Spectre Attacks: Exploiting Speculative Execution

by   Paul Kocher, et al.

Modern processors use branch prediction and speculative execution to maximize performance. For example, if the destination of a branch depends on a memory value that is in the process of being read, CPUs will try guess the destination and attempt to execute ahead. When the memory value finally arrives, the CPU either discards or commits the speculative computation. Speculative logic is unfaithful in how it executes, can access to the victim's memory and registers, and can perform operations with measurable side effects. Spectre attacks involve inducing a victim to speculatively perform operations that would not occur during correct program execution and which leak the victim's confidential information via a side channel to the adversary. This paper describes practical attacks that combine methodology from side channel attacks, fault attacks, and return-oriented programming that can read arbitrary memory from the victim's process. More broadly, the paper shows that speculative execution implementations violate the security assumptions underpinning numerous software security mechanisms, including operating system process separation, static analysis, containerization, just-in-time (JIT) compilation, and countermeasures to cache timing/side-channel attacks. These attacks represent a serious threat to actual systems, since vulnerable speculative execution capabilities are found in microprocessors from Intel, AMD, and ARM that are used in billions of devices. While makeshift processor-specific countermeasures are possible in some cases, sound solutions will require fixes to processor designs as well as updates to instruction set architectures (ISAs) to give hardware architects and software developers a common understanding as to what computation state CPU implementations are (and are not) permitted to leak.


page 1

page 2

page 3

page 4


Adversarial Prefetch: New Cross-Core Cache Side Channel Attacks

On modern x86 processors, data prefetching instructions can be used by p...

SgxPectre Attacks: Leaking Enclave Secrets via Speculative Execution

This paper presents SgxPectre Attacks that exploit the recently disclose...

BasicBlocker: Redesigning ISAs to Eliminate Speculative-Execution Attacks

Recent research has revealed an ever-growing class of microarchitectural...

Taking a Look into Execute-Only Memory

The development process of microcontroller firmware often involves multi...

Efficiently Hardening SGX Enclaves against Memory Access Pattern Attacks via Dynamic Program Partitioning

Intel SGX is known to be vulnerable to a class of practical attacks expl...

Evaluation of Cache Attacks on Arm Processors and Secure Caches

Timing-based side and covert channels in processor caches continue to be...

Speculose: Analyzing the Security Implications of Speculative Execution in CPUs

Whenever modern CPUs encounter a conditional branch for which the condit...

Please sign up or login with your details

Forgot password? Click here to reset