Abstract
Research on transient execution attacks including Spectre and Meltdown showed that exception or branch misprediction events might leave secret-dependent traces in the CPU’s microarchitectural state. This observation led to a proliferation of new Spectre and Meltdown attack variants and even more ad-hoc defenses (e.g., microcode and software patches). Both the industry and academia are now focusing on finding effective defenses for known issues. However, we only have limited insight on residual attack surface and the completeness of the proposed defenses.
In this paper, we present a systematization of transient execution attacks. Our systematization uncovers 6 (new) transient execution attacks that have been overlooked and not been investigated so far: 2 new exploitable Meltdown effects: Meltdown-PK (Protection Key Bypass) on Intel, and Meltdown-BND (Bounds Check Bypass) on Intel and AMD; and 4 new Spectre mistraining strategies. We evaluate the attacks in our classification tree through proof-of-concept implementations on 3 major CPU vendors (Intel, AMD, ARM). Our systematization yields a more complete picture of the attack surface and allows for a more systematic evaluation of defenses. Through this systematic evaluation, we discover that most defenses, including deployed ones, cannot fully mitigate all attack variants.
| Field | Value |
|---|---|
| Original language | English |
| Title of host publication | Proceedings of the 28th USENIX Security Symposium |
| Publisher | USENIX Association |
| Pages | 249-266 |
| Number of pages | 17 |
| Publication status | Published - 14 Aug 2019 |
Keywords
- cs.CR
Projects
- Leakage-Free - Hardware-Software Information Flow Analysis for Leakage-Free Code Generation
1/10/18 → 30/09/20
Project: Research project
- Espresso - Scalable hardware-secured authentication and personalization of intelligent sensor nodes
1/05/18 → 31/10/20
Project: Research project
- Dessnet - Dependable, secure and time-aware sensor networks
Mangard, S., Glanzer, C., Görtschacher, L. J., Bösch, W., Grosinger, J., Fischbacher, R. B., Deutschmann, B. & Shetty, D.
1/06/17 → 31/07/21
Project: Research project
Activities
- A Systematic Evaluation of Transient Execution Attacks and Defenses
Claudio Alberto Canella (Speaker)
14 Aug 2019 · Activity: Talk or presentation › Talk at conference or symposium › Science to science