A Systematic Evaluation of Transient Execution Attacks and Defenses

Claudio Canella, Jo Van Bulck, Michael Schwarz, Moritz Lipp, Benjamin von Berg, Philipp Ortner, Frank Piessens, Dmitry Evtyushkin, Daniel Gruss

Publication: Contribution to a journal › Article › Research

Abstract

Modern processor optimizations such as branch prediction and out-of-order execution are crucial for performance. Recent research on transient execution attacks including Spectre and Meltdown showed, however, that exception or branch misprediction events may leave secret-dependent traces in the CPU's microarchitectural state. This observation led to a proliferation of new Spectre and Meltdown attack variants and even more ad-hoc defenses (e.g., microcode and software patches). Unfortunately, both the industry and academia are now focusing on finding efficient defenses that mostly address only one specific variant or exploitation methodology. This is highly problematic, as the state-of-the-art provides only limited insight on residual attack surface and the completeness of the proposed defenses. In this paper, we present a sound and extensible systematization of transient execution attacks. Our systematization uncovers 7 (new) transient execution attacks that have been overlooked and not been investigated so far. This includes 2 new Meltdown variants: Meltdown-PK on Intel, and Meltdown-BR on Intel and AMD. It also includes 5 new Spectre mistraining strategies. We evaluate all 7 attacks in proof-of-concept implementations on 3 major processor vendors (Intel, AMD, ARM). Our systematization does not only yield a complete picture of the attack surface, but also allows a systematic evaluation of defenses. Through this systematic evaluation, we discover that we can still mount transient execution attacks that are supposed to be mitigated by rolled out patches.
Original language: English
Journal: arXiv.org e-Print archive
Publication status: Published - 13 Nov 2018

Keywords

Cite this

    A Systematic Evaluation of Transient Execution Attacks and Defenses. / Canella, Claudio; Bulck, Jo Van; Schwarz, Michael; Lipp, Moritz; Berg, Benjamin von; Ortner, Philipp; Piessens, Frank; Evtyushkin, Dmitry; Gruss, Daniel.

In: arXiv.org e-Print archive, 13.11.2018.

Canella, Claudio; Bulck, Jo Van; Schwarz, Michael; Lipp, Moritz; Berg, Benjamin von; Ortner, Philipp; Piessens, Frank; Evtyushkin, Dmitry; Gruss, Daniel. / A Systematic Evaluation of Transient Execution Attacks and Defenses. In: arXiv.org e-Print archive. 2018.
    @article{407a60b30d1f46cf8b82002c24ebbca2,
    title = "A Systematic Evaluation of Transient Execution Attacks and Defenses",
    abstract = "Modern processor optimizations such as branch prediction and out-of-order execution are crucial for performance. Recent research on transient execution attacks including Spectre and Meltdown showed, however, that exception or branch misprediction events may leave secret-dependent traces in the CPU's microarchitectural state. This observation led to a proliferation of new Spectre and Meltdown attack variants and even more ad-hoc defenses (e.g., microcode and software patches). Unfortunately, both the industry and academia are now focusing on finding efficient defenses that mostly address only one specific variant or exploitation methodology. This is highly problematic, as the state-of-the-art provides only limited insight on residual attack surface and the completeness of the proposed defenses. In this paper, we present a sound and extensible systematization of transient execution attacks. Our systematization uncovers 7 (new) transient execution attacks that have been overlooked and not been investigated so far. This includes 2 new Meltdown variants: Meltdown-PK on Intel, and Meltdown-BR on Intel and AMD. It also includes 5 new Spectre mistraining strategies. We evaluate all 7 attacks in proof-of-concept implementations on 3 major processor vendors (Intel, AMD, ARM). Our systematization does not only yield a complete picture of the attack surface, but also allows a systematic evaluation of defenses. Through this systematic evaluation, we discover that we can still mount transient execution attacks that are supposed to be mitigated by rolled out patches.",
    keywords = "cs.CR",
    author = "Claudio Canella and Bulck, {Jo Van} and Michael Schwarz and Moritz Lipp and Berg, {Benjamin von} and Philipp Ortner and Frank Piessens and Dmitry Evtyushkin and Daniel Gruss",
    year = "2018",
    month = "11",
    day = "13",
    language = "English",
    journal = "arXiv.org e-Print archive",
    publisher = "Cornell University Library",
    }
