

# Principled foundations for microarchitectural security

Marco Guarnieri  
IMDEA Software Institute

SILM, 06-06-2022 @ Genova

Contacts:

@ marco.guarnieri@imdea.org  
 @MarcoGuarnier1





Picture of Intel "Haswell-E" Eight Core CPU







Picture of Intel "Haswell-E" Eight Core CPU



# SPECTRE



# FORESHADOW



# MELTDOWN





# SPECTRE



# FORESHADOW



# MELTDOWN





# Attacks exploit microarchitectural side-effects to compromise security!





# Attacks exploit microarchitectural side-effects to compromise security!



**FORESHADOW**

Picture of Intel "Haswell-E" Eight Core CPU



# it microarchitect compromise side- ity!

Intel has admitted that patches to fix the Spectre and Meltdown chip flaws could slow machines "in some cases"

# Researchers Discover Two Major Flaws in the World's Computers



Intel  
Flaw It, So  
Side-  
carieload bug fix to slow data  
computers  
ity!



# What is the problem?

# What is the problem?

*Microarchitectural leakage*  
depends on *specific*  
*hardware details*



# What is the problem?

*Microarchitectural leakage*  
depends on *specific  
hardware details*



No *faithful, precise* models  
capturing *microarchitectural  
leakage*

# What is the problem?

*Microarchitectural leakage*

depends on *specific hardware details*



No *faithful, precise* models capturing *microarchitectural leakage*



# What is the problem?

*Microarchitectural leakage*  
depends on *specific  
hardware details*



No *faithful, precise* models  
capturing *microarchitectural  
leakage*

*Writing secure code* is  
almost **impossible**

$$\text{P} + \text{Microchip} = \text{Secure}$$

$$\text{P} + \text{Microchip} = \text{Insecure}$$

# A problem of (missing) abstractions

# A problem of (missing) abstractions



# A problem of (missing) abstractions



# What is a good abstraction?



# What is a good abstraction?

Hardware-software  
**contracts** for *security*



# What is a good abstraction?

Hardware-software  
**contracts** for *security*



# What is a good abstraction?

Hardware-software  
**contracts** for *security*



Capture all possible  
*microarchitectural leaks!*

# What is a good abstraction?

Hardware-software  
**contracts** for *security*



Capture all possible  
*microarchitectural leaks!*

Secure programming  
**independently**  
of specific  
microarchitecture

# What is a good abstraction?

Hardware-software  
**contracts** for **security**



Capture all possible  
***microarchitectural leaks!***

Secure programming  
**independently**  
of specific  
microarchitecture

Implement  
***optimizations***  
**compliant** with  
contract

# In this talk

# In this talk

**HW/SW contracts** for *secure speculation*

# In this talk

**HW/SW contracts** for *secure speculation*

**Contracts** + *Hardware*

# In this talk

**HW/SW contracts** for *secure speculation*

**Contracts** + *Hardware*

**Contracts** + *Software*

# Outline

1. Speculative execution attacks
2. Modeling speculative leaks
3. Hardware-software contracts for secure speculation
4. What about hardware?
5. What about software?
6. Conclusions

# Outline

1. Speculative execution attacks
2. Modeling speculative leaks
3. Hardware-software contracts for secure speculation
4. What about hardware?
5. What about software?
6. Conclusions



