

# ***IntroSpectre***: A Pre-Silicon Framework for Discovery and Analysis of Transient Execution Vulnerabilities

Moein Ghaniyoun<sup>†</sup>, Kristin Barber<sup>†</sup>, Yinqian Zhang<sup>§</sup>, Radu Teodorescu<sup>†</sup>

Department of Computer Science and Engineering

May 2022

RISC-V  
uSC SIG



<sup>†</sup> THE OHIO STATE  
UNIVERSITY



<http://arch.cse.ohio-state.edu>

# Background

- ***Speculative execution*** has become a **must-have** feature for almost all mid-high range processors
- Performance optimization  ≈ “*Potential*” security flaw
- Recent works demonstrate the existence of a **vast attack surface** on speculative execution

# Background

- The discovery of **Meltdown** and **Spectre** in 2018 has led to an explosion of transient execution attacks



# Background

- The discovery of [REDACTED] and [REDACTED] in 2018 has led to

There has been significant efforts in both industry and academia to ***mitigate*** and/or ***detect*** transient execution attacks



## Medusa: Microarchitectural Data Leakage via Automated Attack Synthesis

Daniel Moghimi, Worcester Polytechnic Institute; Berk S. Michael Schwarz, Graz University of Technology

<https://www.usenix.org/conference/usenixsecurity20/presentation/moghimi>

## DIFFUZZ: Differential Fuzzing for Side-channel Vulnerabilities

Shirin Nilizadeh\*, University of Texas at Arlington, Arlington, TX, USA  
shirin.nilizadeh@uta.edu

Yannic Noll, Humboldt-Universität zu Berlin, Germany  
yannic.noller@hu-berlin.de

**Abstract**—Side-channel attacks allow an adversary to uncover secret program data by observing the behavior of a program with respect to a resource, such as execution time, consumed memory or response size. Side-channel vulnerabilities are difficult to reason about as they involve analyzing the correlations between resource usage over multiple program paths. We present DIFFUZZ, a fuzzing-based approach for detecting side-channel vulnerabilities related to time and space. DIFFUZZ automatically detects these vulnerabilities by analyzing two versions of the program and using resource-guided heuristics to find inputs that maximize the difference in resource consumption between secret-dependent paths. The methodology of DIFFUZZ is general and can be applied to programs written in any language. For this paper, we present an implementation that targets analysis of Java programs, and uses and extends the KELINCI and AFL fuzzers. We evaluate DIFFUZZ on a large number of Java programs and demonstrate that it can reveal unknown side-channel vulnerabilities in popular applications. We also show that DIFFUZZ compares favorably against BLAZER and THEMIS, two state-of-the-art analysis tools for finding side-channels in Java applications.

**Index Terms**—vulnerability detection; side-channel analysis;

Yuan Xiao  
The Ohio State University  
xiao.465@osu.edu

Yinqian Zhang  
The Ohio State University  
yinqian@cse.ohio-state.edu

Radu Teodorescu  
The Ohio State University  
teodorres@cse.ohio-state.edu

**Abstract**—SPECulative Execution side Channel Hardware (SPEECH) Vulnerabilities have enabled the notorious Meltdown, Spectre, and L1 terminal fault (LTTF) attacks. While a number of studies have reported different variants of SPEECH vulnerabilities, they are still not well understood. This is primarily due to the lack of information about microprocessor implementation details that impact the timing and order of various micro-architectural events. Moreover, to date, there is no systematic approach to quantitatively measure SPEECH vulnerabilities on commodity processors.

This paper introduces SPEECHMINER, a software framework for exploring and measuring SPEECH vulnerabilities in an automated manner. SPEECHMINER empirically establishes the link between a novel two-phase fault handling model and the exploitability and speculation windows of SPEECH vulnerabilities. It enables testing of a comprehensive list of exception-triggering instructions under the same software framework, which leverages covert-channel techniques and differential tests to gain visibility into the micro-architectural state changes. We evaluated SPEECHMINER on 9 different processor types, examined 21 potential vulnerability variants, confirmed various known attacks, and

software [27], [21], [3], [25]. Moreover, new variants of these vulnerabilities are constantly being discovered by hackers and security researchers. Prominent examples include LazyFP [32], Meltdown-RW [16], Fallout [29], ZombieLoad [30], etc.

