More Web Proxy on the site http://driver.im/

research-article

Public Access

Speculator: a tool to analyze speculative execution attacks and mitigations

Authors:

Andrea Mambretti,

Matthias Neugschwandtner,

Alessandro Sorniotti,

William Robertson,

Anil KurmusAuthors Info & Claims

ACSAC '19: Proceedings of the 35th Annual Computer Security Applications Conference

Pages 747 - 761

https://doi.org/10.1145/3359789.3359837

Published: 09 December 2019 Publication History

Abstract

Speculative execution attacks exploit vulnerabilities at a CPU's microarchitectural level, which, until recently, remained hidden below the instruction set architecture, largely undocumented by CPU vendors. New speculative execution attacks are released on a monthly basis, showing how aspects of the so-far unexplored microarchitectural attack surface can be exploited. In this paper, we introduce, Speculator, a new tool to investigate these new microarchitectural attacks and their mitigations, which aims to be the GDB of speculative execution. Using speculative execution markers, set of instructions that we found are observable through performance counters during CPU speculation, Speculator can study microarchitectural behavior of single snippets of code, or more complex attacker and victim scenarios (e.g. Branch Target Injection (BTI) attacks). We also present our findings on multiple CPU platforms showing the precision and the flexibility offered by Speculator and its templates.

References

[1]

2009. Performance Analysis Guide for Intel Core i7 Processor and Intel Xeon Processors. https://software.intel.com/sites/products/collateral/hpc/vtune/performance_analysis_guide.pdf.

[2]

2017. Preliminary Processor Programming Reference (PPR) for AMD Family 17h Models 00h-0Fh Processors. http://support.amd.com/TechDocs/54945_PPR_Family_17h_Models_00h-0Fh.pdf.

[3]

2018. Analysis and mitigation of speculative store bypass. https://blogs.technet.microsoft.com/srd/2018/05/21/analysis-and-mitigation-of-speculative-store-bypass-cve-2018-3639/.

[4]

2018. Intel Architectures Optimization Reference Manual. https://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-optimization-manual.pdf.

[5]

2018. Intel Software Developer Manual. https://software.intel.com/en-us/articles/intel-sdm.

[6]

2018. JIT mitigations for Spectre. https://github.com/Microsoft/ChakraCore/commit/08b82b8d33e9b36c0d6628b856f280234c87ba13.

[7]

2018. NetSpectre: Read Arbitrary Memory over Network. https://misc0110.net/web/files/netspectre.pdf.

[8]

2018. Rogue System Register Read. https://software.intel.com/security-software-guidance/software-guidance/rogue-system-register-read.

[9]

2018. SPECULATIVE STORE BYPASS DISABLE.

[10]

AMD. 2017. Software Optimization Guide for AMD Family 17th Processors. https://developer.amd.com/wordpress/media/2013/12/55723_SOG_Fam_17h_Processors_3.00.pdf.

[11]

Nathan Binkert, Bradford Beckmann, Gabriel Black, Steven K. Reinhardt, Ali Saidi, Arkaprava Basu, Joel Hestness, Derek R. Hower, Tushar Krishna, Somayeh Sardashti, Rathijit Sen, Korey Sewell, Muhammad Shoaib, Nilay Vaish, Mark D. Hill, and David A. Wood. 2011. The Gem5 Simulator. SIGARCH Computer Architecture News 39, 2 (Aug. 2011).

Digital Library

[12]

Mathias Bynens. 2018. V8 Untrusted code mitigations. https://github.com/v8/v8/wiki/Untrusted-code-mitigations.

[13]

Chandler Carruth. 2018. Speculative Load Hardening. https://lists.llvm.org/pipermail/llvm-dev/2018-March/122085.html.

[14]

Jonathan Corbet. 2017. KAISER: hiding the kernel from user space. https://lwn.net/Articles/738975/.