# SPECTRE

Exploits ***speculative execution***

Almost ***all*** modern ***CPUs*** are ***affected***

# Speculative execution + branch prediction

Size of array **A**

```
if (x < A_size)
    y = B[A[x]]
```

# Speculative execution + branch prediction

Size of array **A**

```
if (x < A_size)
    y = B[A[x]]
```

# Speculative execution + branch prediction

```
if (x < A_size) HELP  
y = B[A[x]]
```

Size of array **A**



Branch predictor

# Speculative execution + branch prediction

Prediction based on **branch history** & **program structure**

Size of array **A**

```
if (x < A_size)  
    y = B[A[x]]
```



Branch predictor

# Speculative execution + branch prediction

Prediction based on **branch history** & **program structure**

Size of array **A**

```
if (x < A_size)  
    y = B[A[x]]
```



Branch predictor

# Speculative execution + branch prediction

Prediction based on **branch history** & **program structure**

Size of array **A**

```
if (x < A_size)  
    y = B[A[x]]
```



Wrong prediction? **Rollback changes!**



Architectural (ISA) state



Microarchitectural state

Branch predictor

# Spectre v1

# Spectre v1

```
void f(int x)
  if (x < A_size)
    y = B[A[x]]
```



# Spectre v1



```
void f(int x)
  if (x < A_size)
    y = B[A[x]]
```



# Spectre v1



```
void f(int x)
  if (x < A_size)
    y = B[A[x]]
```



# Spectre v1



```
void f(int x)
if (x < A_size)
    y = B[A[x]]
```



# Spectre v1

```
void f(int x)
if (x < A_size)
    y = B[A[x]]
```



1) Train branch predictor

# Spectre v1

```
void f(int x)
if (x < A_size)
    y = B[A[x]]
```



1) Train branch predictor

2) Prepare cache

# Spectre v1

```
void f(int x)
if (x < A_size)
    y = B[A[x]]
```



1) Train branch predictor

2) Prepare cache

3) Run with  $x = 128$

# Spectre v1

```
void f(int x)
if (x < A_size)
    y = B[A[x]]
```



1) Train branch predictor

2) Prepare cache

3) Run with  $x = 128$

# Spectre v1



1) Train branch predictor

2) Prepare cache

3) Run with  $x = 128$

# Spectre v1



1) Train branch predictor

2) Prepare cache

3) Run with  $x = 128$

# Spectre v1

```
void f(int x)
if (x < A_size)
    y = B[A[x]]
```



Depends on  
 $\mathbf{A}[128]$



Persistent across  
speculations



1) Train branch predictor

2) Prepare cache

3) Run with  $x = 128$

# Spectre v1



# Outline

1. Speculative execution attacks
2. Modeling speculative leaks
3. Hardware-software contracts for secure speculation
4. What about hardware?
5. What about software?
6. Conclusions

# Speculative leaks at program level



# Speculative leaks at program level



# Speculative leaks at program level



+  
Speculative  
semantics

# Speculative leaks at program level



# Speculative leaks at program level



+  
Speculative  
semantics

*Execution mode*

+

*Observer mode*

Models how instructions  
are executed

# Speculative leaks at program level



+  
Speculative  
semantics

## *Execution mode*

Models how instructions  
are executed

+

## *Observer mode*

Capture attacker's  
observational power

# Modeling speculation

```
1. if (x < A_size)
2.     y = A [x]
3.     z = B [y]
4. end
```

# Modeling speculation

```
1. if (x < A_size)  
2.     y = A[x]  
3.     z = B[y]  
4. end
```

Save **program state** before  
executing **branch** instructions

# Modeling speculation

```
1. if (x < A_size)  
2.     y = A[x]  
3.     z = B[y]  
4. end
```

Save **program state** before executing **branch** instructions

Mispredict **all** branch instructions

# Modeling speculation

```
1. if (x < A_size)  
2.     y = A[x]  
3.     z = B[y]  
4. end
```

Save **program state** before executing **branch** instructions

Mispredict **all** branch instructions

Fixed speculative window

# Modeling speculation

```
1. if (x < A_size)  
2.     y = A[x]  
3.     z = B[y]  
4. end
```

Save **program state** before executing **branch** instructions

Mispredict **all** branch instructions

Fixed speculative window

**Rollback** speculation

# Modeling speculation

```
1. if (x < A_size)  
2.     y = A [x]  
3.     z = B [y]  
4. end
```



Save **program state** before executing **branch** instructions

Mispredict **all** branch instructions

Fixed speculative window

**Rollback** speculation

- Non-speculative
- Speculative

# Modeling speculation

```
1. if (x < A_size)
2.     y = A[x]
3.     z = B[y]
4. end
```



Save **program state** before executing **branch** instructions

Mispredict **all** branch instructions

Fixed speculative window

**Rollback** speculation



Non-speculative



Speculative

# Modeling speculation

```
1. if (x < A_size)  
2.     y = A[x]  
3.     z = B[y]  
4. end
```



- Non-speculative
- Speculative

Save **program state** before executing **branch** instructions

Mispredict **all** branch instructions

Fixed speculative window

**Rollback** speculation

# Modeling speculation

```
1. if (x < A_size)  
2.     y = A[x]  
3.     z = B[y]  
4. end
```



Non-speculative  
Speculative

Save **program state** before executing **branch** instructions

Mispredict **all** branch instructions

Fixed speculative window

**Rollback** speculation

# Modeling speculation

```
1. if (x < A_size)  
2.     y = A[x]  
3.     z = B[y]  
4. end
```



Non-speculative

Speculative

Save **program state** before executing **branch** instructions

Mispredict **all** branch instructions

Fixed speculative window

**Rollback** speculation

# Leakage into microarchitecture

```
1. if (x < A_size)
2.     y = A [x]
3.     z = B [y]
4. end
```



# Leakage into microarchitecture

```
1. if (x < A_size)  
2.     y = A [x]  
3.     z = B [y]  
4. end
```

Attacker observes:

- locations of **memory accesses**
- **branch/jump** targets
- **start/end** speculative execution