A major challenge faced by researchers, software developers and hardware designers is the ignorance about the fundamental question of what determines the success or failure of an attack. Without a concrete general conclusion over the nature of these attacks, great efforts are put into figuring out unique mitigation for each newly-emerging variant. Evaluating variants is also difficult with only random attempts of seemingly relative implementation tricks, hoping for a successful exploitation. Three aspects of complexity lead to the difficulty for a general conclusion to be made. First, the attacks vary greatly from each other. They have different threat models and exploit different instructions. And not enough details are provided about their implementation. Second, the micro-architectural states during execution is unobservable and unpredictable. The aggressive speculative and out-of-order processing and shared resources make it difficult to predict the

Jurth\*, Herbert Bos\*, and Kaveh Razavi\*

\*Intel Corporation

cryptographic keys) by examining changes made by a victim's execution to the state of shared microarchitectural components such as caches [1, 2, 3, 4, 5], cache directories [6], TLBs [7], and branch predictors [8, 9]. Such attacks are typically based on *whitebox* side-channel analyses which require heroic reverse engineering efforts to gain a deep understanding of the target component and their craft component-specific exploitation primitives (e.g., the ability to track victim cache accesses by actively forcing evictions). Such manual efforts need to be repeated for each new component and each (micro)architecture, in search of new, dedicated exploitation primitives.

In this paper, we present ABSynthe, an automatic, *blackbox* approach towards synthesizing microarchitectural side channels in a more general and sustainable fashion, by exploiting contention on shared resources. Its blackbox analysis requires no reverse engineering effort on the part of the attacker, and eschews complicated eviction strategies that require deep

## SpecFuzz: Bringing Spectre-type vulnerabilities to the surface

Oleksenko and Bohdan Trach, TU Dresden; Oleksenko; Christof Fetzer, TU Dresden  
<https://www.usenix.org/conference/usenixsecurity20/presentation/oleksenko>

## Blackbox Side-channel Analysis of Microarchitectures

- Discovering **all paths** that *transient execution* may lead to **secret data leakage** is not straightforward
- Effects of **speculated** instructions are **rolled back** after the processor detects mis-speculation
- Creating a major **roadblock** to understanding the **negative side-effects** of transient execution

- **Transient state** will **never** be architecturally visible if the executed instructions are on the **wrong** path



How to know what is inside  
this **closed** box?



- Many existing tools used for transient execution vulnerability **detection** rely on **covert/side channels**

- Reliance on **covert/side channels** prevents a systematic evaluation of transient execution vulnerabilities
- Limits the **visibility** into potential leakage to only known channels



Guess what is in the **box** just by poking **holes**!



- **IntroSpectre** tackles the the problem of **visibility** into the internal state of the processor by integrating into **RTL verification flow**
- All relevant **u-arch** structures are monitored in the **cycle-accurate** simulation



The box is **open** now! We can **see** what is inside!



# Outline

- IntroSpectre Framework
- Design
  - Instruction Sequence Generation
  - Leakage Analyzer
- Evaluation

# IntroSpectre Framework

Instruction Sequence Generator



1. Prime memory/buffers with **known secrets**



2. Directly/indirectly access the **inaccessible secrets**



# IntroSpectre Framework



# Outline

- IntroSpectre Framework
- Design
  - Instruction Sequence Generation
  - Leakage Analyzer
- Evaluation



## Instruction Sequence Generation

# IntroSpectre Framework



?

**How to access the **inaccessible** data in a comprehensive manner?**

2. Directly/indirectly access the **inaccessible** secrets



# The Gadget Fuzzer

- *IntroSpectre* uses a set of **targeted gadgets** and employs **guided fuzzing** to select **relevant** combinations of these gadgets to generate **test cases** that are run through the RTL simulator
- The final output of the fuzzer includes instructions for both **priming** and **accessing** secret data



# Gadget Types

## Main Gadgets

The **core** of the leakage test sequence. They include **speculation primitives** and **access** instructions

## Helper Gadgets

Help the fuzzer to **establish the preferred state** for execution of **main gadgets**

