Speculose: Analyzing the Security Implications of Speculative Execution in CPUs

01/12/2018
by Giorgi Maisuradze, et al.

Whenever modern CPUs encounter a conditional branch whose condition cannot be evaluated yet, they predict the likely branch target and speculatively execute code. Such pipelining is key to optimizing runtime performance and has been incorporated in CPUs for more than 15 years. In this paper, to the best of our knowledge, we are the first to study the inner workings and the security implications of such speculative execution. We revisit the assumption that speculatively executed code leaves no traces if it is not committed. We reveal several measurable side effects that allow adversaries to enumerate mapped memory pages and to read arbitrary memory, all using only speculated code that was never fully executed. To demonstrate the practicality of such attacks, we show how a user-space adversary can probe for kernel pages to reliably break kernel-level ASLR in Linux in under three seconds and reduce the Windows 10 KASLR entropy by 18 bits in less than a second.