# Leakage into microarchitecture

```
1. if (x < A_size)  
2.     y = A [x]  
3.     z = B [y]  
4. end
```

Attacker observes:

- locations of **memory accesses**
- **branch/jump** targets
- **start/end** speculative execution



Inspired by “constant-time” requirements

# Leakage into microarchitecture

```
1. if (x < A_size)  
2.     y = A [x]  
3.     z = B [y]  
4. end
```

Attacker observes:

- locations of **memory accesses**
- **branch/jump** targets
- **start/end** speculative execution



Inspired by “constant-time” requirements

- Non-speculative
- Speculative

# Leakage into microarchitecture

```
1. if (x < A_size)  
2.   y = A[x]  
3.   z = B[y]  
4. end
```

start  
pc 2



Attacker observes:

- locations of **memory accesses**
- **branch/jump** targets
- **start/end** speculative execution

Inspired by “constant-time” requirements

- Non-speculative
- Speculative

# Leakage into microarchitecture

```
1. if (x < A_size)
2.     y = A[x]
3.     z = B[y]
4. end
```



- Non-speculative
- Speculative

Attacker observes:

- locations of **memory accesses**
- **branch/jump** targets
- **start/end** speculative execution

Inspired by “constant-time” requirements

# Leakage into microarchitecture

```
1. if (x < A_size)
2.     y = A[x]
3.     z = B[y]
4. end
```

load **A+x**



Attacker observes:

- locations of **memory accesses**
- **branch/jump** targets
- **start/end** speculative execution

Inspired by “constant-time” requirements

Non-speculative

Speculative

# Leakage into microarchitecture

```
1. if (x < A_size)  
2.     y = A [x]  
3.     z = B [y]  
4. end
```

load A+**x**



Non-speculative

Speculative

Attacker observes:

- locations of **memory accesses**
- **branch/jump** targets
- **start/end** speculative execution

Inspired by “constant-time” requirements

# Leakage into microarchitecture

```
1. if (x < A_size)  
2.     y = A [x]  
3.     z = B [y]  
4. end
```

load B+A [**x**]



Non-speculative



Speculative

Attacker observes:

- locations of **memory accesses**
- **branch/jump** targets
- **start/end** speculative execution

Inspired by “constant-time” requirements

# Leakage into microarchitecture

```
1. if (x < A_size)  
2.     y = A [x]  
3.     z = B [y]  
4. end
```

load B+A [**x**]



Non-speculative

Speculative

Attacker observes:

- locations of **memory accesses**
- **branch/jump** targets
- **start/end** speculative execution

Inspired by “constant-time” requirements

# Leakage into microarchitecture

```
1. if (x < A_size)
2.     y = A[x]
3.     z = B[y]
4. end
```

rollback  
pc 4



- Non-speculative
- Speculative

Attacker observes:

- locations of **memory accesses**
- **branch/jump** targets
- **start/end** speculative execution

Inspired by “constant-time” requirements

# Leakage into microarchitecture

```
1. if (x < A_size)  
2.     y = A [x]  
3.     z = B [y]  
4. end
```

Attacker observes:

- locations of **memory accesses**
- **branch/jump** targets
- **start/end** speculative execution



Inspired by “constant-time” requirements

- Non-speculative
- Speculative

# Outline

1. Speculative execution attacks
2. Modeling speculative leaks
3. Hardware-software contracts for secure speculation
4. What about hardware?
5. What about software?
6. Conclusions

# Building sound leakage abstractions



# Building sound leakage abstractions



**Hardware-software  
contract**

# Building sound leakage abstractions



**Hardware-software  
contract**

***Contracts*** specify which  
***program executions*** a  
microarchitectural ***adversary***  
***can distinguish***

# Building sound leakage abstractions



**Hardware-software  
contract**

**Contracts** specify which **program executions** a microarchitectural **adversary** **can distinguish**

## Goals

- Capture **HW** security **guarantees**
- **Basis** for **secure programming**

# Contracts

# Contracts

## Contract



ISA extended with  
observations

# Contracts

*Observations* expose  
security-relevant *events*

## Contract



ISA extended with  
**observations**



# Contracts

*Observations* expose  
security-relevant *events*

## Contract



ISA extended with  
**observations**

Contract traces:   $(p, \sigma)$

# Contracts

*Observations* expose  
security-relevant *events*

## Contract



ISA extended with  
**observations**

Contract traces: ( $p, \sigma$ )



## Hardware

Processor+attacker  
observations

# Contracts

*Observations* expose  
security-relevant *events*

## Contract



ISA extended with  
observations

Contract traces: ( $p, \sigma$ )



## Hardware

Processor+attacker  
observations

Hardware traces: ( $p, \sigma$ )