[15]

Arnaldo Carvalho de Melo. 2010. The New Linux 'perf' tools. http://www.linux-kongress.org/2010/slides/lk2010-perf-acme.pdf.

[16]

Craig Disselkoen, David Kohlbrenner, Leo Porter, and Dean Tullsen. 2017. Prime+Abort: A Timer-Free High-Precision L3 Cache Attack using Intel TSX. In 26th USENIX Security Symposium (USENIX Security 17). USENIX Association, Vancouver, BC, 51--67. https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/disselkoen

Digital Library

[17]

Stephane Eranian. 2006. Perfmon2: a flexible performance monitoring interface for Linux. In Proc. of the 2006 Ottawa Linux Symposium. 269--288.

[18]

Agner Fog. 2017. Test results for AMD Ryzen. https://www.agner.org/optimize/blog/read.php?i=838&v=t.

[19]

Agner Fog. 2018. The microarchitecture of Intel, AMD and VIA CPUs: An optimization guide for assembly programmers and compiler makers. https://www.agner.org/optimize/microarchitecture.pdf.

[20]

Ben Gras, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida. 2018. Translation Leak-aside Buffer: Defeating Cache Side-channel Protections with TLB Attacks. In USENIX Security Symposium.

[21]

Richard Grisenthwaite. 2018. Cache Speculation Side-channels. https://developer.arm.com/-/media/Files/pdf/Cache_Speculation_Side-channels.pdf.

[22]

Daniel Gruss, Clémentine Maurice, Klaus Wagner, and Stefan Mangard. 2016. Flush+Flush: A Fast and Stealthy Cache Attack. In Detection of Intrusions and Malware, and Vulnerability Assessment, Juan Caballero, Urko Zurutuza, and Ricardo J. Rodríguez (Eds.). Springer International Publishing, Cham, 279--299.

[23]

Jann Horn. 2018. Spectre v4. https://bugs.chromium.org/p/project-zero/issues/detail?id=1528.

[24]

Intel. 2018. Analysis of Speculative Execution Side Channels. https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/Intel-Analysis-of-Speculative-Execution-Side-Channels.pdf.

[25]

Intel. 2018. Deep Dive: Indirect Branch Predictor Barrier. https://software.intel.com/security-software-guidance/insights/deep-dive-indirect-branch-predictor-barrier.

[26]

Intel. 2018. Deep Dive: Indirect Branch Restricted Speculation. https://software.intel.com/security-software-guidance/insights/deep-dive-indirect-branch-restricted-speculation.

[27]

Intel. 2018. Deep Dive: Single Thread Indirect Branch Predictors. https://software.intel.com/security-software-guidance/insights/deep-dive-single-thread-indirect-branch-predictors.

[28]

Khaled N. Khasawneh, Esmaeil Mohammadian Koruyeh, Chengyu Song, Dmitry Evtyushkin, Dmitry Ponomarev, and Nael B. Abu-Ghazaleh. 2018. SafeSpec: Banishing the Spectre of a Meltdown with Leakage-Free Speculation. CoRR (2018). http://arxiv.org/abs/1806.05179

[29]

Vladimir Kiriansky and Carl Waldspurger. 2018. Speculative Buffer Overflows: Attacks and Defenses. https://people.csail.mit.edu/vlk/spectre11.pdf.

[30]

Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, and Yuval Yarom. 2019. Spectre Attacks: Exploiting Speculative Execution. In IEEE Symposium on Security and Privacy.

[31]

Esmaeil Mohammadian Koruyeh, Khaled N. Khasawneh, Chengyu Song, and Nael B. Abu-Ghazaleh. 2018. Spectre Returns! Speculation Attacks using the Return Stack Buffer. CoRR (2018). http://arxiv.org/abs/1807.07940

[32]

Butler W. Lampson. 2008. Lazy and Speculative Execution in Computer Systems. In ACM SIGPLAN Conference on Functional Programming.

