Abstract
We study the formal verification of information-flow properties in the presence of speculative execution and side-channels. First, we present a formal model of speculative execution semantics. This model can be parameterized by the depth of speculative execution and is amenable to a range of verification techniques. Second, we introduce a novel notion of information leakage under speculation, which is parameterized by the information that is available to an attacker through side-channels. Finally, we present one verification technique that uses our formalism and can be used to detect information leaks under speculation through cache side-channels, and can decide whether these are only possible under speculative execution. We implemented an instance of this verification technique that combines taint analysis and safety model checking. We evaluated this approach on a range of examples that have been proposed as benchmarks for mitigations of the Spectre vulnerability, and show that our approach correctly identifies all information leaks.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
It is, in fact, the basic example used in the Spectre paper [22].
- 2.
If it does not hold, then the transition relation will evaluate to false for all post-states, i.e., the program halts.
- 3.
We assume that the compiler separates nested array reads into two separate reads.
References
Agat, J.: Transforming out timing leaks. In: POPL, pp. 40–53. ACM (2000). https://doi.org/10.1145/325694.325702
Almeida, J.B., Barbosa, M., Barthe, G., Dupressoir, F., Emmi, M.: Verifying constant-time implementations. In: USENIX Security, pp. 53–70. USENIX Association (2016). https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/almeida
Almeida, J.B., Barbosa, M., Pinto, J.S., Vieira, B.: Formal verification of side-channel countermeasures using self-composition. Sci. Comput. Program. 78(7), 796–812 (2013). https://doi.org/10.1016/j.scico.2011.10.008
Arons, T., Pnueli, A.: A comparison of two verification methods for speculative instruction execution. In: Graf, S., Schwartzbach, M. (eds.) TACAS 2000. LNCS, vol. 1785, pp. 487–502. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-46419-0_33
Barthe, G., D’Argenio, P.R., Rezk, T.: Secure information flow by self-composition. In: Computer Security Foundations Workshop, (CSFW-17), pp. 100–114 (2004)
Barthe, G., D’Argenio, P.R., Rezk, T.: Secure information flow by self-composition. Math. Struct. Comput. Sci. 21(6), 1207–1252 (2011). https://doi.org/10.1017/S0960129511000193
Bhattacharyya, A., et al.: Smotherspectre: exploiting speculative execution through port contention. CoRR abs/1903.01843 (2019). http://arxiv.org/abs/1903.01843
Boudol, G., Petri, G.: A theory of speculative computation. In: Gordon, A.D. (ed.) ESOP 2010. LNCS, vol. 6012, pp. 165–184. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-11957-6_10
Canella, C., et al.: A systematic evaluation of transient execution attacks and defenses. CoRR. https://arxiv.org/abs/1811.05441 (2018)
Clarke, E.M., Grumberg, O., Peled, D.A.: Model Checking. MIT Press, Cambridge (2001)
Clarkson, M.R., Finkbeiner, B., Koleini, M., Micinski, K.K., Rabe, M.N., Sánchez, C.: Temporal logics for hyperproperties. In: Abadi, M., Kremer, S. (eds.) POST 2014. LNCS, vol. 8414, pp. 265–284. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54792-8_15
Denning, D.E., Denning, P.J.: Certification of programs for secure information flow. Commun. ACM 20(7), 504–513 (1977)
Guarnieri, M., Köpf, B., Morales, J.F., Reineke, J., Sánchez, A.: SPECTECTOR: principled detection of speculative information flows. CoRR. http://arxiv.org/abs/1812.08639 (2018)
Gurfinkel, A., Kahsai, T., Komuravelli, A., Navas, J.A.: The seahorn verification framework. In: Kroening, D., Păsăreanu, C.S. (eds.) CAV 2015. LNCS, vol. 9206, pp. 343–361. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-21690-4_20
Hammer, C., Snelting, G.: Flow-sensitive, context-sensitive, and object-sensitive information flow control based on program dependence graphs. Int. J. Inf. Secur. 8(6), 399–422 (2009)
Hosabettu, R., Gopalakrishnan, G., Srivas, M.: Verifying advanced microarchitectures that support speculation and exceptions. In: Emerson, E.A., Sistla, A.P. (eds.) CAV 2000. LNCS, vol. 1855, pp. 521–537. Springer, Heidelberg (2000). https://doi.org/10.1007/10722167_39
