

# SimSpect defense specification reference

Guide to defense implementations in SimSpect formal language  
and model notes

# Contents

**For each defense we outline:**

- Defense overview and paper notes
- SimSpect specification of each defense variant
- Implementation notes and mechanisms to exercise in test generation
- Known bugs (if applicable)

**Defenses:**

- STT [Yu+, MICRO '19]
- SpecShield [Barber+, PACT '19]
- NDA [Weisse+, MICRO '19]
- Delay-on-Miss [Sakalis+, ISCA '19]
- SDO [Yu+, ISCA '20]
- SPT [Choudhary+, MICRO '21]
- Recon [Aimoniotus+, MICRO '23]
- Doppelgänger loads [Kvalsvik+, ISCA '23]
- Protean

**Non-applicable defenses**

- Under construction

## Simple alloy model

- **Protection set, Leakage contract, and Execution contract**
  - Relaxations remove instructions, memory/registers, connecting edges from the model
  - Have generic speculation primitives, transmitters
  - Base of GLIFT-style information flow tracking to conservatively measure protection set propagation through the model

# STT

## Speculative Taint Tracking – MICRO ’19

- Defines explicit vs. implicit covert channels
- Stalls **explicit** transmitters until youngest load whose return value influences data becomes nonspeculative (**YROT**)
- Blocks **implicit branch prediction** from operating as a function of tainted data
- Blocks **implicit branch resolution** from transmitting until predicate is nonspeculative
- Untaints the output of an access instruction when all older control flow instructions resolve (ctrl speculation) or when access instruction cannot be squashed (does this in 1 cycle)

# STT

## SimSpect specification

- **Protection set:** all memory. *Propagation: strict dependency + YROT untaint calculus – a. Any speculative access instruction is tainted. b. Other output is tainted if input is tainted. Untainted once YROT nonspeculative. YROT is youngest YROT of args if not AI, or else AI addr. (like DIFT)*
- **Leakage contract:** explicit transmitter set user-defined, implicit transmitters also handled by aforementioned prediction and resolution taint blocks
- **Execution contract:** Architect-defined visibility point (at head of ROB, or oldest unresolved branch)

# STT

## Mechanisms to exercise

- **Leakage contract:** must complicate transmitter tracking – implicit transmitters are blocked at both prediction and resolution, have two elements for those components and enable probing of relevant state for both
- **Taint tracking:** first example of taint tracking, propagate direct dependencies GLIFT-style through the program
  - Basis for the model data-dependency propagation
  - Relax the data-dependency edges by removing them
    - This is sufficient because we do not check for overprotection, so no point in increasing the number of edges

# STT

## Known bugs

- **Store transmitters**
  - STT does not consider stores to be transmitters. This is in line with their paper and security definitions but not in line with real life or gem5

# SpecShield

## SpecShield – PACT ’19

- **STL** – delays ALs for the duration of speculation, being defined as reaching the head of the ROB
- **ERP** – delays ALs for the duration of speculation, by waiting until all older branches are resolved and nonspeculative and all older loads and stores have no faults (nothing is speculative)
- **ERP+** – tracks taint and allows low leakage instructions to see ALs of speculative things as long as they don't pass to high leakage things
- Handles speculation primitives: meltdown, branch misprediction, memory alias misprediction, control flow hijacking
- ONLY defends memory secrets, not register secrets, through AL provision

# SpecShield

## SpecShield-STL SimSpect specification

- **Protection set:** All memory. *Propagation: strict dependency – a. Any speculative access instruction is protected. b. Other output is protected if input is protected (conservative because this should not be exercised because cut off at AI)*
- **Leakage contract:** Transmitter type irrelevant, should protect for all
- **Execution contract:** Instructions must reach the head of the ROB to become non-speculative

# SpecShield

## SpecShield-ERP SimSpect specification

- **Protection set:** All memory. *Propagation: strict dependency – a. Any speculative access instruction is protected. b. Other output is protected if input is protected (conservative because this should not be exercised because cut off at AI)*
- **Leakage contract:** Transmitter type irrelevant, should protect for all
- **Execution contract:** Instructions are non-speculative at head of ROB, but also before head of ROB if  $\nexists$  older unresolved branches, and  $\nexists$  unresolved or faulted older loads and stores

# SpecShield

## SpecShield-ERP+ SimSpect specification

- **Protection set:** All memory. *Propagation: strict dependency – a. Any speculative access instruction is protected. b. Other output is protected if input is protected*
- **Leakage contract:** High-likelihood transmitters
- **Execution contract:** Instructions are non-speculative at head of ROB, but also before head of ROB if  $\nexists$  older unresolved branches, and  $\nexists$  unresolved or faulted older loads and stores