## Setup Gadgets



## Multiple Gadget Variants



The fuzzing is **not limited** to only combining gadgets! Most gadgets are **parametrized**, adding another dimension to the fuzzing space



These **parameters** are **randomized** during instruction generation

# Main Gadgets

- Many of them are crafted based on **known** transient execution attacks
- The rest target corner cases by employing **torturous** instructions



*Main gadgets can benefit from certain u-arch states!*

Meltdown\_us()

LOAD x10, [Supervisor Address]

Requirements:

Supervisor address should be present in L1D\$

**Example:**

## Main gadgets

- How often are we able to find or reuse gadgets from other gadgets?

# How to fulfill the required micro-architectural state for main gadgets?

Example:

Low int. [lowered address]  
High int. [higher address]

Higher address should be present in L1 TLB

How to fulfill the required micro-architectural state for main gadgets?

Helper & Setup Gadgets!

# Helper & Setup Gadgets

- These gadgets are **selected** by fuzzer based on the **requirements** of main gadgets
- The only **difference** between helper and setup gadgets is their **execution privilege**



**Example:**

`Bring_to_dcache()`

`Bring_to_lfb()`

`delay()`

⋮

## Wolper & Beyer generate

• These programs are generated by Wolper & Beyer on the  of their progress

- ★ To generate more meaningful test sequences, *IntroSpectre* benefits from an **Execution Model** constructed along with inst. generation

- **Execution Model** is the core of our **guided fuzzing** that helps with gadget selection to generate more useful inst. sequences
- **Predicts** the behavior of the **fuzzed code** by **estimating** the *micro-architectural* effects of adding **each** instruction to the output
- The execution of each inst. affects the ***state of the processor***
- The execution model **captures** these effects

# Execution Model

The execution model assists *gadget selection*,  
*instruction generation* and *leakage analysis*

# Instruction Sequence Generation



Main Gadgets

Helper/Setup Gadgets



# Outline

- IntroSpectre Framework
- Design
  - Instruction Sequence Generation
  - Leakage Analyzer
- Evaluation

# IntroSpectre Framework



## Leakage Analyzer

# The Leakage Analyzer

## RTL Simulation Log

| Cycle #M            | Cycle #N            | Cycle #P            | Cycle #Q            | Cycle #R            |
|---------------------|---------------------|---------------------|---------------------|---------------------|
| LFB                 | LFB                 | LFB                 | LFB                 | LFB                 |
| WB                  | WB                  | WB                  | WB                  | WB                  |
| RF Val0, Val1, Val2 |
| ST/LD Queue         |
| TLB                 | TLB                 | TLB                 | TLB                 | TLB                 |
| Mode: U             |
| ...                 | ...                 | ...                 | ...                 | ...                 |



Here is the **simulation log** generated by the **RTL simulator**



How to look for secrets in the log?

# The Leakage Analyzer

## RTL Simulation Log

| Cycle #M            | Cycle #N            | Cycle #P            | Cycle #Q            | Cycle #R            |
|---------------------|---------------------|---------------------|---------------------|---------------------|
| LFB                 | LFB                 | LFB                 | LFB                 | LFB                 |
| WB                  | WB                  | WB                  | WB                  | WB                  |
| RF Val0, Val1, Val2 |
| ST/LD Queue         |
| TLB                 | TLB                 | TLB                 | TLB                 | TLB                 |
| Mode: U             |
| ...                 | ...                 | ...                 | ...                 | ...                 |



A detailed **secret timeline** is automatically drawn using the **execution model snapshots** taken after adding **each** instruction to the fuzzer output

# The Leakage Analyzer

## RTL Simulation Log

| Cycle #M            | Cycle #N            | Cycle #P            | Cycle #Q            | Cycle #R            |
|---------------------|---------------------|---------------------|---------------------|---------------------|
| LFB                 | LFB                 | LFB                 | LFB                 | LFB                 |
| WB                  | WB                  | WB                  | WB                  | WB                  |
| RF Val0, Val1, Val2 |
| ST/LD Queue         |
| TLB                 | TLB                 | TLB                 | TLB                 | TLB                 |
| Mode: U             |
| ...                 | ...                 | ...                 | ...                 | ...                 |



