Skip to main content

Spectre attacks: Exploiting speculative execution

Authors

Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Haburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwartz and Yuval Yarom

Google

DATA61

Independent

Graz University of Technology

Rambus

Cyberus Technology

G DATA Advanced Analytics

University of Pennsylvania & University of Maryland

Abstract

Modern processors use branch prediction and speculative execution to maximize performance. For example, if the destination of a branch depends on a memory value that is in the process of being read, CPUs will try to guess the destination and attempt to execute ahead. When the memory value finally arrives, the CPU either discards or commits the speculative computation. Speculative logic is unfaithful in how it executes, can access the victim’s memory and registers, and can perform operations with measurable side effects. Spectre attacks involve inducing a victim to speculatively perform operations that would not occur during correct program execution and which leak the victim’s confidential information via a side channel to the adversary. This paper describes practical attacks that combine methodology from side channel attacks, fault attacks, and return-oriented programming that can read arbitrary memory from the victim’s process. More broadly, the paper shows that speculative execution implementations violate the security assumptions underpinning numerous software security mechanisms, including operating system process separation, containerization, just-in-time (JIT) compilation, and countermeasures to cache timing and side-channel attacks. These attacks represent a serious threat to actual systems since vulnerable speculative execution capabilities are found in microprocessors from Intel, AMD, and ARM that are used in billions of devices. While makeshift processor-specific countermeasures are possible in some cases, sound solutions will require fixes to processor designs as well as updates to instruction set architectures (ISAs) to give hardware architects and software developers a common understanding as to what computation state CPU implementations are (and are not) permitted to leak.

BibTeX Entry

  @inproceedings{Kocher_HFGGHHLMPSY_19,
    publisher        = {IEEE},
    booktitle        = {IEEE Symposium on Security and Privacy},
    author           = {Kocher, Paul and Horn, Jann and Fogh, Anders and Genkin, Daniel and Gruss, Daniel and Haas, Werner
                        and Haburg, Mike and Lipp, Moritz and Mangard, Stefan and Prescher, Thomas and Schwartz, Michael and
                        Yarom, Yuval},
    month            = may,
    year             = {2019},
    date             = {2019-5-20},
    title            = {Spectre Attacks: Exploiting Speculative Execution},
    pages            = {19-37},
    address          = {San Francisco}
  }

Download

Served by Apache on Linux on seL4.