# Contracts



## Contract

ISA extended with  
**observations**

Contract traces:   $(p, \sigma)$

*Observations* expose security-relevant **events**

**Hw traces** model attacker's observational power



## Hardware

Processor+attacker observations



Hardware traces:   $(p, \sigma)$

# Contracts

*Observations* expose security-relevant *events*

*Hw traces* model attacker's observational power

## Contract

ISA extended with  
observations



Contract traces:  $(p, \sigma)$

## Hardware

Processor+attacker observations



Hardware traces:  $(p, \sigma)$

## Contract satisfaction

Hardware satisfies contract if for all programs  $p$  and arch. states  $\sigma, \sigma'$ : if  $(p, \sigma) = \equiv$   $(p, \sigma')$  then  $(p, \sigma) = \equiv$   $(p, \sigma')$

# Contracts

*Observations* expose security-relevant *events*

*Hw traces* model attacker's observational power

## Contract

ISA extended with  
observations



Contract traces:  $(p, \sigma)$

## Hardware

Processor+attacker observations



Hardware traces:  $(p, \sigma)$

## Contract satisfaction

Hardware satisfies contract if for all programs  $p$  and arch. states  $\sigma, \sigma'$ : if  $(p, \sigma) = \boxed{\equiv}(p, \sigma')$  then  $(p, \sigma) = \boxed{=}\boxed{\equiv}(p, \sigma')$

# Contracts

*Observations* expose security-relevant *events*

*Hw traces* model attacker's observational power

## Contract

ISA extended with  
observations



Contract traces:  $(p, \sigma)$

## Hardware



Processor+attacker observations

Hardware traces:  $(p, \sigma)$

## Contract satisfaction

Hardware satisfies contract if for all programs  $p$  and arch. states  $\sigma, \sigma'$ : if  $(p, \sigma) = \square(p, \sigma')$  then  $(p, \sigma) = \square(p, \sigma')$

# Contracts for secure speculation

# Contracts for secure speculation

**Contract** =

Execution Mode • Observer Mode

# Contracts for secure speculation

At ISA level

**Contract** =

Execution Mode · Observer Mode

# Contracts for secure speculation

At ISA level

**Contract** =

**Execution Mode** · Observer Mode



How are programs executed?

# Contracts for secure speculation

At ISA level

**Contract** =

Execution Mode · **Observer Mode**



How are programs executed?



What is visible about the execution?

# Contracts for secure speculation

**Contract** =

**Execution Mode** · Observer Mode

**seq** — sequential execution

**spec** — mispredict branch

instructions

# Contracts for secure speculation

**Contract** =

Execution Mode · Observer Mode

**seq** — sequential execution

**spec** — mispredict branch  
instructions

# Contracts for secure speculation

**Contract** =

Execution Mode · **Observer Mode**

**pc** — only program counter

**ct** — **pc** + address of loads/stores

**arch** — **ct** + loaded values

# Contracts for secure speculation

**Contract** =

Execution Mode · **Observer Mode**

**pc** — only program counter

**ct** — **pc** + address of loads/stores

**arch** — **ct** + loaded values

# A lattice of contracts



# A lattice of contracts



# A lattice of contracts



Leaks  
“nothing”

Leaks “everything”

# A lattice of contracts



# A lattice of contracts



# A lattice of contracts



# Model different security guarantees!



# Outline

1. Speculative execution attacks
2. Modeling speculative leaks
3. Hardware-software contracts for secure speculation
4. What about hardware?
5. What about software?
6. Conclusions

# Hardware countermeasures

# Hardware countermeasures

## InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy

Mengjia Yan<sup>†</sup>, Jiho Choi<sup>†</sup>, Dimitrios Skarlatos, Adam Morrison\*, Christopher W. Fletcher, and Josep Torrellas

University of Illinois at Urbana-Champaign      \*Tel Aviv University

{myan8, jchoi42, skarlat2}@illinois.edu, mad@cs.tau.ac.il, {cwfletch, torrella}@illinois.edu

# Hardware countermeasures

## InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy

Mengjia Yan<sup>†</sup>, Jiho Choi<sup>†</sup>, Dimitrios Skarlatos, Adam Morrison\*, Christopher W. Fletcher, and Josep Torrellas

University of Illinois at Urbana-Champaign      \*Tel Aviv University

{myan8, jchoi42, skarlat2}@illinois.edu, mad@cs.tau.ac.il, {cwfletch, torrella}@illinois.edu

