A Systematic Evaluation of Transient Execution Attacks and Defenses

Claudio Canella, Jo Van Bulck, Michael Schwarz, Moritz Lipp, Benjamin von Berg, Philipp Ortner, Frank Piessens, Dmitry Evtyushkin, Daniel Gruss

Publication: Contribution to book/report/conference proceedings; Conference contribution; Research; Peer-reviewed

Abstract

Research on transient execution attacks including Spectre and Meltdown showed that exception or branch misprediction events might leave secret-dependent traces in the CPU's microarchitectural state. This observation led to a proliferation of new Spectre and Meltdown attack variants and even more ad-hoc defenses (e.g., microcode and software patches). Both industry and academia are now focusing on finding effective defenses for known issues. However, we only have limited insight into the residual attack surface and the completeness of the proposed defenses.

In this paper, we present a systematization of transient execution attacks. Our systematization uncovers 6 (new) transient execution attacks that have been overlooked and not been investigated so far: 2 new exploitable Meltdown effects: Meltdown-PK (Protection Key Bypass) on Intel, and Meltdown-BND (Bounds Check Bypass) on Intel and AMD; and 4 new Spectre mistraining strategies. We evaluate the attacks in our classification tree through proof-of-concept implementations on 3 major CPU vendors (Intel, AMD, ARM). Our systematization yields a more complete picture of the attack surface and allows for a more systematic evaluation of defenses. Through this systematic evaluation, we discover that most defenses, including deployed ones, cannot fully mitigate all attack variants.
Original language: English
Title: Proceedings of the 28th USENIX Security Symposium
Publisher: USENIX Association
Pages: 249-266
Number of pages: 17
Publication status: Published - 14 Aug 2019

Publication series

Name: arXiv.org e-Print archive
Publisher: Cornell University Library


Cite this

Canella, C., Bulck, J. V., Schwarz, M., Lipp, M., Berg, B. V., Ortner, P., ... Gruss, D. (2019). A Systematic Evaluation of Transient Execution Attacks and Defenses. In Proceedings of the 28th USENIX Security Symposium (pp. 249-266). (arXiv.org e-Print archive). USENIX Association.
