Spectre Attacks: Exploiting Speculative Execution

Spectre Attacks: Exploiting Speculative Execution

Modern processors use branch prediction and speculative execution to maximize performance. For example, if the destination of a branch depends on a memory value that is in the process of being read, CPUs will try to guess the destination and attempt to execute ahead. When the memory value finally ar...

Ausführliche Beschreibung

Gespeichert in:
Bibliographische Detailangaben
Hauptverfasser: Kocher, Paul, Horn, Jann, Fogh, Anders, Genkin, Daniel, Gruss, Daniel, Haas, Werner, Hamburg, Mike, Lipp, Moritz, Mangard, Stefan, Prescher, Thomas, Schwarz, Michael, Yarom, Yuval
Format: Tagungsbericht
Sprache:eng
Schlagworte:
Arrays
Hardware
microarchitectural-attack
Microarchitecture
microarchitecture-security
Program processors
Registers
Side-channel attacks
Spectre
speculative-execution
Transient analysis
Online-Zugang:Volltext bestellen
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
container_end_page 19
container_issue
container_start_page 1
container_title
container_volume
creator Kocher, Paul
Horn, Jann
Fogh, Anders
Genkin, Daniel
Gruss, Daniel
Haas, Werner
Hamburg, Mike
Lipp, Moritz
Mangard, Stefan
Prescher, Thomas
Schwarz, Michael
Yarom, Yuval
description Modern processors use branch prediction and speculative execution to maximize performance. For example, if the destination of a branch depends on a memory value that is in the process of being read, CPUs will try to guess the destination and attempt to execute ahead. When the memory value finally arrives, the CPU either discards or commits the speculative computation. Speculative logic is unfaithful in how it executes, can access the victim's memory and registers, and can perform operations with measurable side effects. Spectre attacks involve inducing a victim to speculatively perform operations that would not occur during correct program execution and which leak the victim's confidential information via a side channel to the adversary. This paper describes practical attacks that combine methodology from side channel attacks, fault attacks, and return-oriented programming that can read arbitrary memory from the victim's process. More broadly, the paper shows that speculative execution implementations violate the security assumptions underpinning numerous software security mechanisms, including operating system process separation, containerization, just-in-time (JIT) compilation, and countermeasures to cache timing and side-channel attacks. These attacks represent a serious threat to actual systems since vulnerable speculative execution capabilities are found in microprocessors from Intel, AMD, and ARM that are used in billions of devices. While makeshift processor-specific countermeasures are possible in some cases, sound solutions will require fixes to processor designs as well as updates to instruction set architectures (ISAs) to give hardware architects and software developers a common understanding as to what computation state CPU implementations are (and are not) permitted to leak.
doi_str_mv 10.1109/SP.2019.00002
format Conference Proceeding
fullrecord <record><control><sourceid>ieee_RIE</sourceid><recordid>TN_cdi_ieee_primary_8835233</recordid><sourceformat>XML</sourceformat><sourcesystem>PC</sourcesystem><ieee_id>8835233</ieee_id><sourcerecordid>8835233</sourcerecordid><originalsourceid>FETCH-LOGICAL-c302t-5faa5297b35b6545763a02ee56b46ee652bf14cd382a26574d0db67dd245b0e73</originalsourceid><addsrcrecordid>eNotjM1OwzAQhA0SEqX0yIlLXiDB3vXaMbeqKj9SJZAK58pONsgQ2igxCN4eI_guM5oZjRAXSlZKSXe1faxAKlfJDByJhbO1IqxNRrpjMQO0VCqQ9lScTdNrHkl0eibUduAmjVwsU_LN23RdrL-G_hBT3L8Uv91H71P85Bxnn-Jhfy5OOt9PvPjXuXi-WT-t7srNw-39arkpG5SQSuq8J3A2IAVDmqxBL4GZTNCG2RCETummxRo8GLK6lW0wtm1BU5BscS4u_34jM--GMb778XtX10iAiD_68kLb</addsrcrecordid><sourcetype>Publisher</sourcetype><iscdi>true</iscdi><recordtype>conference_proceeding</recordtype></control><display><type>conference_proceeding</type><title>Spectre Attacks: Exploiting Speculative Execution</title><source>IEEE Electronic Library (IEL)</source><creator>Kocher, Paul ; Horn, Jann ; Fogh, Anders ; Genkin, Daniel ; Gruss, Daniel ; Haas, Werner ; Hamburg, Mike ; Lipp, Moritz ; Mangard, Stefan ; Prescher, Thomas ; Schwarz, Michael ; Yarom, Yuval</creator><creatorcontrib>Kocher, Paul ; Horn, Jann ; Fogh, Anders ; Genkin, Daniel ; Gruss, Daniel ; Haas, Werner ; Hamburg, Mike ; Lipp, Moritz ; Mangard, Stefan ; Prescher, Thomas ; Schwarz, Michael ; Yarom, Yuval</creatorcontrib><description>Modern processors use branch prediction and speculative execution to maximize performance. For example, if the destination of a branch depends on a memory value that is in the process of being read, CPUs will try to guess the destination and attempt to execute ahead. When the memory value finally arrives, the CPU either discards or commits the speculative computation. Speculative logic is unfaithful in how it executes, can access the victim's memory and registers, and can perform operations with measurable side effects. Spectre attacks involve inducing a victim to speculatively perform operations that would not occur during correct program execution and which leak the victim's confidential information via a side channel to the adversary. This paper describes practical attacks that combine methodology from side channel attacks, fault attacks, and return-oriented programming that can read arbitrary memory from the victim's process. More broadly, the paper shows that speculative execution implementations violate the security assumptions underpinning numerous software security mechanisms, including operating system process separation, containerization, just-in-time (JIT) compilation, and countermeasures to cache timing and side-channel attacks. These attacks represent a serious threat to actual systems since vulnerable speculative execution capabilities are found in microprocessors from Intel, AMD, and ARM that are used in billions of devices. While makeshift processor-specific countermeasures are possible in some cases, sound solutions will require fixes to processor designs as well as updates to instruction set architectures (ISAs) to give hardware architects and software developers a common understanding as to what computation state CPU implementations are (and are not) permitted to leak.</description><identifier>EISSN: 2375-1207</identifier><identifier>EISBN: 9781538666609</identifier><identifier>EISBN: 153866660X</identifier><identifier>DOI: 10.1109/SP.2019.00002</identifier><language>eng</language><publisher>IEEE</publisher><subject>Arrays ; Hardware ; microarchitectural-attack ; Microarchitecture ; microarchitecture-security ; Program processors ; Registers ; Side-channel attacks ; Spectre ; speculative-execution ; Transient analysis</subject><ispartof>2019 IEEE Symposium on Security and Privacy (SP), 2019, p.1-19</ispartof><oa>free_for_read</oa><woscitedreferencessubscribed>false</woscitedreferencessubscribed><citedby>FETCH-LOGICAL-c302t-5faa5297b35b6545763a02ee56b46ee652bf14cd382a26574d0db67dd245b0e73</citedby></display><links><openurl>$$Topenurl_article</openurl><openurlfulltext>$$Topenurlfull_article</openurlfulltext><thumbnail>$$Tsyndetics_thumb_exl</thumbnail><linktohtml>$$Uhttps://ieeexplore.ieee.org/document/8835233$$EHTML$$P50$$Gieee$$H</linktohtml><link.rule.ids>309,310,780,784,789,790,796,27924,54757</link.rule.ids><linktorsrc>$$Uhttps://ieeexplore.ieee.org/document/8835233$$EView_record_in_IEEE$$FView_record_in_$$GIEEE</linktorsrc></links><search><creatorcontrib>Kocher, Paul</creatorcontrib><creatorcontrib>Horn, Jann</creatorcontrib><creatorcontrib>Fogh, Anders</creatorcontrib><creatorcontrib>Genkin, Daniel</creatorcontrib><creatorcontrib>Gruss, Daniel</creatorcontrib><creatorcontrib>Haas, Werner</creatorcontrib><creatorcontrib>Hamburg, Mike</creatorcontrib><creatorcontrib>Lipp, Moritz</creatorcontrib><creatorcontrib>Mangard, Stefan</creatorcontrib><creatorcontrib>Prescher, Thomas</creatorcontrib><creatorcontrib>Schwarz, Michael</creatorcontrib><creatorcontrib>Yarom, Yuval</creatorcontrib><title>Spectre Attacks: Exploiting Speculative Execution</title><title>2019 IEEE Symposium on Security and Privacy (SP)</title><addtitle>SP</addtitle><description>Modern processors use branch prediction and speculative execution to maximize performance. For example, if the destination of a branch depends on a memory value that is in the process of being read, CPUs will try to guess the destination and attempt to execute ahead. When the memory value finally arrives, the CPU either discards or commits the speculative computation. Speculative logic is unfaithful in how it executes, can access