This timeline **specifies** what values should be considered **secret** during different **stages** of program execution

# The Leakage Analyzer

| RTL Simulation Log  |                     |                     |                     |                     |
|---------------------|---------------------|---------------------|---------------------|---------------------|
| Cycle #M            | Cycle #N            | Cycle #P            | Cycle #Q            | Cycle #R            |
| LFB                 | LFB                 | LFB                 | LFB                 | LFB                 |
| WB                  | WB                  | WB                  | WB                  | WB                  |
| RF Val0, Val1, Val2 |
| ST/LD Queue         |
| TLB                 | TLB                 | TLB                 | TLB                 | TLB                 |
| Mode: U             |
| ...                 | ...                 | ...                 | ...                 | ...                 |



★ Whether a **Val** is a **secret** or **not** depends on:

1. **Execution privilege** of the processor
2. **Permission bits** of the mem. page holding Val

**Secret**

# The Leakage Analyzer

| RTL Simulation Log  |                     |                     |                     |                     |
|---------------------|---------------------|---------------------|---------------------|---------------------|
| Cycle #M            | Cycle #N            | Cycle #P            | Cycle #Q            | Cycle #R            |
| LFB                 | LFB                 | LFB                 | <b>LFB</b>          | LFB                 |
| WB                  | WB                  | WB                  | WB                  | WB                  |
| RF Val0, Val1, Val2 |
| ST/LD Queue         |
| TLB                 | TLB                 | TLB                 | TLB                 | TLB                 |
| Mode: U             |
| ...                 | ...                 | ...                 | ...                 | ...                 |



Let's assume that our analyzer finds **Val 2** in **LFB** during the execution cycles from  $t_Q$  to  $t_R$ .

# The Leakage Analyzer



Let's assume that our analyzer finds **Val 2** in **LFB** during the execution cycles from  $t_Q$  to  $t_R$ .

# The Leakage Analyzer

| RTL Simulation Log  |                     |                     |                     |
|---------------------|---------------------|---------------------|---------------------|
| Cycle #M            | Cycle #N            | Cycle #P            | Cycle #Q            |
| LFB                 | LFB                 | LFB                 | LFB                 |
| WB                  | WB                  | WB                  | WB                  |
| RF Val0, Val1, Val2 |
| ST/LD Queue         | ST/LD Queue         | ST/LD Queue         | ST/LD Queue         |
| TLB                 | TLB                 | TLB                 | TLB                 |
| Mode: U             | Mode: U             | Mode: U             | Mode: U             |
| ...                 | ...                 | ...                 | ...                 |



★ **Secret Leakage Found!** ★

# Evaluation

- We evaluated **IntroSpectre** on **RISC-V BOOM v2.2.3** single core using  
**Verilator RTL Simulator v4.035**
- Out of around **100 fuzzing rounds**, discovered **13 distinct scenarios** leading to **secret leakage** through different **u-arch structures** categorized across three classes



Many of these secret leakage scenarios have **NOT** been reported before on **BOOM**



- **R-Type Leakage:** Secret data in both **register file and LFB**
- **L-Type Leakage:** Secret data only in **LFB**
- **Miscellaneous:** Meltdown-JP & Meltdown-X

# Leakage Scenarios in BOOM v2.2.3

R-Type

|        |    |                                                                                        |
|--------|----|----------------------------------------------------------------------------------------|
| R-Type | R1 | Supervisor-only bypass                                                                 |
|        | R2 | User-only bypass                                                                       |
|        | R3 | Machine-only bypass                                                                    |
|        | R4 | Reading from <b>invalid user pages</b> regardless of permission bits                   |
|        | R5 | Reading from user pages <b>without read permission</b>                                 |
|        | R6 | Reading from user pages <b>with access and dirty bits off</b>                          |
|        | R7 | Reading from user pages <b>with access bit off</b>                                     |
|        | R8 | Reading from user pages <b>with dirty bit off</b>                                      |
| L-Type | L1 | Leaking <b>page table entries</b> through LFB                                          |
|        | L2 | Leaking secrets of a page without proper permissions in LFB by using <b>prefetcher</b> |
|        | L3 | Leaking supervisor secrets after <b>handling an exception</b> through LFB              |
| Misc.  | X1 | Jump to an address and <b>execute the stale value</b>                                  |
|        | X2 | Speculatively <b>execute supervisor-code/inaccessible-user-code</b> while in user mode |

