Skip to main content
SpringerLink
Log in

An Abstract Semantics of Speculative Execution for Reasoning About Security Vulnerabilities

  • Conference paper
  • First Online:
Formal Methods. FM 2019 International Workshops (FM 2019)

Part of the book series: Lecture Notes in Computer Science ((LNPSE,volume 12233))

Included in the following conference series:

Abstract

Reasoning about correctness and security of software is increasingly difficult due to the complexity of modern microarchitectural features such as out-of-order execution. A class of security vulnerabilities termed Spectre that exploits side effects of speculative, out-of-order execution was announced in 2018 and has since drawn much attention. In this paper we formalise speculative execution and its side effects as an extension of a framework for reasoning about out-of-order execution in weak memory models. Our goal is to allow speculation to be reasoned about abstractly at the software level. To this end we encode speculative execution explicitly using a novel language construct and modify the definition of conditional statements correspondingly. Underlying this extension is a model that has sufficient detail to enable specification of the relevant microarchitectural features. We add an abstract cache to the global state of the system, and derive some general refinement rules that expose cache side effects due to speculative loads. The rules are encoded in a simulation tool, which we use to analyse an abstract specification of a Spectre attack and vulnerable code fragments.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    In this paper we assume a multicopy atomic storage system; for memory models which lack this (e.g., POWER) the storage system described in [12] may be used.

References

  1. Alglave, J., Maranget, L., Tautschnig, M.: Herding cats: Modelling, simulation, testing, and data mining for weak memory. ACM Trans. Program. Lang. Syst. 36(2), 7:1–7:74 (2014)

    Article  Google Scholar 

  2. Alglave, J., Maranget, L., Sarkar, S., Sewell, P.: Litmus: running tests against hardware. In: Abdulla, P.A., Leino, K.R.M. (eds.) TACAS 2011. LNCS, vol. 6605, pp. 41–44. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19835-9_5

    Chapter  Google Scholar 

  3. Back, R.J.R., von Wright, J.: Trace refinement of action systems. In: Jonsson, B., Parrow, J. (eds.) CONCUR 1994. LNCS, vol. 836, pp. 367–384. Springer, Heidelberg (1994). https://doi.org/10.1007/978-3-540-48654-1_28

    Chapter  Google Scholar 

  4. Bijo, S., Johnsen, E.B., Pun, K.I., Lizeth Tapia Tarifa, S.: An operational semantics of cache coherent multicore architectures. In: Proceedings of the 31st Annual ACM Symposium on Applied Computing, SAC 2016, pp. 1219–1224. ACM, New York (2016)

    Google Scholar 

  5. Van Bulck, J., et al.: Foreshadow: extracting the keys to the intel SGX kingdom with transient out-of-order execution. In: USENIX Security Symposium (2018)

    Google Scholar 

  6. Chattopadhyay, S., Roychoudhury, A.: Symbolic verification of cache side-channel freedom. CoRR, abs/1801.01203 (2018)

    Google Scholar 

  7. Cheang, K., Rasmussen, C., Seshia, S., Subramanyan, P.: A formal approach to secure speculation. Cryptology ePrint Archive, Report 2019/310 (2019). https://eprint.iacr.org/2019/310

  8. Clavel, M., et al.: Maude: specification and programming in rewriting logic. Theor. Comput. Sci. 285(2), 187–243 (2002)

    Article  MathSciNet  Google Scholar 

  9. Colvin, R., Hayes, I.J.: CSP with hierarchical state. In: Leuschel, M., Wehrheim, H. (eds.) IFM 2009. LNCS, vol. 5423, pp. 118–135. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00255-7_9

    Chapter  Google Scholar 

  10. Colvin, R.J., Hayes, I.J.: Structural operational semantics through context-dependent behaviour. J. Logic Algebraic Programm. 80(7), 392–426 (2011)

    Article  MathSciNet  Google Scholar 

  11. Colvin, R.J., Smith, G.: A high-level operational semantics for hardware weak memory models. CoRR, abs/1812.00996 (2018)

    Google Scholar 

  12. Colvin, R.J., Smith, G.: A wide-spectrum language for verification of programs on weak memory models. In: Havelund, K., Peleska, J., Roscoe, B., de Vink, E. (eds.) FM 2018. LNCS, vol. 10951, pp. 240–257. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-95582-7_14

    Chapter  Google Scholar 

  13. Disselkoen, C., Jagadeesan, R., Jeffrey, A., Riely, J.: Code that never ran: modeling attacks on speculative evaluation. In: Proceedings of IEEE Symposium on Security and Privacy (S&P) (2019)

    Google Scholar 

  14. Doychev, G., Köpf, B., Mauborgne, L., Reineke, J.: CacheAudit: a tool for the static analysis of cache side channels. ACM Trans. Inf. Syst. Secur. 18(1), 4:1–4:32 (2015)

    Article  Google Scholar 

  15. Flur, S., et al.: Modelling the ARMv8 architecture, operationally: concurrency and ISA. In: Proceedings of the 43rd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2016, pp. 608–621. ACM, New York (2016)