the victim's memory and registers, and can perform operations with measurable side effects. Spectre attacks involve inducing a victim to speculatively perform operations that would not occur during correct program execution and which leak the victim's confidential information via a side channel to the adversary. This paper describes practical attacks that combine methodology from side channel attacks, fault attacks, and return-oriented programming that can read arbitrary memory from the victim's process. More broadly, the paper shows that speculative execution implementations violate the security assumptions underpinning numerous software security mechanisms, including operating system process separation, containerization, just-in-time (JIT) compilation, and countermeasures to cache timing and side-channel attacks. These attacks represent a serious threat to actual systems since vulnerable speculative execution capabilities are found in microprocessors from Intel, AMD, and ARM that are used in billions of devices. While makeshift processor-specific countermeasures are possible in some cases, sound solutions will require fixes to processor designs as well as updates to instruction set architectures (ISAs) to give hardware architects and software developers a common understanding as to what computation state CPU implementations are (and are not) permitted to leak.</description><subject>Arrays</subject><subject>Hardware</subject><subject>microarchitectural-attack</subject><subject>Microarchitecture</subject><subject>microarchitecture-security</subject><subject>Program processors</subject><subject>Registers</subject><subject>Side-channel attacks</subject><subject>Spectre</subject><subject>speculative-execution</subject><subject>Transient analysis</subject><issn>2375-1207</issn><isbn>9781538666609</isbn><isbn>153866660X</isbn><fulltext>true</fulltext><rsrctype>conference_proceeding</rsrctype><creationdate>2019</creationdate><recordtype>conference_proceeding</recordtype><sourceid>6IE</sourceid><sourceid>RIE</sourceid><recordid>eNotjM1OwzAQhA0SEqX0yIlLXiDB3vXaMbeqKj9SJZAK58pONsgQ2igxCN4eI_guM5oZjRAXSlZKSXe1faxAKlfJDByJhbO1IqxNRrpjMQO0VCqQ9lScTdNrHkl0eibUduAmjVwsU_LN23RdrL-G_hBT3L8Uv91H71P85Bxnn-Jhfy5OOt9PvPjXuXi-WT-t7srNw-39arkpG5SQSuq8J3A2IAVDmqxBL4GZTNCG2RCETummxRo8GLK6lW0wtm1BU5BscS4u_34jM--GMb778XtX10iAiD_68kLb</recordid><startdate>20190501</startdate><enddate>20190501</enddate><creator>Kocher, Paul</creator><creator>Horn, Jann</creator><creator>Fogh, Anders</creator><creator>Genkin, Daniel</creator><creator>Gruss, Daniel</creator><creator>Haas, Werner</creator><creator>Hamburg, Mike</creator><creator>Lipp, Moritz</creator><creator>Mangard, Stefan</creator><creator>Prescher, Thomas</creator><creator>Schwarz, Michael</creator><creator>Yarom, Yuval</creator><general>IEEE</general><scope>6IE</scope><scope>6IH</scope><scope>CBEJK</scope><scope>RIE</scope><scope>RIO</scope></search><sort><creationdate>20190501</creationdate><title>Spectre Attacks: Exploiting Speculative Execution</title><author>Kocher, Paul ; Horn, Jann ; Fogh, Anders ; Genkin, Daniel ; Gruss, Daniel ; Haas, Werner ; Hamburg, Mike ; Lipp, Moritz ; Mangard, Stefan ; Prescher, Thomas ; Schwarz, Michael ; Yarom, Yuval</author></sort><facets><frbrtype>5</frbrtype><frbrgroupid>cdi_FETCH-LOGICAL-c302t-5faa5297b35b6545763a02ee56b46ee652bf14cd382a26574d0db67dd245b0e73</frbrgroupid><rsrctype>conference_proceedings</rsrctype><prefilter>conference_proceedings</prefilter><language>eng</language><creationdate>2019</creationdate><topic>Arrays</topic><topic>Hardware</topic><topic>microarchitectural-attack</topic><topic>Microarchitecture</topic><topic>microarchitecture-security</topic><topic>Program processors</topic><topic>Registers</topic><topic>Side-channel attacks</topic><topic>Spectre</topic><topic>speculative-execution</topic><topic>Transient analysis</topic><toplevel>online_resources</toplevel><creatorcontrib>Kocher, Paul</creatorcontrib><creatorcontrib>Horn, Jann</creatorcontrib><creatorcontrib>Fogh, Anders</creatorcontrib><creatorcontrib>Genkin, Daniel</creatorcontrib><creatorcontrib>Gruss, Daniel</creatorcontrib><creatorcontrib>Haas, Werner</creatorcontrib><creatorcontrib>Hamburg, Mike</creatorcontrib><creatorcontrib>Lipp, Moritz</creatorcontrib><creatorcontrib>Mangard, Stefan</creatorcontrib><creatorcontrib>Prescher, Thomas</creatorcontrib><creatorcontrib>Schwarz, Michael</creatorcontrib><creatorcontrib>Yarom, Yuval</creatorcontrib><collection>IEEE