# NDA

## Non-speculative Data Access — MICRO '19

- Two types of attacks
  - Control steering, victim control flow leaks its own information
  - Chosen code, attacker uses their own code to violate permissions speculatively
- An instruction is **safe** if not after a branch with unresolved target and direction or a store with an unresolved address
- When a microop resolves, mark things safe until the next outstanding speculation primitive
  - Delay broadcast of outputs until safe
- Strict vs permissive propagation version, which only treats loads as ALs (only protects memory)

# NDA

## NDA-S SimSpec<sup>t</sup> specification

- **Protection set:** all memory and registers. *Propagation: strict dependency –*  
*a. Any speculative access instruction is protected. b. Other output is protected if input is protected*
- **Leakage contract:** Transmitter type irrelevant, should protect for all
- **Execution contract:** Instructions are non-speculative at head of ROB, but also before head of ROB if  $\nexists$  older branches with unresolved target or address, and  $\nexists$  stores with unresolved address

# NDA

## NDA-P SimSpec<sup>t</sup> specification

- **Protection set:** all memory. *Propagation: strict dependency – a. Any speculative access instruction is protected. b. Other output is protected if input is protected*
- **Leakage contract:** Transmitter type irrelevant, should protect for all
- **Execution contract:** Instructions are non-speculative at head of ROB, but also before head of ROB if  $\nexists$  older branches with unresolved target or address, and  $\nexists$  stores with unresolved address

# DoM

## Delay-on-Miss — ISCA '19

- Blocks speculative loads from transmitting by allowing them to go to L1 cache but no further, so they don't exhibit data-dependent timing or prime the cache
- Doesn't discriminate between non-speculatively and speculatively acquired secrets
- Used value prediction to speed up secure speculation
- Has both eager and normal speculation modes

# DoM

## SimSpect specification

- **Protection set:** All registers and memory
- **Leakage contract:** Protects against load-address transmission only
- **Execution contract:** Protects instructions that fall under *shadows*:
  - E-Shadows – instructions that can generate exceptions
  - C-Shadows – control instructions with an unknown address or condition
  - D-Shadows – load dependencies due to stores with unknown addresses because of STL forwarding
  - M-Shadows – under strict memory models, load reordering could lead to squashes

# SDO

## Speculative Data-Oblivious Execution — ISCA '20

- Insight: Because of STT implicit branch stopping, the predictor is safe. There should be no tainted data affecting a predictor
  - Squashes are revealable because they happen only when predicate is no longer tainted
  - Only be concerned about explicit transmitters
- Translate into a set of transmitter functions that cover path variability, and then predict path based on nonspeculative data (squashes are fine)
- Predict based on PC
- Loads are the complicated aspect, load function hides timing but not address leakage, must still block these types of leaks

# SDO

## SimSpect specification

- **Protection set:** all memory. *Propagation: STT - strict dependency + YROT untaint calculus – a. Any speculative access instruction is tainted. b. Other output is tainted if input is tainted. Untainted once YROT nonspeculative. YROT is youngest YROT of args if not AI, or else AI addr.*
- **Leakage contract:** implicit transmitters handled by aforementioned prediction and resolution taint blocks as in STT, explicit transmitters refactored such that  $\mu$ paths don't vary based on data
- **Execution contract:** Architect-defined visibility point (at head of ROB, or oldest unresolved branch)

# SPT

## Speculative Privacy Tracking – MICRO '21

- STT modified with declassification pass back based on implicit instruction functions for leakage propagation
- SNI – does not protect against things that haven't already leaked
- DOES NOT discriminate between partial vs full leakage of an instruction
- Delayed execution protection policy

# SPT

## SimSpect specification

- **Protection set:** all memory.
- *Propagation: Untainting when an operand is transmitted by a non-speculative transmit or branch, followed by propagation:*
  - *Forward output untainting: if all operands untainted, output untainted*
  - *Backward input untainting: if mov or invertible arith, a singular tainted input is untainted if everything else is*
  - *STL load address transmission untainting*
- **Leakage contract:** explicit transmitter set user-defined, implicit transmitters also handled by aforementioned prediction and resolution taint blocks
- **Execution contract:** Visibility point

# SPT

## Mechanisms to exercise

- If we don't just want a conservative non-taint logic, need to differentiate between instructions at a finer granularity such that we can properly cover the untainting

# SPT

## Known bugs

- **Subregister writing**
  - X86 artifact that you can write subregisters, unprotects half-written secrets but then the unaligned load can leak information
  - Gem5 issues 2 separate calls and SPT unprotects both loads because it has byte granularity protection but assumes the memory access hits the whole thing
- **Rename stage**
  - Default to mark registers as unprotected, then protect when renamed