*CleanupSpec: An “Undo” Approach to Safe Speculation*

Gururaj Saileshwar  
gururaj.s@gatech.edu  
Georgia Institute of Technology

Moinuddin K. Qureshi  
moin@gatech.edu  
Georgia Institute of Technology

# Hardware countermeasures

## InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy

Mengjia Yan<sup>†</sup>, Jiho Choi<sup>†</sup>, Dimitrios Skarlatos, Adam Morrison\*, Christopher W. Fletcher, and Josep Torrellas

University of Illinois at Urbana-Champaign

\*Tel Aviv University

{myan8, jchoi42, skarlat2}@illinois.edu, mad@cs.tau.ac.il, {cwfletch, torrella}@illinois.edu

Efficient Invisible Speculative Execution through  
Selective Delay and Value Prediction

Christos Sakalis  
Uppsala University  
Uppsala, Sweden  
christos.sakalis@it.uu.se

Alexandra Jimborean  
Uppsala University  
Uppsala, Sweden  
alexandra.jimborean@it.uu.se

Stefanos Kaxiras  
Uppsala University  
Uppsala, Sweden  
stefanos.kaxiras@it.uu.se

Magnus Själander  
Norwegian University of Science and  
Technology  
Trondheim, Norway  
magnus.sjlander@ntnu.no

*CleanupSpec: An “Undo” Approach to Safe Speculation*

Moinuddin K. Qureshi  
moin@gatech.edu  
Georgia Institute of Technology

Alberto Ros  
University of Murcia  
Murcia, Spain  
aros@ditec.unimur.es

# Hardware countermeasures

# InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy

Mengjia Yan<sup>†</sup>, Jiho Choi<sup>†</sup>, Dimitrios Skarlatos, Adam Morrison\*, †

University of Illinois at Urbana-Champaign

{myan8, jchoi42, skarlat2}@illinois.edu, mad

*CleanupSpec:* `A`

Gururaj Saileshwar  
gururaj.s@gatech.edu  
Georgia Institute of Technology

# dware countermeasures

## c: Making Speculative Execution Visible in the Cache Hierarchy

### NDA: Preventing Speculative Execution Attacks at Their Source

Ioannis Skarlatos, Adam Morrison\*, Christopher Karayannidis, Ian Neal, Baris Kasikci, Stefanos Kaxiras  
University of Illinois at Urbana-Champaign, University of Michigan, University of Michigan, Uppsala University  
karlat2}@illinois.edu, mazmorr@illinois.edu, ian.neal@umich.edu, baris.kasikci@umich.edu, stefanos.kaxiras@uppsala.se

### Efficient Invisible Speculative Selective Delay and Value Recovery

Ofir Weisse, Thomas F. Wenisch, NDA: Preventing Speculative Execution Attacks at Their Source  
University of Michigan, University of Michigan, University of Illinois at Urbana-Champaign  
ofir.weisse@umich.edu, wenisch@umich.edu, mazmorr@illinois.edu

### Efficient Invisible Speculative Selective Delay and Value Recovery

Kevin Loughlin, Ian Neal, Baris Kasikci, Stefanos Kaxiras  
University of Michigan, University of Michigan, University of Michigan, Uppsala University  
kevin.loughlin@umich.edu, ian.neal@umich.edu, baris.kasikci@umich.edu, stefanos.kaxiras@uppsala.se

# *Approach to Safe Speculation*

*Moinuddin K. Qureshi*  
*moin@gatech.edu*  
Georgia Institute of Technology  
25

Alberto Ros  
University of Murcia  
Murcia, Spain  
[aeros@ditec.um.es](mailto:aeros@ditec.um.es)

# Hardware countermeasures

## InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy

Mengjia Yan<sup>†</sup>, Jiho Choi<sup>†</sup>, Dimitrios Skarlatos, Adam Morrison<sup>\*</sup>  
University of Illinois at Urbana-Champaign  
<sup>†</sup>{myan8, jchoi42, skarlat2}@illinois.edu, <sup>\*</sup>morrison@illinois.edu

Ofir Weisse  
University of Michigan

Thomas F. Wenisch  
University of Michigan

Ian Neal  
University of Michigan

Baris Kasikci  
University of Michigan

Kevin Loughlin  
University of Michigan

Stefanos Kaxiras  
Uppsala University  
stefanos.kaxiras@it.uu.se

Magnus Själander  
Norwegian University of Science and Technology  
Trondheim, Norway  
sjalander@ntnu.no

Alberto Ros  
University of Murcia  
Murcia, Spain  
aros@ditec.unm.es

NDA: Preventing Speculative Execution Attacks at Their Source

Speculative Taint Tracking (STT): A Comprehensive Protection for Speculatively Accessed Data

