this verification technique that combines taint analysis and safety model checking. We evaluated this approach on a range of examples that have been proposed as benchmarks for mitigations of the Spectre vulnerability, and show that our approach correctly identifies all information leaks.

[1]  Christian Rossow,et al.  ret2spec: Speculative Execution Using Return Stack Buffers , 2018, CCS.

[2]  Stephan Merz,et al.  Model Checking , 2000 .

[3]  Sharad Malik,et al.  Lazy Self-composition for Security Verification , 2018, CAV.

[4]  Miroslav N. Velev,et al.  Formal Verification of VLIW Microprocessors with Speculative Execution , 2000, CAV.

[5]  Michael Hamburg,et al.  Spectre Attacks: Exploiting Speculative Execution , 2018, 2019 IEEE Symposium on Security and Privacy (SP).

[6]  Marco Pistoia,et al.  Interprocedural Analysis for Privileged Code Placement and Tainted Variable Detection , 2005, ECOOP.

[7]  Ranjit Jhala,et al.  Microarchitecture Verification by Compositional Model Checking , 2001, CAV.

[8]  Peter J. Denning,et al.  Certification of programs for secure information flow , 1977, CACM.

[9]  Marco Guarnieri,et al.  Spectector: Principled Detection of Speculative Information Flows , 2018, 2020 IEEE Symposium on Security and Privacy (SP).

[10]  Dean M. Tullsen,et al.  Context-Sensitive Fencing: Securing Speculative Execution via Microcode Customization , 2019, ASPLOS.

[11]  Tulika Mitra,et al.  oo7: Low-overhead Defense against Spectre Attacks via Binary Analysis , 2018, ArXiv.

[12]  Jorge A. Navas,et al.  The SeaHorn Verification Framework , 2015, CAV.

[13]  Amir Pnueli,et al.  A Comparison of Two Verification Methods for Speculative Instruction Execution , 2000, TACAS.

[14]  Frank Piessens,et al.  A Systematic Evaluation of Transient Execution Attacks and Defenses , 2018, USENIX Security Symposium.

[15]  Pedro R. D'Argenio,et al.  Secure information flow by self-composition , 2004, Proceedings. 17th IEEE Computer Security Foundations Workshop, 2004..

[16]  Pedro R. D'Argenio,et al.  Secure information flow by self-composition , 2004, Proceedings. 17th IEEE Computer Security Foundations Workshop, 2004..

[17]  Alexander Aiken,et al.  Secure Information Flow as a Safety Problem , 2005, SAS.

[18]  Fernando Magno Quintão Pereira,et al.  Sparse representation of implicit flows with applications to side-channel detection , 2016, CC.

[19]  Bernd Finkbeiner,et al.  Temporal Logics for Hyperproperties , 2013, POST.

[20]  Johan Agat,et al.  Transforming out timing leaks , 2000, POPL '00.

[21]  Jun Sawada,et al.  Processor Verification with Precise Exeptions and Speculative Execution , 1998, CAV.

[22]  Edmund M. Clarke,et al.  Model Checking , 1999, Handbook of Automated Reasoning.

[23]  Julian Stecklina,et al.  LazyFP: Leaking FPU Register State using Microarchitectural Side-Channels , 2018, ArXiv.

[24]  Ganesh Gopalakrishnan,et al.  Verifying Advanced Microarchitectures that Support Speculation and Exceptions , 2000, CAV.

[25]  Babak Falsafi,et al.  SMoTherSpectre: Exploiting Speculative Execution through Port Contention , 2019, CCS.

[26]  Manuel Barbosa,et al.  Formal verification of side-channel countermeasures using self-composition , 2013, Sci. Comput. Program..

[27]  Guanhua Wang,et al.  oo7: Low-overhead Defense against Spectre Attacks via Program Analysis , 2018 .

[28]  Gérard Boudol,et al.  A Theory of Speculative Computation , 2010, ESOP.

[29]  Gregor Snelting,et al.  Flow-sensitive, context-sensitive, and object-sensitive information flow control based on program dependence graphs , 2009, International Journal of Information Security.

[30]  Gilles Barthe,et al.  Verifying Constant-Time Implementations , 2016, USENIX Security Symposium.

[31]  Shuvendu K. Lahiri,et al.  Deductive Verification of Advanced Out-of-Order Microprocessors , 2003, CAV.

[32]  Carl A. Waldspurger,et al.  Speculative Buffer Overflows: Attacks and Defenses , 2018, ArXiv.