Spectre attacks: exploiting speculative execution

Published: 18 June 2020

Abstract

Modern processors use branch prediction and speculative execution to maximize performance. For example, if the destination of a branch depends on a memory value that is in the process of being read, CPUs will try to guess the destination and attempt to execute ahead. When the memory value finally arrives, the CPU either discards or commits the speculative computation. Speculative logic is unfaithful in how it executes, can access the victim's memory and registers, and can perform operations with measurable side effects.
Spectre attacks involve inducing a victim to speculatively perform operations that would not occur during correct program execution and which leak the victim's confidential information via a side channel to the adversary. This paper describes practical attacks that combine methodology from side-channel attacks, fault attacks, and return-oriented programming that can read arbitrary memory from the victim's process. More broadly, the paper shows that speculative execution implementations violate the security assumptions underpinning numerous software security mechanisms, such as operating system process separation, containerization, just-in-time (JIT) compilation, and countermeasures to cache timing and side-channel attacks. These attacks represent a serious threat to actual systems because vulnerable speculative execution capabilities are found in microprocessors from Intel, AMD, and ARM that are used in billions of devices.
Although makeshift processor-specific countermeasures are possible in some cases, sound solutions will require fixes to processor designs as well as updates to instruction set architectures (ISAs) to give hardware architects and software developers a common understanding as to what computation state CPU implementations are (and are not) permitted to leak.
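The abstract's point that speculative execution can perform a load that the architectural bounds check would have rejected is easiest to see against a concrete mitigation. The following C program is an added illustration, not code from the paper: it places a plain bounds-checked table lookup beside a version that additionally clamps the index with a branch-free mask (the same idea as the Linux kernel's array_index_nospec()), so that even on a mispredicted path the index cannot reach past the table. The table contents, the adjacent "secret" bytes, and the function names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data: a small public table, followed in memory by bytes
 * that a correct lookup must never touch, even transiently. */
#define TABLE_LEN 16
static const uint8_t table[TABLE_LEN] = {
    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25 };
static const uint8_t secret[8] = { 'S', 'E', 'C', 'R', 'E', 'T', '!', '!' };

/* Plain bounds check. Architecturally correct, but the comparison is a
 * branch the predictor may guess wrong, so the load below it can execute
 * speculatively with an out-of-range index before the check resolves. */
uint8_t lookup_unmasked(size_t idx)
{
    if (idx < TABLE_LEN)
        return table[idx];
    return 0;
}

/* Branch-free mask: all ones when idx < len, all zeros otherwise.
 * m = idx | (len - 1 - idx) has its top bit set exactly when idx >= len
 * (the subtraction wraps) or when idx itself has the top bit set. Shifting
 * that bit down and subtracting 1 turns 0 into SIZE_MAX and 1 into 0,
 * using only unsigned arithmetic, so no prediction is involved. */
static inline size_t index_mask_nospec(size_t idx, size_t len)
{
    size_t m = idx | (len - 1 - idx);
    return (m >> (sizeof(size_t) * 8 - 1)) - 1;
}

/* The effective index after clamping: unchanged in range, 0 otherwise. */
size_t clamp_index(size_t idx, size_t len)
{
    return idx & index_mask_nospec(idx, len);
}

/* Hardened lookup: the architectural check stays, and the index that feeds
 * the load is masked, so a speculatively executed load with a bad index
 * reads table[0] instead of memory past the end of the table. */
uint8_t lookup_masked(size_t idx)
{
    if (idx >= TABLE_LEN)
        return 0;
    idx = clamp_index(idx, TABLE_LEN);
    return table[idx];
}

int main(void)
{
    size_t probes[] = { 3, 15, 16, 100, SIZE_MAX };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        printf("idx=%zu  unmasked=%u  masked=%u  effective index=%zu\n",
               probes[i], lookup_unmasked(probes[i]),
               lookup_masked(probes[i]), clamp_index(probes[i], TABLE_LEN));
    }
    (void)secret; /* present only to show what sits past the table */
    return 0;
}
```

Both functions return the same architectural results; the difference is only on the transient path, which a unit test cannot observe. Index masking is one of the two common software responses to this class of bounds-check bypass; the other is a serializing instruction after the check (LFENCE on x86, CSDB on ARM), which stops the load from issuing until the branch resolves at a higher cost per check. Neither addresses the underlying hardware behaviour the abstract describes, which is why the authors call for ISA-level definitions of what a CPU may leak.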


Published In

Communications of the ACM, Volume 63, Issue 7, July 2020, 102 pages
ISSN: 0001-0782, EISSN: 1557-7317
DOI: 10.1145/3407166

Publisher

Association for Computing Machinery

New York, NY, United States