# Leakage Scenario

R-Type



# Leakage Scenario

R-Type



# Leakage Scenario

R-Type



# Leakage Scenarios in BOOM v2.2.3

R-Type

|                                                                                   |           |                                                                                        |
|-----------------------------------------------------------------------------------|-----------|----------------------------------------------------------------------------------------|
|  | <b>R1</b> | Supervisor-only bypass                                                                 |
|                                                                                   | <b>R2</b> | User-only bypass                                                                       |
|                                                                                   | <b>R3</b> | Machine-only bypass                                                                    |
|                                                                                   | <b>R4</b> | Reading from <b>invalid user pages</b> regardless of permission bits                   |
|                                                                                   | <b>R5</b> | Reading from user pages <b>without read permission</b>                                 |
|                                                                                   | <b>R6</b> | Reading from user pages <b>with access and dirty bits off</b>                          |
|                                                                                   | <b>R7</b> | Reading from user pages <b>with access bit off</b>                                     |
|                                                                                   | <b>R8</b> | Reading from user pages <b>with dirty bit off</b>                                      |
|  | <b>L1</b> | Leaking <b>page table entries</b> through LFB                                          |
|                                                                                   | <b>L2</b> | Leaking secrets of a page without proper permissions in LFB by using <b>prefetcher</b> |
|                                                                                   | <b>L3</b> | Leaking supervisor secrets after <b>handling an exception</b> through LFB              |
|  | <b>X1</b> | Jump to an address and <b>execute the stale value</b>                                  |
|                                                                                   | <b>X2</b> | Speculatively <b>execute supervisor-code/inaccessible-user-code</b> while in user mode |

Misc.

# Leakage Scenarios in BOOM v2.2.3

**R-Type**

|    |                                                                                                                                                 |
|----|-------------------------------------------------------------------------------------------------------------------------------------------------|
| R1 | Supervisor-only bypass                                                                                                                          |
| R2 | User-only bypass  <b>Bypassing all three privilege levels!</b> |
| R3 | Machine-only bypass                                                                                                                             |
| R4 | Reading from <b>invalid user pages</b> regardless of permission bits                                                                            |
| R5 | Reading from user pages <b>without read permission</b>                                                                                          |
| R6 | Reading from user pages <b>with access and dirty bits off</b>                                                                                   |
| R7 | Reading from user pages <b>with access bit off</b>                                                                                              |
| R8 | Reading from user pages <b>with dirty bit off</b>                                                                                               |
| L1 | Leaking <b>page table entries</b> through LFB                                                                                                   |
| L2 | Leaking secrets of a page without proper permissions in LFB by using <b>prefetcher</b>                                                          |
| L3 | Leaking supervisor secrets after <b>handling an exception</b> through LFB                                                                       |
| X1 | Jump to an address and <b>execute the stale value</b>                                                                                           |
| X2 | Speculatively <b>execute supervisor-code/inaccessible-user-code</b> while in user mode                                                          |

**Misc.**

# Leakage Scenarios in BOOM v2.2.3

**R-Type**

|    |                                                                                                                                                 |
|----|-------------------------------------------------------------------------------------------------------------------------------------------------|
| R1 | Supervisor-only bypass                                                                                                                          |
| R2 | User-only bypass  <b>Bypassing all three privilege levels!</b> |
| R3 | Machine-only bypass                                                                                                                             |
| R4 | Reading from <b>invalid user pages</b> regardless of permission bits                                                                            |
| R5 | Reading from user pages <b>without read permission</b>                                                                                          |
| R6 | Read  <b>Leaking secrets from inaccessible user pages!</b>     |
| R7 | Reading from user pages <b>with access bit off</b>                                                                                              |
| R8 | Reading from user pages <b>with dirty bit off</b>                                                                                               |
| L1 | Leaking <b>page table entries</b> through LFB                                                                                                   |
| L2 | Leaking secrets of a page without proper permissions in LFB by using <b>prefetcher</b>                                                          |
| L3 | Leaking supervisor secrets after <b>handling an exception</b> through LFB                                                                       |
| X1 | Jump to an address and <b>execute the stale value</b>                                                                                           |
| X2 | Speculatively <b>execute supervisor-code/inaccessible-user-code</b> while in user mode                                                          |

