Automatically Eliminating Speculative Leaks from Cryptographic Code with Blade
Abstract
We introduce Blade, a new approach to automatically and efficiently eliminate speculative leaks from cryptographic code. Blade is built on the insight that to stop leaks via speculative execution, it suffices to cut the dataflow from expressions that speculatively introduce secrets (sources) to those that leak them through the cache (sinks), rather than to prohibit speculation altogether. We formalize this insight in a static type system that (1) types each expression as either transient, i.e., possibly containing speculative secrets, or stable, and (2) prohibits speculative leaks by requiring that all sink expressions be stable. Blade relies on a new abstract primitive, protect, to halt speculation at fine granularity. We formalize and implement protect using existing architectural mechanisms, and show how Blade’s type system can automatically synthesize a minimal number of protects to provably eliminate speculative leaks. We implement Blade in the Cranelift WebAssembly compiler and evaluate our approach by repairing several verified, yet vulnerable, WebAssembly implementations of cryptographic primitives. We find that Blade can fix existing programs that leak via speculation automatically, without user intervention, and efficiently, even when using fences to implement protect.
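The source-to-sink cut described in the abstract, worked through on a toy straight-line program. This is an added example, not code from the paper or from Cranelift: the statement representation, the choice of sources (values returned by loads) and sinks (variables that form a memory address), the reduction of protect placement to a unit-capacity vertex cut solved by max flow, and the sample program are all my own constructions. Blade's type rule is modelled by `type_check`, and the "minimal number of protects" by `place_protects`, which returns the variables whose definitions need a protect.

```python
from collections import defaultdict, deque

INF = float("inf")

# Assumed toy IR (not Blade's): straight-line SSA statements, each variable defined once.
#   ("assign", dst, [srcs])   dst computed arithmetically from srcs
#   ("load", dst, [addr])     dst = mem[f(addr)]
#   ("store", [addr], val)    mem[f(addr)] = val
#   ("protect", var)          var is stable from here on
# Sources: load results (a mispredicted bounds check can feed the load an out-of-bounds
# address, so the value may be a secret: transient). Sinks: address operands (cache-visible).

def type_check(program):
    """Abstract's rule, applied flow-sensitively: every sink operand must be stable.
    Returns (sink_var, statement_index) for each transient value reaching a sink."""
    transient, violations = set(), []
    for idx, stmt in enumerate(program):
        kind = stmt[0]
        if kind == "protect":
            transient.discard(stmt[1])
        elif kind == "assign":
            if any(s in transient for s in stmt[2]):
                transient.add(stmt[1])
        else:  # load or store: the address operands are the sinks
            addr = stmt[2] if kind == "load" else stmt[1]
            violations += [(a, idx) for a in addr if a in transient]
            if kind == "load":
                transient.add(stmt[1])
    return violations

def build_flow_graph(program):
    """Def-use graph with each variable v split into (v,'in') -> (v,'out') of capacity 1
    (cutting that edge = a protect after v's definition); every other edge is unbounded."""
    cap = defaultdict(lambda: defaultdict(float))
    variables = set()
    for stmt in program:
        kind = stmt[0]
        if kind == "assign":
            variables.update([stmt[1], *stmt[2]])
            for s in stmt[2]:
                cap[(s, "out")][(stmt[1], "in")] = INF
        elif kind in ("load", "store"):
            addr = stmt[2] if kind == "load" else stmt[1]
            variables.update(addr)
            for a in addr:
                cap[(a, "out")]["T"] = INF          # address operand is a sink
            if kind == "load":
                variables.add(stmt[1])
                cap["S"][(stmt[1], "in")] = INF     # loaded value is a source
    for v in variables:
        cap[(v, "in")][(v, "out")] = 1.0
    return cap

def min_cut(cap, s="S", t="T"):
    """Edmonds-Karp. Returns the max-flow value and the nodes still reachable from s
    in the residual graph (the source side of a minimum cut)."""
    flow = 0.0
    while True:
        parent, queue = {s: None}, deque([s])
        while queue and t not in parent:
            u = queue.popleft()
            for v, c in cap[u].items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if t not in parent:
            return flow, set(parent)
        path, v = [], t
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        bottleneck = min(cap[u][v] for u, v in path)  # always 1: every path crosses a unit edge
        for u, v in path:
            cap[u][v] -= bottleneck
            cap[v][u] += bottleneck
        flow += bottleneck

def place_protects(program):
    """Minimal protect set: variables whose 'in' half is reachable after max flow, 'out' half not."""
    reach = min_cut(build_flow_graph(program))[1]
    return sorted(v for (v, half) in (n for n in reach if isinstance(n, tuple))
                  if half == "in" and (v, "out") not in reach)

def harden(program):
    """Insert protect right after the definition of each cut variable."""
    cut, hardened = set(place_protects(program)), []
    for stmt in program:
        hardened.append(stmt)
        if stmt[0] in ("assign", "load") and stmt[1] in cut:
            hardened.append(("protect", stmt[1]))
    return hardened

# Constructed sample: a key byte indexes a table, and that lookup (mixed with the key
# byte) indexes the table again, the shape of a T-table style cipher round.
PROGRAM = [
    ("load", "k", ["key", "i"]),     # k = key[i]    source
    ("assign", "j", ["k", "mask"]),  # j = k & mask
    ("load", "t", ["tbl", "j"]),     # t = tbl[j]    j is a sink, t a source
    ("assign", "u", ["t", "k"]),     # u = t ^ k
    ("load", "v", ["tbl", "u"]),     # v = tbl[u]    u is a sink
    ("store", ["out", "i"], "v"),    # out[i] = v
]
```

On the sample, `type_check` reports two transient sinks (`j` and `u`), and `place_protects` returns `["k", "t"]`: two protects are enough, whereas a fence after every load would cost three, and `type_check(harden(PROGRAM))` is empty. The residual reachability gives the cut closest to the sources; the cut `["j", "u"]` is equally small, and a real placement would pick between such cuts by the cost of the underlying mechanism (the abstract mentions fences as one implementation of protect). The model deliberately treats only address operands as sinks and assumes SSA form; anything beyond that is outside what this example shows.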