Spectre Attacks: Exploiting Speculative Execution

1 Spectre Attacks: Exploiting Speculative ExecutionPaul Kocher1, Jann Horn2, Anders Fogh3, Daniel Genkin4,Daniel Gruss5, Werner Haas6, Mike Hamburg7, Moritz Lipp5,Stefan Mangard5, Thomas Prescher6, Michael Schwarz5, Yuval Yarom81 Independent( ),2 Google Project Zero,3G DATA Advanced Analytics,4 University of Pennsylvania and University of Maryland,5 Graz University of Technology,6 Cyberus Technology,7 Rambus, Cryptography Research Division,8 University of Adelaide and Data61 Abstract Modern processors use branch prediction and spec-ulative Execution to maximize performance.

2 For example, if thedestination of a branch depends on a memory value that is in theprocess of being read, CPUs will try to guess the destination andattempt to execute ahead. When the memory value finally arrives,the CPU either discards or commits the Speculative logic is unfaithful in how it executes, can access thevictim s memory and registers, and can perform operations withmeasurable side attacks involve inducing a victim to speculativelyperform operations that would not occur during correct programexecution and which leak the victim s confidential information viaa side channel to the adversary.

3 This paper describes practicalattacks that combine methodology from side channel attacks,fault attacks, and return-oriented programming that can readarbitrary memory from the victim s process. More broadly, thepaper shows that Speculative Execution implementations violatethe security assumptions underpinning numerous software secu-rity mechanisms, including operating system process separation,containerization, just-in-time (JIT) compilation, and countermea-sures to cache timing and side-channel attacks. These attacksrepresent a serious threat to actual systems since vulnerablespeculative Execution capabilities are found in microprocessorsfrom Intel, AMD, and ARM that are used in billions of makeshift processor-specific countermeasures are possi-ble in some cases, sound solutions will require fixes to processordesigns as well as updates to instruction set architectures (ISAs)to give hardware architects and software developers a commonunderstanding as to what computation state CPU implementa-tions are (and are not)

4 Permitted to INTRODUCTIONC omputations performed by physical devices often leaveobservable side effects beyond the computation s nominaloutputs. Side-channel attacks focus on Exploiting these sideeffects to extract otherwise-unavailable secret their introduction in the late 90 s [43], many physicaleffects such as power consumption [41, 42], electromagneticradiation [58], or acoustic noise [20] have been leveraged toextract cryptographic keys as well as other side-channel attacks can also be used to extractsecret information from complex devices such as PCs andmobile phones [21, 22].

5 However, because these devicesoften execute code from a potentially unknown origin, theyface additional threats in the form of software-based attacks,which do not require external measurement equipment. Whilesome attacks exploit software vulnerabilities (such as bufferoverflows [5] or double-free errors [12]), other software attacksleverage hardware vulnerabilities to leak sensitive of the latter type include microarchitectural attacksexploiting cache timing [8, 30, 48, 52, 55, 69, 74], branchprediction history [1, 2], branch target buffers [14, 44] or openDRAM rows [56].

6 Software-based techniques have also beenused to mount fault attacks that alter physical memory [39] orinternal CPU values [65].Several microarchitectural design techniques have facilitatedthe increase in processor speed over the past decades. One suchadvancement is Speculative Execution , which is widely usedto increase performance and involves having the CPU guesslikely future Execution directions and prematurely executeinstructions on these paths. More specifically, consider anexample where the program s control flow depends on anuncached value located in external physical memory.

7 As thismemory is much slower than the CPU, it often takes severalhundred clock cycles before the value becomes known. Ratherthan wasting these cycles by idling, the CPU attempts to guessthe direction of control flow, saves a checkpoint of its registerstate, and proceeds to speculatively execute the program on theguessed path. When the value eventually arrives from memory,the CPU checks the correctness of its initial guess. If theguess was wrong, the CPU discards the incorrect speculativeexecution by reverting the register state back to the storedcheckpoint, resulting in performance comparable to , if the guess was correct, the Speculative executionresults are committed, yielding a significant performance gainas useful work was accomplished during the a security perspective, Speculative Execution involvesexecuting a program in possibly incorrect ways.

8 However,because CPUs are designed to maintain functional correctnessby reverting the results of incorrect Speculative executions totheir prior states, these errors were previously assumed to Our ResultsIn this paper, we analyze the security implications of suchincorrect Speculative Execution . We present a class of microar-chitectural attacks which we callSpectre attacks. At a highlevel, Spectre attacks trick the processor into speculativelyexecuting instruction sequences that should not have beenexecuted under correct program Execution .

9 As the effects ofthese instructions on the nominal CPU state are eventuallyreverted, we call themtransient instructions. By influencingwhich transient instructions are speculatively executed, we areable to leak information from within the victim s memoryaddress empirically demonstrate the feasibility of Spectre attacksby Exploiting transient instruction sequences to leak informa-tion across security domains both from unprivileged nativecode, as well as from portable JavaScript using Native a proof-of-concept, wecreate a simple victim program that contains secret data withinits memory address space.

10 Next, we search the compiledvictim binary and the operating system s shared libraries forinstruction sequences that can be used to leak informationfrom the victim s address space. Finally, we write an attackerprogram that exploits the CPU s Speculative Execution featureto execute the previously-found sequences as transient instruc-tions. Using this technique, we are able to read memory fromthe victim s address space, including the secrets stored using JavaScript and addition to violatingprocess isolation boundaries using native code, Spectre attackscan also be used to violate sandboxing, , by mountingthem via portable JavaScript code.