SpecCheck: A Tool for Systematic Identification of Vulnerable Transient Execution in gem5 | IEEE Conference Publication | IEEE Xplore


Abstract:

Speculative execution attacks leverage a processor's speculative execution optimization to leak secret information. Previous attempts to generalize transient execution attacks often analyze specific gadgets in software or look solely at microarchitectural state artifacts to explain the fundamental logic behind these attacks. In this work, we present SPECCHECK, a systematic security verification for detecting potential transient data leakage. SPECCHECK is based on a description of a generic transient execution attack in the form of a register-based Finite State Machine (FSM). SPECCHECK's key insight is that transient execution attacks involve both the software and the hardware to succeed, and the only way to verify whether a design is capable of mitigating such attacks is by considering both at verification time. The FSM is easily incorporated into commonly used processor simulators. As a proof of concept, we implement SPECCHECK's FSM in the gem5 simulator to check for suspicious program flows during an arbitrary program's simulation and lay the groundwork for a robust and systematic hardware security verification tool. We show that SPECCHECK is able to identify known transient execution gadgets in two of the main Spectre variants, variant 1 (PHT) and variant 2 (BTB), with 100% true positives and an average false positive rate of 14% for malicious sequences of code, and an average of 19% vulnerable windows identified for the SPEC benchmark suite.
Date of Conference: 21-25 October 2023
Date Added to IEEE Xplore: 27 December 2023
Conference Location: Vienna, Austria