[33]

John Levon. 2002. Oprofile. http://oprofile.sourceforge.net.

[34]

Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Anders Fogh, Jann Horn, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, and Mike Hamburg. 2018. Meltdown: Reading Kernel Memory from User Space. In USENIX Security Symposium.

Digital Library

[35]

Jason Lowe-Power, Venkatesh Akella, Matthew K. Farrens, Samuel T. King, and Christopher J. Nitta. 2018. Position Paper: A Case for Exposing Extra-architectural State in the ISA. In Proceedings of the 7th International Workshop on Hardware and Architectural Support for Security and Privacy.

[36]

Giorgi Maisuradze and Christian Rossow. 2018. Ret2Spec: Speculative Execution Using Return Stack Buffers. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (CCS '18). ACM, New York, NY, USA, 2109--2122.

Digital Library

[37]

Andrea Mambretti, Alexandra Sandulescu, Matthias Neugschwandtner, Alessandro Sorniotti, and Anil Kurmus. 2019. Two methods for exploiting speculative control flow hijacks. In 13th USENIX Workshop on Offensive Technologies (WOOT 19). USENIX Association, Santa Clara, CA. https://www.usenix.org/conference/woot19/presentation/mambretti

[38]

Oleksii Oleksenko, Bohdan Trach, Tobias Reiher, Mark Silberstein, and Christof Fetzer. 2018. You Shall Not Bypass: Employing data dependencies to prevent Bounds Check Bypass. CoRR (2018). http://arxiv.org/abs/1805.08506

[39]

Andrew Pardoe. 2018. Spectre mitigations in MSVC. https://blogs.msdn.microsoft.com/vcblog/2018/01/15/spectre-mitigations-in-msvc/.

[40]

Mikael Pettersson. 2006. PerfCtr. http://user.it.uu.se/~mikpe/linux/perfctr/.

[41]

Sundaram Ramakesavan and Juan Rodriguez. 2016. Intel Memory Protection Extensions Enabling Guide. https://software.intel.com/en-us/articles/intel-memory-protection-extensions-enabling-guide.

[42]

T. Rohl, J. Eitzinger, G. Hager, and G. Wellein. 2017. LIKWID Monitoring Stack: A Flexible Framework Enabling Job Specific Performance monitoring for the masses. In IEEE International Conference on Cluster Computing (CLUSTER).

[43]

Dan Terpstra, Heike Jagode, Haihang You, and Jack Dongarra. 2010. Collecting performance data with PAPI-C. In Tools for High Performance Computing 2009. Springer, 157--173.

[44]

Kevin B. Theobald, Guang R. Gao, and Laurie J. Hendren. 1993. Speculative Execution and Branch Prediction on Parallel Machines. In International Conference on Supercomputing.

[45]

Eran Tromer, Dag Arne Osvik, and Adi Shamir. 2010. Efficient Cache Attacks on AES, and Countermeasures. Journal of Cryptology 23, 1 (01 Jan 2010), 37--71.

[46]

Paul Turner. 2018. Retpoline: a software construct for preventing branch-target-injection. https://support.google.com/faqs/answer/7625886.

[47]

Jo Van Bulck, Marina Minkin, Ofir Weisse, Daniel Genkin, Baris Kasikci, Frank Piessens, Mark Silberstein, Thomas F. Wenisch, Yuval Yarom, and Raoul Strackx. 2018. Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution. In USENIX Security Symposium.

Digital Library

[48]

Luke Wagner. 2018. Mitigations landing for new class of timing attack. https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/.

[49]

David W. Wall. 1991. Limits of Instruction-level Parallelism. In Proceedings of the Fourth International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS IV). ACM, New York, NY, USA, 176--188.

Digital Library

[50]

Vincent M Weaver. 2013. Linux perf_event features and overhead. In The 2nd International Workshop on Performance Analysis of Workload Optimized Systems, FastPath, Vol. 13.

