New Models for Understanding and Reasoning about Speculative Execution Attacks

by   Zecheng He, et al.

Spectre and Meltdown attacks and their variants exploit hardware performance optimization features to cause security breaches. Secret information is accessed and leaked through covert or side channels. New attack variants keep appearing and we do not have a systematic way to capture the critical characteristics of these attacks and evaluate why they succeed or fail. In this paper, we provide a new attack-graph model for reasoning about speculative execution attacks. We model attacks as ordered dependency graphs, and prove that a race condition between two nodes can occur if there is a missing dependency edge between them. We define a new concept, "security dependency", between a resource access and its prior authorization operation. We show that a missing security dependency is equivalent to a race condition between authorization and access, which is a root cause of speculative execution attacks. We show detailed examples of how our attack graph models the Spectre and Meltdown attacks, and is generalizable to all the attack variants published so far. This attack model is also very useful for identifying new attacks and for generalizing defense strategies. We identify several defense strategies with different performance-security tradeoffs. We show that the defenses proposed so far all fit under one of our defense strategies. We also explain how attack graphs can be constructed and point to this as promising future work for tool designers.


page 1

page 2

page 3

page 4


A Retrospective and Futurespective of Rowhammer Attacks and Defenses on DRAM

Rowhammer has drawn much attention from both academia and industry in th...

SPECTECTOR: Principled Detection of Speculative Information Flows

Since the advent of SPECTRE, a number of countermeasures have been propo...

Defending Against Stealthy Backdoor Attacks

Defenses against security threats have been an interest of recent studie...

A Systematic Evaluation of Transient Execution Attacks and Defenses

Modern processor optimizations such as branch prediction and out-of-orde...

Data Poisoning Won't Save You From Facial Recognition

Data poisoning has been proposed as a compelling defense against facial ...

Less is More: Exploiting Social Trust to Increase the Effectiveness of a Deception Attack

Cyber attacks such as phishing, IRS scams, etc., still are successful in...

ProPatrol: Attack Investigation via Extracted High-Level Tasks

Kernel audit logs are an invaluable source of information in the forensi...