Intel: White paper: intel analysis of speculative execution side channels. Tech. Rep. 336983–001, Revision 1.0. https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/Intel-Analysis-of-Speculative-Execution-Side-Channels.pdf
Intel: Q2 2018 speculative execution side channel update (2018). https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html. Accessed May 2019
Jhala, R., McMillan, K.L.: Microarchitecture verification by compositional model checking. In: Berry, G., Comon, H., Finkel, A. (eds.) CAV 2001. LNCS, vol. 2102, pp. 396–410. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44585-4_40
Kiriansky, V., Waldspurger, C.: Speculative buffer overflows: attacks and defenses. CoRR. http://arxiv.org/abs/1807.03757 (2018)
Kocher, P.: Spectre Mitigations in Microsoft’s C/C++ Compiler. https://www.paulkocher.com/doc/MicrosoftCompilerSpectreMitigation.html
Kocher, P., et al.: Spectre attacks: exploiting speculative execution. CoRR. http://arxiv.org/abs/1801.01203 (2018)
Lahiri, S.K., Bryant, R.E.: Deductive verification of advanced out-of-order microprocessors. In: Hunt, W.A., Somenzi, F. (eds.) CAV 2003. LNCS, vol. 2725, pp. 341–354. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45069-6_33
Maisuradze, G., Rossow, C.: ret2spec: speculative execution using return stack buffers. In: CCS, pp. 2109–2122. ACM (2018). https://doi.org/10.1145/3243734.3243761
Pardoe, A.: Spectre mitigations in MSVC (2018). https://blogs.msdn.microsoft.com/vcblog/2018/01/15/spectre-mitigations-in-msvc/. Accessed May 2019
Pistoia, M., Flynn, R.J., Koved, L., Sreedhar, V.C.: Interprocedural analysis for privileged code placement and tainted variable detection. In: Black, A.P. (ed.) ECOOP 2005. LNCS, vol. 3586, pp. 362–386. Springer, Heidelberg (2005). https://doi.org/10.1007/11531142_16
Rodrigues, B., Pereira, F.M.Q., Aranha, D.F.: Sparse representation of implicit flows with applications to side-channel detection. In: CC, pp. 110–120. ACM (2016). https://doi.org/10.1145/2892208.2892230
Sawada, J., Hunt, W.A.: Processor verification with precise exceptions and speculative execution. In: Hu, A.J., Vardi, M.Y. (eds.) CAV 1998. LNCS, vol. 1427, pp. 135–146. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0028740
Stecklina, J., Prescher, T.: Lazyfp: leaking FPU register state using microarchitectural side-channels. CoRR. http://arxiv.org/abs/1806.07480 (2018)
Taram, M., Venkat, A., Tullsen, D.M.: Context-sensitive fencing: Securing speculative execution via microcode customization. In: ASPLOS, pp. 395–410. ACM (2019). https://doi.org/10.1145/3297858.3304060
Terauchi, T., Aiken, A.: Secure information flow as a safety problem. In: Hankin, C., Siveroni, I. (eds.) SAS 2005. LNCS, vol. 3672, pp. 352–367. Springer, Heidelberg (2005). https://doi.org/10.1007/11547662_24
Velev, M.N.: Formal verification of VLIW microprocessors with speculative execution. In: Emerson, E.A., Sistla, A.P. (eds.) CAV 2000. LNCS, vol. 1855, pp. 296–311. Springer, Heidelberg (2000). https://doi.org/10.1007/10722167_24
Wang, G., Chattopadhyay, S., Gotovchits, I., Mitra, T., Roychoudhury, A.: oo7: low-overhead defense against spectre attacks via binary analysis. CoRR. http://arxiv.org/abs/1807.05843 (2018)
Yang, W., Vizel, Y., Subramanyan, P., Gupta, A., Malik, S.: Lazy self-composition for security verification. In: Chockler, H., Weissenbacher, G. (eds.) CAV 2018. LNCS, vol. 10982, pp. 136–156. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96142-2_11
Acknowledgements
Additional funding was provided by a generous gift from Intel. Any opinions, findings, and conclusions or recommendations expressed in this paper are those of the authors and do not necessarily reflect the views of the funding parties.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Bloem, R., Jacobs, S., Vizel, Y. (2019). Efficient Information-Flow Verification Under Speculative Execution. In: Chen, YF., Cheng, CH., Esparza, J. (eds) Automated Technology for Verification and Analysis. ATVA 2019. Lecture Notes in Computer Science(), vol 11781. Springer, Cham. https://doi.org/10.1007/978-3-030-31784-3_29
Download citation
DOI: https://doi.org/10.1007/978-3-030-31784-3_29
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-31783-6
Online ISBN: 978-3-030-31784-3
eBook Packages: Computer ScienceComputer Science (R0)