SPECCFI: Mitigating Spectre Attacks using CFI Informed Speculation

Spectre attacks and their many subsequent variants are a new vulnerability class for modern CPUs. The attacks rely on the ability to misguide/hijack speculative execution, generally by exploiting the branch prediction structures, to execute a vulnerable code sequence speculatively. In this paper, we propose to use Control-Flow Integrity (CFI), a security technique used to stop control-flow hijacking attacks, on the committed path to prevent speculative control-flow from being hijacked to launch the most dangerous variants of the Spectre attacks (Spectre-BTB and Spectre-RSB). Specifically, CFI attempts to constrain the target of an indirect branch to a set of legal targets defined by a pre-calculated control-flow graph (CFG). As CFI is being adopted by commodity software (e.g., Windows and Android) and commodity hardware (e.g., Intel's CET and ARM's BTI), the CFI information could be readily available through the hardware CFI extensions. With the CFI information, we apply CFI principles to also constrain illegal control-flow during speculative execution. SpecCFI ensures that control flow instructions target legal destinations to constrain dangerous speculation on forward control-flow paths (indirect calls and branches). We complement our solution with a precise speculation-aware hardware stack to constrain speculation on backward control-flow edges (returns). We combine this solution with existing solutions against branch target predictor attacks (Spectre-PHT) to close all non-vendor-specific Spectre vulnerabilities. We show that SpecCFI results in small overheads both in terms of performance and additional hardware complexity.


page 1

page 10


Shining Light On Shadow Stacks

Control-Flow Hijacking attacks are the dominant attack vector to comprom...

Mitigating Branch-Shadowing Attacks on Intel SGX using Control Flow Randomization

Intel Software Guard Extensions (SGX) is a promising hardware-based tech...

FineIBT: Fine-grain Control-flow Enforcement with Indirect Branch Tracking

We present the design, implementation, and evaluation of FineIBT: a CFI ...

DARM: Control-Flow Melding for SIMT Thread Divergence Reduction – Extended Version

GPGPUs use the Single-Instruction-Multiple-Thread (SIMT) execution model...

Mitigating Speculation-based Attacks through Configurable Hardware/Software Co-design

New speculation-based attacks that affect large numbers of modern system...

Restricting Control Flow During Speculative Execution with Venkman

Side-channel attacks such as Spectre that utilize speculative execution ...

Proconda – Protected Control Data

Memory corruption vulnerabilities often enable attackers to take control...

Please sign up or login with your details

Forgot password? Click here to reset