# ReCon

## RevealConceal — Micro '23

- Tracking non-speculative leakage is a good security definition, but carries a lot of overhead in tracking complexity (SPT)
- Insight: the majority of these non-speculative leakage events are pointer dereferences (load address transmissions)
- STT has loss of MLP in prohibition of load-load dependencies
- Only track pointer dereference s.t. we can limit overhead

# ReCon

## ReCon-STT SimSpect specification

- **Protection set:** all memory. *Propagation: STT propagation - data leaked non-speculatively by a load-load pair address transmission*
- **Leakage contract:** explicit transmitter set user-defined, implicit transmitters also handled by aforementioned STT prediction and resolution taint blocks
- **Execution contract:** Shadows, as in DoM

# ReCon

## ReCon-NDA SimSpect specification

- **Protection set:** all memory. *Propagation: STT propagation - data leaked non-speculatively by a load-load pair address transmission*
- **Leakage contract:** all transmitters
- **Execution contract:** Shadows, as in DoM

# ReCon

## Known bugs

- **STT load order bug**
  - Stalls transmitters until oldest load that the sensitive op depends on has become nonspeculative (should be youngest)
- **Secondary STT bug**
  - Untaints register when the youngest load it depends on reads unprotected memory, but if there are multiple you must check all speculative loads it depends on
- **Memory unprotection protection set tracking bug**
  - Recon unprotects secret memory when an interleaved store makes the memory secret but its prior value leaks later

# ReCon

## STT load order bug

Recon stalls transmitters until oldest load that the sensitive operand depends on, should be the youngest.



# ReCon

## Known bug in memory unprotection

ReCon unprotects memory when it is leaked nonspeculatively despite there being an interleaved secret store.

Protection set  
(erroneous protection set)

{sec, m1}

{sec, m1, a}

{sec, b} {sec, m1, a}

{sec, b} {sec, m1, b, c}

{sec, b} {sec, m1, b, d}

**Execution**  
**Instruction**

Equivalence class 1,  
leaked and unprotected



Misinterpreted fr edge



**Hypothesis:** Consider the equivalence classes of arch. state tracked by a defense. Poor protection set tracking occurs when non-rf edges are misinterpreted to collapse equivalence classes

**Equivalence set** to the output of instruction  $i$  at its execution time = what state could be unprotected by transmission at  $i = i \cdot (\neg rf + rf) \wedge (\neg po)$

Transmit a  
Recon thinks m1 leaked,  
unprotects m1 and a,  
splits protection sets

Transmit c  
Sec leaked

# ReCon

## Secondary STT bug

IN PROGRESS

bad execution:

- prot m1
- spec (true)
- load ra from m1
- spec (false)
- load ra from m2
- load rb from m\[ra] \*leak ra\*

# Doppelganger Loads

## Doppelganger Loads – ISCA ’23

- SDO helps with the MLP problem but doesn't neatly conceal load address, just load timing behavior
- Insight: predict load addresses with *doppelganger loads* that predict load address and load information from memory without predicated on speculative data
- Threat-model transparent!

# Doppelganger Loads

## DL-NDA SimSpect specification

- **Protection set:** all memory. *Propagation: strict dependency – a. Any speculative access instruction is protected. b. Other output is protected if input is protected*
- **Leakage contract:** Transmitter type irrelevant, should protect for all
- **Execution contract:** Instructions are non-speculative at head of ROB, but also before head of ROB if  $\nexists$  older branches with unresolved target or address, and  $\nexists$  stores with unresolved address

# Doppelganger Loads

## DL-STT SimSpec specification

- **Protection set:** all memory. *Propagation: strict dependency + YROT untaint calculus – a. Any speculative access instruction is tainted. b. Other output is tainted if input is tainted. Untainted once YROT nonspeculative. YROT is youngest YROT of args if not AI, or else AI addr. (like DIFT)*
- **Leakage contract:** explicit transmitter set user-defined, implicit transmitters also handled by aforementioned prediction and resolution taint blocks
- **Execution contract:** Architect-defined visibility point (at head of ROB, or oldest unresolved branch)

# Doppelganger Loads

## DL-DoM SimSpect specification

- **Protection set:** All registers and memory
- **Leakage contract:** Protects against load-address transmission only
- **Execution contract:** Protects instructions that fall under *shadows*:
  - E-Shadows – instructions that can generate exceptions
  - C-Shadows – control instructions with an unknown address or condition
  - D-Shadows – load dependencies due to stores with unknown addresses because of STL forwarding
  - M-Shadows – under strict memory models, load reordering could lead to squashes

# Protean

## Mechanisms to exercise

- Under construction

# Non-applicable defenses

Todo