Jiyong Yu  
University of Illinois at Urbana-Champaign  
jiyong.yu@illinois.edu

Mengjia Yan  
University of Illinois at Urbana-Champaign  
myan8@illinois.edu

Artem Khyzha  
Tel Aviv University  
artkhyzha@mail.tau.ac.il

Moinuddin K. Qureshi  
moin@gatech.edu  
Georgia Institute of Technology

Josep Torrella  
University of Illinois at Urbana-Champaign  
torrella@illinois.edu

Christopher W. Fletcher  
University of Illinois at Urbana-Champaign  
cwfletch@illinois.edu

Approach to Safe Speculation



# Hardware countermeasures

```
1. if (x < A_size)
2.   y = A[x]
3.   z = B[y]
4. end
```

# Hardware countermeasures

```
1. if (x < A_size)
2.     y = A[x]
3.     z = B[y]
4. end
```

Non-speculative

Speculative

# Hardware countermeasures

```
1. if (x < A size)
2.   y = A [x]
3.   z = B [y]
4. end
```

 Non-speculative

 Speculative

# Hardware countermeasures

```
1. if (x < A size)  
2.     y = A [x]  
3.     z = B [y]  
4. end
```

Delay loads until they are no longer speculative

[Sakalis et al., ISCA'19]

Non-speculative

Speculative

# Hardware countermeasures

```
1. if (x < A size)  
2.   y = A [x]  
3.   z = B [y]  
4. end
```

Delay loads until they are no longer speculative

[Sakalis et al., ISCA'19]

Taint speculatively loaded data  
+ delay tainted loads

[STT and NDA, MICRO'19]



Non-speculative



Speculative

# Hardware countermeasures

```
1.   y = A[x]  
2.   if (x < A_size)  
3.       z = B[y]  
4. end
```

# Hardware countermeasures

```
1.   y = A[x]  
2.   if (x < A_size)  
3.       z = B[y]  
4. end
```

 Non-speculative

 Speculative

# Hardware countermeasures

```
1. y = A[x]  
2. if (x < A_size)  
3.     z = B[y]  
4. end
```

Delay loads until they are no longer speculative

[Sakalis et al., ISCA'19]

Non-speculative

Speculative

# Hardware countermeasures

```
1. y = A[x]  
2. if (x < A_size)  
3.     z = B[y]  
4. end
```

Delay loads until they are no longer speculative

[Sakalis et al., ISCA'19]

Taint speculatively loaded data  
+ delay tainted loads  
[STT and NDA, MICRO'19]

Non-speculative

Speculative

# Hardware countermeasures

$$1. \quad \mathbf{y} = \mathbf{A} [\mathbf{x}]$$

Delay loads until they are no longer speculative

[Sakalis et al., ISCA'19]

## Countermeasures block different leaks!

Taint speculatively loaded data  
+ delay tainted loads  
[STT and NDA, MICRO'19]

Non-speculative

Speculative

# Guarantees



-  Vanilla out-of-order (OoO) CPU
-  In-order CPU  
(no speculative execution)
-  OoO CPU+load delay
-  OoO CPU+taint tracking

# Guarantees



3-stage pipeline with **speculative** and **out-of-order** (OoO) execution

Formalized as **operational semantics**

**Attacker** observes part of **microarchitectural state**

|  |                                            |
|--|--------------------------------------------|
|  | Vanilla out-of-order (OoO) CPU             |
|  | In-order CPU<br>(no speculative execution) |
|  | OoO CPU+load delay                         |
|  | OoO CPU+taint tracking                     |

# Guarantees



3-stage pipeline with **speculative** and **out-of-order** (OoO) execution

Formalized as **operational semantics**

**Attacker** observes part of **microarchitectural state**

-  Vanilla out-of-order (OoO) CPU
-  In-order CPU (no speculative execution)
-  OoO CPU+load delay
-  OoO CPU+taint tracking

# Guarantees



**No** speculative and out-of-order execution

Instructions executed ***in-order***



# Guarantees



**No** speculative and out-of-order execution

Instructions executed ***in-order***

**OoO** Vanilla out-of-order (OoO) CPU

**NS** In-order CPU (no speculative execution)

**LD** OoO CPU+load delay

**TT** OoO CPU+taint tracking

# Guarantees



*Delaying loads* until all sources of **speculation are resolved**

Sakalis et al., ISCA'19

- OoO** Vanilla out-of-order (OoO) CPU
- NS** In-order CPU (no speculative execution)
- LD** OoO CPU+load delay
- TT** OoO CPU+taint tracking

# Guarantees



*Delaying loads* until all sources of **speculation** are resolved

Sakalis et al., ISCA'19

-  Vanilla out-of-order (OoO) CPU
-  In-order CPU (no speculative execution)
-  OoO CPU+load delay
-  OoO CPU+taint tracking