**Misc.**

# Leakage Scenarios in BOOM v2.2.3

**R-Type**

|    |                                                                                                                                                                                                             |
|----|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| R1 | Supervisor-only bypass                                                                                                                                                                                      |
| R2 | User-only bypass  <b>Bypassing all three privilege levels!</b>                                                             |
| R3 | Machine-only bypass                                                                                                                                                                                         |
| R4 | Reading from invalid user pages regardless of permission bits                                                                                                                                               |
| R5 | Reading from user pages without read permission                                                                                                                                                             |
| R6 | Reading  <b>Leaking secrets from inaccessible user pages!</b>                                                              |
| R7 | Reading from user pages with access bit off                                                                                                                                                                 |
| R8 | Reading from user pages with dirty bit off                                                                                                                                                                  |
| L1 | Leaking page table entries through LFB                                                                                                                                                                      |
| L2 | Leaking secrets of a page without proper permissions in LFB by using prefetcher  <b>Potential secret leakage from LFB!</b> |
| L3 | Leaking supervisor secrets after handling an exception through LFB                                                                                                                                          |
| X1 | Jump to an address and <b>execute the stale value</b>                                                                                                                                                       |
| X2 | Speculatively <b>execute supervisor-code/inaccessible-user-code</b> while in user mode                                                                                                                      |

**Misc.**

# Leakage Scenarios in BOOM v2.2.3

**R-Type**

|    |                                                                                                                                                                                                             |
|----|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| R1 | Supervisor-only bypass                                                                                                                                                                                      |
| R2 | User-only bypass  <b>Bypassing all three privilege levels!</b>                                                             |
| R3 | Machine-only bypass                                                                                                                                                                                         |
| R4 | Reading from invalid user pages regardless of permission bits                                                                                                                                               |
| R5 | Reading from user pages without read permission                                                                                                                                                             |
| R6 | Reading  <b>Leaking secrets from inaccessible user pages!</b>                                                              |
| R7 | Reading from user pages with access bit off                                                                                                                                                                 |
| R8 | Reading from user pages with dirty bit off                                                                                                                                                                  |
| L1 | Leaking page table entries through LFB                                                                                                                                                                      |
| L2 | Leaking secrets of a page without proper permissions in LFB by using prefetcher  <b>Potential secret leakage from LFB!</b> |
| L3 | Leaking supervisor secrets after handling an exception through LFB                                                                                                                                          |
| X1 | Jump to an address and <b>execute the stale value</b>                                                                                                                                                       |
| X2 | Speculatively  <b>Illegal speculative control-flow!</b>                                                                    |

**Misc.**

# Coverage Analysis

- The coverage of **IntroSpectre** can be examined along four dimensions:

1. **Coverage of u-arch structures**



All relevant **u-arch structure's state** is recorded in the simulation log

2. **Coverage of isolation boundaries**



All possible accesses across **all isolation boundaries** are covered

3. **Coverage of gadgets**



All **known and applicable** Meltdown-like attacks are covered + other **torturing** gadgets

4. **False positives/ False negatives**



**No** false negatives regarding leakage scenarios triggered by fuzzer



**Cannot** guarantee to capture the leakage scenarios not exercised by the test code



**Might** have false positives regarding the exploitability of a secret leakage

- We developed **IntroSpectre**, a framework for **transient execution vulnerability detection**
- **Full visibility** into internal processor's state enables a **systematic evaluation** of the design
- We focus on **Meltdown-like** leaks, but the tool can be **extended** to cover **other transient execution attacks (Spectre)**

# Thank you!

★ The source code of **IntroSpectre** will be available soon at :★



<https://github.com/MoeinGhaniyoun/IntroSpectre>



@MoeinGhaniyoun



Ghaniyoun.1@osu.edu



<http://arch.cse.ohio-state.edu>