Abstract:
Speculative execution attacks leverage a processor's speculative execution optimization to leak secret information. Previous attempts to generalize transient execution attacks often analyze specific gadgets in software or look solely at microarchitectural state artifacts to explain the fundamental logic behind these attacks. In this work, we present SPECCHECK, a systematic security verification for detecting potential transient data leakage. SPECCHECK is based on a description of a generic transient execution attack in the form of a register-based Finite State Machine (FSM). SPECCHECK's key insight is that transient execution attacks involve both the software and the hardware to succeed, and the only way to verify whether a design is capable of mitigating such attacks is by considering both at verification time. The FSM is easily incorporated into commonly used processor simulators. As a proof of concept, we implement SPECCHECK's FSM in the gem5 simulator to check for suspicious program flows during an arbitrary program's simulation and lay the groundwork for a robust and systematic hardware security verification tool. We show that SPECCHECK is able to identify known transient execution gadgets in two of the main Spectre variants, variant 1 (PHT) and 2 (BTB), with 100% true positives and an average false positive rate of 14% for malicious sequences of code, and an average of 19% vulnerable windows identified for the SPEC benchmark suite.
Published in: 2023 32nd International Conference on Parallel Architectures and Compilation Techniques (PACT)
Date of Conference: 21-25 October 2023
Date Added to IEEE Xplore: 27 December 2023