[51]

Ofir Weisse, Jo Van Bulck, Marina Minkin, Daniel Genkin, Baris Kasikci, Frank Piessens, Mark Silberstein, Raoul Strackx, Thomas F. Wenisch, and Yuval Yarom. 2018. https://foreshadowattack.eu/foreshadow-NG.pdf.

[52]

Yuval Yarom and Katrina Falkner. 2014. FLUSH+RELOAD: A High Resolution, Low Noise, L3 Cache Side-channel Attack. In Proceedings of the 23rd USENIX Conference on Security Symposium (SEC'14). USENIX Association, Berkeley, CA, USA, 719--732. http://dl.acm.org/citation.cfm?id=2671225.2671271

Digital Library

[53]

Dmitrijs Zaparanuks, Milan Jovic, and Matthias Hauswirth. 2009. Accuracy of performance counter measurements. In Performance Analysis of Systems and Software, 2009. ISPASS 2009. IEEE International Symposium on. IEEE, 23--32.

[54]

Google Project Zero. 2018. Reading privileged memory with a side-channel. https://googleprojectzero.blogspot.ch/2018/01/reading-privileged-memory-with-side.html.

Cited By

Gerhorst LHerzog HWägemann POtt MKapitza RHönig T(2024)VeriFence: Lightweight and Precise Spectre Defenses for Untrusted Linux Kernel ExtensionsProceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses10.1145/3678890.3678907(644-659)Online publication date: 30-Sep-2024
https://dl.acm.org/doi/10.1145/3678890.3678907
Langehaug TGraham S(2024)CuMONITOR: Continuous Monitoring of Microarchitecture for Software Task Identification and ClassificationDigital Threats: Research and Practice10.1145/36528615:3(1-22)Online publication date: 28-Mar-2024
https://dl.acm.org/doi/10.1145/3652861
Chen WZhao YZhang YQiang WZou DJin H(2024)ReminISCence: Trusted Monitoring Against Privileged Preemption Side-Channel AttacksComputer Security – ESORICS 202410.1007/978-3-031-70903-6_2(24-44)Online publication date: 5-Sep-2024
https://doi.org/10.1007/978-3-031-70903-6_2
Show More Cited By

Index Terms

Speculator: a tool to analyze speculative execution attacks and mitigations
1. Security and privacy
  1. Security in hardware
    1. Hardware attacks and countermeasures
      1. Side-channel analysis and countermeasures
    2. Hardware reverse engineering

Recommendations

ret2spec: Speculative Execution Using Return Stack Buffers
CCS '18: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security

Speculative execution is an optimization technique that has been part of CPUs for over a decade. It predicts the outcome and target of branch instructions to avoid stalling the execution pipeline. However, until recently, the security implications of ...
Tamper Evident Microprocessors
SP '10: Proceedings of the 2010 IEEE Symposium on Security and Privacy

Most security mechanisms proposed to date unquestioningly place trust in microprocessor hardware. This trust, however, is misplaced and dangerous because microprocessors are vulnerable to insider attacks that can catastrophically compromise security, ...
All Your PC Are Belong to Us: Exploiting Non-control-Transfer Instruction BTB Updates for Dynamic PC Extraction
ISCA '23: Proceedings of the 50th Annual International Symposium on Computer Architecture

Leaking a program's instruction address (PC) pattern, completely and precisely, has long been a sought-after capability for microarchitectural side-channel attackers. Case in point, such a primitive would be sufficient to construct powerful control-...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Other conferences

ACSAC '19: Proceedings of the 35th Annual Computer Security Applications Conference

December 2019

821 pages

ISBN:9781450376280

DOI:10.1145/3359789

Conference Chair:
David Balenson
SRI International

Copyright © 2019 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 09 December 2019