Electronic Library (IEL) Conference Proceedings</collection><collection>IEEE Proceedings Order Plan (POP) 1998-present by volume</collection><collection>IEEE Xplore All Conference Proceedings</collection><collection>IEEE Electronic Library (IEL)</collection><collection>IEEE Proceedings Order Plans (POP) 1998-present</collection></facets><delivery><delcategory>Remote Search Resource</delcategory><fulltext>fulltext_linktorsrc</fulltext></delivery><addata><au>Kocher, Paul</au><au>Horn, Jann</au><au>Fogh, Anders</au><au>Genkin, Daniel</au><au>Gruss, Daniel</au><au>Haas, Werner</au><au>Hamburg, Mike</au><au>Lipp, Moritz</au><au>Mangard, Stefan</au><au>Prescher, Thomas</au><au>Schwarz, Michael</au><au>Yarom, Yuval</au><format>book</format><genre>proceeding</genre><ristype>CONF</ristype><atitle>Spectre Attacks: Exploiting Speculative Execution</atitle><btitle>2019 IEEE Symposium on Security and Privacy (SP)</btitle><stitle>SP</stitle><date>2019-05-01</date><risdate>2019</risdate><spage>1</spage><epage>19</epage><pages>1-19</pages><eissn>2375-1207</eissn><eisbn>9781538666609</eisbn><eisbn>153866660X</eisbn><abstract>Modern processors use branch prediction and speculative execution to maximize performance. For example, if the destination of a branch depends on a memory value that is in the process of being read, CPUs will try to guess the destination and attempt to execute ahead. When the memory value finally arrives, the CPU either discards or commits the speculative computation. Speculative logic is unfaithful in how it executes, can access the victim's memory and registers, and can perform operations with measurable side effects. Spectre attacks involve inducing a victim to speculatively perform operations that would not occur during correct program execution and which leak the victim's confidential information via a side channel to the adversary. This paper describes practical attacks that combine methodology from side channel attacks, fault attacks, and return-oriented programming that can read arbitrary memory from the victim's process. More broadly, the paper shows that speculative execution implementations violate the security assumptions underpinning numerous software security mechanisms, including operating system process separation, containerization, just-in-time (JIT) compilation, and countermeasures to cache timing and side-channel attacks. These attacks represent a serious threat to actual systems since vulnerable speculative execution capabilities are found in microprocessors from Intel, AMD, and ARM that are used in billions of devices. While makeshift processor-specific countermeasures are possible in some cases, sound solutions will require fixes to processor designs as well as updates to instruction set architectures (ISAs) to give hardware architects and software developers a common understanding as to what computation state CPU implementations are (and are not) permitted to leak.</abstract><pub>IEEE</pub><doi>10.1109/SP.2019.00002</doi><tpages>19</tpages><oa>free_for_read</oa></addata></record>
fulltext fulltext_linktorsrc
identifier EISSN: 2375-1207
ispartof 2019 IEEE Symposium on Security and Privacy (SP), 2019, p.1-19
issn 2375-1207
language eng
recordid cdi_ieee_primary_8835233
source IEEE Electronic Library (IEL)
subjects Arrays
Hardware
microarchitectural-attack
Microarchitecture
microarchitecture-security
Program processors
Registers
Side-channel attacks
Spectre
speculative-execution
Transient analysis
title Spectre Attacks: Exploiting Speculative Execution
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-12T01%3A15%3A27IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-ieee_RIE&rft_val_fmt=info:ofi/fmt:kev:mtx:book&rft.genre=proceeding&rft.atitle=Spectre%20Attacks:%20Exploiting%20Speculative%20Execution&rft.btitle=2019%20IEEE%20Symposium%20on%20Security%20and%20Privacy%20(SP)&rft.au=Kocher,%20Paul&rft.date=2019-05-01&rft.spage=1&rft.epage=19&rft.pages=1-19&rft.eissn=2375-1207&rft_id=info:doi/10.1109/SP.2019.00002&rft_dat=%3Cieee_RIE%3E8835233%3C/ieee_RIE%3E%3Curl%3E%3C/url%3E&rft.eisbn=9781538666609&rft.eisbn_list=153866660X&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_id=info:pmid/&rft_ieee_id=8835233&rfr_iscdi=true