# Guarantees



**Taint** speculative data  
**Propagate taint** through computation  
**Delay** tainted operations  
STT and NDA, MICRO'19

- OoO**: Vanilla out-of-order (OoO) CPU
- NS**: In-order CPU (no speculative execution)
- LD**: OoO CPU+load delay
- TT**: OoO CPU+taint tracking

# Guarantees



**Taint** speculative data

**Propagate taint** through computation

**Delay** tainted operations

STT and NDA, MICRO'19

Vanilla out-of-order (OoO) CPU

In-order CPU  
(no speculative execution)

OoO CPU+load delay

OoO CPU+taint tracking

# Characterize and compare security guarantees!



*Propagate taint* through computation

*Delay* tainted operations

STT and NDA, MICRO'19

Vanilla out-of-order (OoO) CPU

In-order CPU (no speculative execution)

OoO CPU+load delay

OoO CPU+taint tracking

# Outline

1. Speculative execution attacks
2. Modeling speculative leaks
3. Hardware-software contracts for secure speculation
4. What about hardware?
5. What about software?
6. Conclusions

# Speculative leaks in programs



Program



CPU with ***speculative  
execution***

= Secure?



# Speculative non-interference

Program  $\mathbf{P}$  is **speculatively non-interferent** if

$$\text{Leakage}(\mathbf{P}, \boxed{\text{chip}}) = \text{Leakage}(\mathbf{P}, \boxed{\text{ghost}})$$

Information leaked by  
executing  $\mathbf{P}$  **without**  
speculative execution

Information leaked by  
executing  $\mathbf{P}$  **with**  
speculative execution

# Speculative non-interference

Program  $\mathbf{P}$  is **speculatively non-interferent** if

$$\text{Leakage}(\mathbf{P}, \boxed{\phantom{\dots}}) = \text{Leakage}(\mathbf{P}, \boxed{\text{ghost}})$$

Executed under **seq-ct**

# Speculative non-interference

Program  $\mathbf{P}$  is **speculatively non-interferent** if

$$\text{Leakage}(\mathbf{P}, \square) = \text{Leakage}(\mathbf{P}, \square)$$

Executed under **seq-ct**

Executed under **spec-ct**

# Speculative non-interference

Program  $\mathbf{P}$  is **speculatively non-interferent** if

$$\text{Leakage}(\mathbf{P}, \boxed{\phantom{\dots}}) = \text{Leakage}(\mathbf{P}, \boxed{\text{ghost}})$$

For all program states  $\sigma$  and  $\sigma'$ :

# Speculative non-interference

Program  $\mathbf{P}$  is **speculatively non-interferent** if

$$\text{Leakage}(\mathbf{P}, \boxed{\phantom{\dots}}) = \text{Leakage}(\mathbf{P}, \boxed{\text{ghost}})$$

For all program states  $\sigma$  and  $\sigma'$ :

$$\mathbf{seq\text{-}ct}(\mathbf{P}, \sigma) = \mathbf{seq\text{-}ct}(\mathbf{P}, \sigma')$$

# Speculative non-interference

Program  $\mathbf{P}$  is **speculatively non-interferent** if

$$\text{Leakage}(\mathbf{P}, \boxed{\phantom{\dots}}) = \text{Leakage}(\mathbf{P}, \boxed{\text{ghost}})$$

For all program states  $\sigma$  and  $\sigma'$ :

$$\begin{aligned} \mathbf{seq\text{-}ct}(\mathbf{P}, \sigma) &= \mathbf{seq\text{-}ct}(\mathbf{P}, \sigma') \\ \Rightarrow \mathbf{spec\text{-}ct}(\mathbf{P}, \sigma) &= \mathbf{spec\text{-}ct}(\mathbf{P}, \sigma') \end{aligned}$$

# Speculative non-interference

```
1. if (x < A_size)
2.     y = A [x]
3.     z = B [y]
4. end
```

# Speculative non-interference

```
1. if (x < A_size)
2.   y = A[x]
3.   z = B[y]
4. end
```



**x**=128  
**A\_size**=16  
**A**[128]=0



**x**=128  
**A\_size**=16  
**A**[128]=1

- Non-speculative
- Speculative

# Speculative non-interference

```
1. if (x < A_size)
2.     y = A[x]
3.     z = B[y]
4. end
```



Non-speculative



Speculative

# Speculative non-interference

```
1. if (x < A_size)
2.   y = A[x]
3.   z = B[y]
4. end
```

- Non-speculative
- Speculative



# Speculative non-interference

```
1. if (x < A_size)
2.   y = A[x]
3.   z = B[y]
4. end
```



Non-speculative

Speculative

# Speculative non-interference

```
1. if (x < A_size)
2.   y = A[x]
3.   z = B[y]
4. end
```

- Non-speculative
- Speculative



# Speculative non-interference

```
1. if (x < A_size)
2.   y = A[x]
3.   z = B[y]
4. end
```

- Non-speculative
- Speculative



# Speculative non-interference



## Spectre v1 violates SNI

3.      $z = B[y]$   
4.     end



- Non-speculative (green)
- Speculative (pink)