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Badges

Artifacts Evaluated & Reusable

Author Tags

Qualifiers

Research-article

Funding Sources

Conference

ACSAC '19

ACSAC '19: 2019 Annual Computer Security Applications Conference

December 9 - 13, 2019

Puerto Rico, San Juan, USA

Acceptance Rates

ACSAC '19 Paper Acceptance Rate 60 of 266 submissions, 23%;

Overall Acceptance Rate 104 of 497 submissions, 21%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

19
Total Citations
View Citations
1,176
Total Downloads

Downloads (Last 12 months)351
Downloads (Last 6 weeks)42

Reflects downloads up to 13 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

Gerhorst LHerzog HWägemann POtt MKapitza RHönig T(2024)VeriFence: Lightweight and Precise Spectre Defenses for Untrusted Linux Kernel ExtensionsProceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses10.1145/3678890.3678907(644-659)Online publication date: 30-Sep-2024
https://dl.acm.org/doi/10.1145/3678890.3678907
Langehaug TGraham S(2024)CuMONITOR: Continuous Monitoring of Microarchitecture for Software Task Identification and ClassificationDigital Threats: Research and Practice10.1145/36528615:3(1-22)Online publication date: 28-Mar-2024
https://dl.acm.org/doi/10.1145/3652861
Chen WZhao YZhang YQiang WZou DJin H(2024)ReminISCence: Trusted Monitoring Against Privileged Preemption Side-Channel AttacksComputer Security – ESORICS 202410.1007/978-3-031-70903-6_2(24-44)Online publication date: 5-Sep-2024
https://doi.org/10.1007/978-3-031-70903-6_2
Zhang ZBarthe GChuengsatiansup CSchwabe PYarom YCalandrino JTroncoso C(2023)Ultimate SLHProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620636(7125-7142)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620636
Qiu PGao QLiu CWang DLyu YLi XWang CQu G(2023)PMU-Spill: A New Side Channel for Transient Execution AttacksIEEE Transactions on Circuits and Systems I: Regular Papers10.1109/TCSI.2023.329891370:12(5048-5059)Online publication date: Dec-2023
https://doi.org/10.1109/TCSI.2023.3298913
Yang YQiu PWang CJin YGao QLi XWang DQu G(2023)Exploration and Exploitation of Hidden PMU Events2023 IEEE/ACM International Conference on Computer Aided Design (ICCAD)10.1109/ICCAD57390.2023.10323695(1-9)Online publication date: 28-Oct-2023
https://doi.org/10.1109/ICCAD57390.2023.10323695
Milburn ASun KKawakami H(2023)You Cannot Always Win the Race: Analyzing mitigations for branch target prediction attacks2023 IEEE 8th European Symposium on Security and Privacy (EuroS&P)10.1109/EuroSP57164.2023.00046(671-686)Online publication date: Jul-2023
https://doi.org/10.1109/EuroSP57164.2023.00046
Cauligi SDisselkoen CMoghimi DBarthe GStefan D(2022)SoK: Practical Foundations for Software Spectre Defenses2022 IEEE Symposium on Security and Privacy (SP)10.1109/SP46214.2022.9833707(666-680)Online publication date: May-2022
https://doi.org/10.1109/SP46214.2022.9833707
Qiu PGao QWang DLyu YLiu CLi XWang CQu G(2022)PMU-Spill: Performance Monitor Unit Counters Leak Secrets in Transient Executions2022 Asian Hardware Oriented Security and Trust Symposium (AsianHOST)10.1109/AsianHOST56390.2022.10022280(1-6)Online publication date: 14-Dec-2022
https://doi.org/10.1109/AsianHOST56390.2022.10022280
Schwarzl MBorrello PKogler AVarda KSchuster TSchwarz MGruss D(2022)Robust and Scalable Process Isolation Against Spectre in the CloudComputer Security – ESORICS 202210.1007/978-3-031-17146-8_9(167-186)Online publication date: 26-Sep-2022
https://dl.acm.org/doi/10.1007/978-3-031-17146-8_9
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Media

Figures

Other

Tables

View Table of Contents