Revizor: testing black-box CPUs against speculation contracts

  title={Revizor: testing black-box CPUs against speculation contracts},
  author={Oleksii Oleksenko and Christof Fetzer and Boris K{\"o}pf and Mark Silberstein},
  journal={Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems},
  • O. Oleksenko, C. Fetzer, M. Silberstein
  • Published 14 May 2021
  • Computer Science
  • Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems
Speculative vulnerabilities such as Spectre and Meltdown expose speculative execution state that can be exploited to leak information across security domains via side-channels. Such vulnerabilities often stay undetected for a long time as we lack the tools for systematic testing of CPUs to find them. In this paper, we propose an approach to automatically detect microarchitectural information leakage in commercial black-box CPUs. We build on speculation contracts, which we employ to specify the… 

Figures and Tables from this paper


Unicorn: Next generation CPU emulator framework
  • In BlackHat USA
  • 2015
Medusa: Microarchitectural Data Leakage via Automated Attack Synthesis
This work proposes a new attack, named Medusa, which can leak data from implicit write-combining memory operations, and shows that Medusa can leak various parts of an RSA key during the base64 decoding stage and recover full RSA keys by employing lattice-based cryptanalysis techniques.
LVI: Hijacking Transient Execution through Microarchitectural Load Value Injection
This paper proposes Load Value Injection (LVI) as an innovative technique to reversely exploit Meltdown-type microarchitectural data leakage by directly injecting incorrect, attacker-controlled values into a victim’s transient execution.
Speculative Taint Tracking (STT): A Comprehensive Protection for Speculatively Accessed Data
The main idea is that it is safe to execute and selectively forward the results of speculative instructions that read secrets, as long as it can prove that the forwarded results do not reach potential covert channels.
Spectre Attacks: Exploiting Speculative Execution
This paper describes practical attacks that combine methodology from side channel attacks, fault attacks, and return-oriented programming that can read arbitrary memory from the victim's process that violate the security assumptions underpinning numerous software security mechanisms.
ISA semantics for ARMv8-a, RISC-v, and CHERI-MIPS
This paper presents rigorous semantic models for the sequential behaviour of large parts of the mainstream ARMv8-A, RISC-V, and MIPS architectures, and the research CHERI-MIPS architecture, that are complete enough to boot operating systems, variously Linux, FreeBSD, or seL4.
Formal specification of the x86 instruction set architecture
This thesis formally specify the x86 instruction set architecture (ISA) by developing an abstract machine that models the behaviour of a modern computer with multiple x86 processors and design a new domain-specific language that has intuitive syntax for defining registers and instructions.
Engineering a Formal, Executable x86 ISA Simulator for Software Verification
This work describes a formal, executable model of the x86 instruction-set architecture and presents design decisions made during model development to optimize both validation and verification, i.e., efficiency of both simulation and reasoning.
SpecFuzz: Bringing Spectre-type vulnerabilities to the surface
The prototype for detecting Spectre V 1 vulnerabilities successfully identifies all known variations of Spectre V1 and decreases the mitigation overheads across the evaluated applications, reducing the amount of instrumented branches by up to 77% given a sufficient test coverage.
Rage Against the Machine Clear: A Systematic Analysis of Machine Clears and Their Implications for Transient Execution Attacks
This analysis specifically focuses on the class of transient execution based on machine clears, reverse engineering previously unexplored root causes such as Floating Point MC, Self-Modifying Code MC, Memory Ordering MC, and Memory Disambiguation MC to present a new root cause-based classification of all known transient execution paths.