Corpus ID: 244527118

Systematic Analysis of Programming Languages and Their Execution Environments for Spectre Attacks

Amir Naseredini, Stefan Gast, Martin Schwarzl, Pedro Miguel Sousa Bernardo, Amel Smajic, Claudio Canella, Martin Berger, Daniel Gruss
In this paper, we analyze the security of programming languages and their execution environments (compilers and interpreters) with respect to Spectre attacks. The analysis shows that only 16 out of 42 execution environments have mitigations against at least one Spectre variant, i.e., 26 have no mitigations against any Spectre variant. Using our novel tool Speconnector, we develop Spectre proof-of-concept attacks in 8 programming languages and on code generated by 11 execution environments that… 

Spectre is here to stay: An analysis of side-channels and speculative execution
It is believed that speculative vulnerabilities on today's hardware defeat all language-enforced confidentiality with no known comprehensive software mitigations, as it is discovered that untrusted code can construct a universal read gadget to read all memory in the same address space through side-channels.
ConTExT: A Generic Approach for Mitigating Spectre
The basic idea of ConTExT is that secrets can enter registers but not transiently leave them, and it requires minimal, fully backward-compatible modifications of applications, compilers, operating systems, and the hardware to provide full protection for secrets in memory and secrets in registers.
A Systematic Evaluation of Transient Execution Attacks and Defenses
A systematization of transient execution attacks yields a more complete picture of the attack surface and allows for a more systematic evaluation of defenses, discovering that most defenses cannot fully mitigate all attack variants.
You Shall Not Bypass: Employing data dependencies to prevent Bounds Check Bypass
This work proposes a method of delaying only the vulnerable instructions, without the need to completely serialize execution; it causes 60% overhead across the Phoenix benchmark suite, which compares favorably to full serialization, which causes a 440% slowdown.
ret2spec: Speculative Execution Using Return Stack Buffers
This paper investigates a special type of branch predictor that is responsible for predicting return addresses and proposes two new attack variants using RSBs that give attackers similar capabilities as the documented Spectre attacks.
Spectre Returns! Speculation Attacks using the Return Stack Buffer
This paper introduces a new Spectre-class attack that is based on exploiting the return stack buffer (RSB), a common predictor structure in modern CPUs used to predict return addresses, and recommends that this patch should be used on all machines to protect against SpectreRSB.
SMoTherSpectre: Exploiting Speculative Execution through Port Contention
SMoTherSpectre is introduced, a speculative code-reuse attack that leverages port contention in simultaneously multi-threaded processors (SMoTher) as a side channel to leak information from a victim process.
SpectreGuard: An Efficient Data-centric Defense Mechanism against Spectre Attacks
This paper proposes SpectreGuard, a novel defense mechanism against Spectre attacks, in which sensitive memory blocks are marked using simple OS/library API, which are then selectively protected by hardware from Spectre attacks via low-cost micro-architecture extension.
Spectre Attacks: Exploiting Speculative Execution
This paper describes practical attacks that combine methodology from side-channel attacks, fault attacks, and return-oriented programming, that can read arbitrary memory from the victim's process, and that violate the security assumptions underpinning numerous software security mechanisms.
SafeSpec: Banishing the Spectre of a Meltdown with Leakage-Free Speculation
(SafeSpec), a new model for supporting speculation in a way that is immune to the side-channel leakage by storing side effects of speculative instructions in separate structures until they commit, and a cycle accurate model of modified design of an x86-64 processor.