Abstract
Transient execution attacks, also known as speculative execution attacks, have drawn much interest in the last few years because they can leak critical data. Since the first disclosure of the Spectre and Meltdown attacks in January 2018, a number of new transient execution attack types have been demonstrated against different processors. A transient execution attack consists of two main components: the transient execution itself and a covert channel that is used to actually exfiltrate the information. Transient execution is a result of fundamental features of modern processors that are designed to boost performance and efficiency, while covert channels are unintended information leakage channels that result from temporal and spatial sharing of micro-architectural components. Given the severity of transient execution attacks, they have motivated computer architects in both industry and academia to rethink processor design and to propose hardware defenses. To help understand transient execution attacks, this survey summarizes the phases of the attacks and the security boundaries across which information is leaked in the different attacks. It further analyzes the causes of transient execution as well as the different types of covert channels, and presents a taxonomy of the attacks based on those causes and types. It also presents metrics for comparing different aspects of transient execution attacks and uses them to evaluate the feasibility of the different attacks, considering both existing attacks and potential new attacks suggested by our analysis. The survey finishes by discussing the different mitigations that have so far been proposed at the micro-architecture level, along with their benefits and limitations.
Index Terms
- Survey of Transient Execution Attacks and Their Mitigations