# Detecting speculative leaks



```
mov    rax, A_size
mov    rcx, x
cmp    rcx, rax
END
L1: mov    rax, A[rcx]
        mov    rax, B[rax]
```

x64 to μASM

```
        rax <- A_size
        rcx <- x
        jmp  rcx≥rax, END
L1:   load  rax, A + rcx
END:   load  rax, B + rax
```



Check for speculative leaks



# Detecting speculative leaks



```
mov    rax, A_size  
mov    rcx, x  
cmp    rcx, rax  
jae    END  
L1: mov    rax, A[rax]  
       mov    rax, B[rax]
```





# Spectector

<https://spectector.github.io>



Check for speculative leaks

```
rax <- A_size  
rcx <- x  
jmp rcx>=rax, END  
load rax, A + rcx  
load rax, B + rax
```



Symbolic  
execution



# Case study: compiler mitigations

# Case study: compiler mitigations

## *Injection of LFENCEs*

LFENCE **stops** speculation

Compilers (**ICC**, **MSVC**) insert  
LFENCE after **branch instructions**

# Case study: compiler mitigations

## *Injection of LFENCEs*

LFENCE **stops** speculation

Compilers (**ICC**, **MSVC**) insert  
LFENCE after **branch instructions**

```
if (x < A_size)  
y = B[A[x]]
```



```
if (x < A_size)  
lfence  
y = B[A[x]]
```

# Case study: compiler mitigations

## *Injection of LFENCEs*

LFENCE **stops** speculation

Compilers (**ICC**, **MSVC**) insert  
LFENCE after **branch instructions**

```
if (x < A_size)  
    y = B[A[x]]
```



```
if (x < A_size)  
    lfence  
    y = B[A[x]]
```

# Case study: compiler mitigations

## *Injection of LFENCEs*

LFENCE **stops** speculation

Compilers (**ICC**, **MSVC**) insert  
LFENCE after **branch instructions**

```
if (x < A_size)  
y = B[A[x]]
```



```
if (x < A_size)  
lfence  
y = B[A[x]]
```

**ICC** enforces **SNI** (security proof) +  
unnecessary LFENCEs

**MSVC** is **insecure** – leaks checked  
with Spectector

# Outline

1. Speculative execution attacks
2. Modeling speculative leaks
3. Hardware-software contracts for secure speculation
4. What about hardware?
5. What about software?
6. Conclusions

# A problem of (missing) abstractions



# A problem of (missing) abstractions



**Hardware-software  
contract**

# Challenges

We need ***precise*** and ***simple hardware-software contracts*** for ***security***

# Challenges

We need ***precise*** and ***simple hardware-software contracts*** for ***security***

***Challenge 1:*** (Languages and abstractions for) contracts that scale to real-world ISAs + other microarchitectural side-effects

# Challenges

We need ***precise*** and ***simple hardware-software contracts*** for ***security***

***Challenge 1:*** (Languages and abstractions for) contracts that scale to real-world ISAs + other microarchitectural side-effects

***Challenge 2:*** Techniques for testing/verifying if hardware complies with a given contract (or even inferring compliant contract!)

# Challenges

We need ***precise*** and ***simple hardware-software contracts*** for ***security***

***Challenge 1:*** (Languages and abstractions for) contracts that scale to real-world ISAs + other microarchitectural side-effects

***Challenge 2:*** Techniques for testing/verifying if hardware complies with a given contract (or even inferring compliant contract!)

***Challenge 3:*** Contract-aware analysis and secure compilation techniques to enforce program security

# Collaborators

- Boris Köpf @ Microsoft Research
- Jan Reineke @ Saarland University
- José F. Morales @ IMDEA Software
- Pepe Vila @ IMDEA Software
- Andrés Sánchez @ IMDEA Software
- Marco Patrignani @ University of Trento

Supported by Intel Strategic  
Research Alliance (ISRA)  
“Information Flow Tracking  
across the Hardware-  
Software Boundary”

We need ***precise*** and ***simple hardware-software contracts*** for ***security***

***Challenge 1:*** (Languages and abstractions for) contracts that scale to real-world ISAs + other microarchitectural side-effects

***Challenge 2:*** Techniques for testing/verifying if hardware complies with a given contract (or even inferring compliant contract!)

***Challenge 3:*** Contract-aware analysis and secure compilation techniques to enforce program security