    Google Scholar 

  16. Ge, Q., Yarom, Y., Cock, D., Heiser, G.: A survey of microarchitectural timing attacks and countermeasures on contemporary hardware. J. Cryptographic Eng. 8(1), 1–27 (2016). https://doi.org/10.1007/s13389-016-0141-6

    Article  Google Scholar 

  17. Gruss, D., Spreitzer, R., Mangard, S.: Cache template attacks: automating attacks on inclusive last-level caches. In: 24th USENIX Security Symposium (USENIX Security 15), pp. 897–912. USENIX Association (2015)

    Google Scholar 

  18. Guarnieri, M., Köpf, B., Morales, J.F., Reineke, J., Sánchez, A.: SPECTECTOR: principled detection of speculative information flows. CoRR, abs/1812.08639 (2018)

    Google Scholar 

  19. He, J., Hoare, C.A.R., Sanders, J.W.: Data refinement refined resume. In: Robinet, B., Wilhelm, R. (eds.) ESOP 1986. LNCS, vol. 213, pp. 187–196. Springer, Heidelberg (1986). https://doi.org/10.1007/3-540-16442-1_14

    Chapter  Google Scholar 

  20. Hoare, C.A.R.: Communicating Sequential Processes. Prentice-Hall Inc, Upper Saddle River (1985)

    MATH  Google Scholar 

  21. Intel. Intel 64 and IA-32 Architectures Software Developers Manual, January 2019

    Google Scholar 

  22. Islam, S., et al.: SPOILER: Speculative Load Hazards Boost Rowhammer And Cache Attacks (2019)

    Google Scholar 

  23. Kang, J., Hur, C.-K., Lahav, O., Vafeiadis, V., Dreyer, D.: A promising semantics for relaxed-memory concurrency. In Proceedings of the 44th ACM SIGPLAN Symposium on Principles of Programming Languages, POPL 2017, pp. 175–189. ACM, New York (2017)

    Google Scholar 

  24. Kocher, P., et al.: Spectre attacks: exploiting speculative execution. In 40th IEEE Symposium on Security and Privacy (S&P 2019) (2019)

    Google Scholar 

  25. Li, P., Zhao, L., Hou, R., Zhang, L., Meng, D.: Conditional speculation: an effective approach to safeguard out-of-order execution against Spectre attacks. In: 2019 IEEE International Symposium on High Performance Computer Architecture (HPCA), pp. 264–276, February 2019

    Google Scholar 

  26. Lipp, M., Gruss, D., Spreitzer, R., Maurice, C., Mangard, S.: Armageddon: cache attacks on mobile devices. In: 25th USENIX Security Symposium (USENIX Security 2016), pp. 549–564. USENIX Association (2016)

    Google Scholar 

  27. Lipp, M., et al.: Meltdown: reading kernel memory from user space. In USENIX Security Symposium (2018)

    Google Scholar 

  28. Lustig, D., Pellauer, M., Martonosi, M.: PipeCheck: specifying and verifying microarchitectural enforcement of memory consistency models. In: Proceedings of the 47th Annual IEEE/ACM International Symposium on Microarchitecture, MICRO-47, pp. 635–646, Washington, DC, USA. IEEE Computer Society (2014)

    Google Scholar 

  29. Mcilroy, R., Sevcik, J., Tebbi, T., Titzer, B.L., Verwaest, B.L.: Spectre is here to stay: an analysis of side-channels and speculative execution. CoRR, abs/1902.05178 (2019)

    Google Scholar 

  30. Milner, R.: A Calculus of Communicating Systems. LNCS, vol. 92. Springer, Heidelberg (1980). https://doi.org/10.1007/3-540-10235-3

    Book  MATH  Google Scholar 

  31. Morgan, C., Gardiner, P.: Data refinement by calculation. Acta Informatica 27, 481–503 (1990)

    Article  MathSciNet  Google Scholar 

  32. Murray, T.C., Sison, R., Engelhardt, K.: COVERN: a logic for compositional verification of information flow control. In: 2018 IEEE European Symposium on Security and Privacy, EuroS&P 2018, pp. 16–30. IEEE (2018)

    Google Scholar 

  33. Murray, T.C., Sison, R., Pierzchalski, E., Rizkallah, C.: Compositional verification and refinement of concurrent value-dependent noninterference. In: IEEE 29th Computer Security Foundations Symposium, CSF 2016, pp. 417–431. IEEE Computer Society (2016)

    Google Scholar 

  34. Plotkin, G.D.: A structural approach to operational semantics. J. Logic Algebraic Program. 60–61, 17–139 (2004)

    MathSciNet  MATH  Google Scholar 

  35. Sarkar, S., Sewell, P., Alglave, J., Maranget, L., Williams, D.: Understanding POWER multiprocessors. SIGPLAN Not. 46(6), 175–186 (2011)

    Article  Google Scholar 

  36. Sewell, P., Sarkar, S., Owens, S., Nardelli, F.Z., Myreen, M.O.: X86-TSO: a rigorous and usable programmer’s model for x86 multiprocessors. Commun. ACM 53(7), 89–97 (2010)

    Article  Google Scholar 

  37. Smith, G., Coughlin, N., Murray, T.: Value-dependent information-flow security on weak memory models. In: ter Beek, M.H., McIver, A., Oliveira, J.N. (eds.) FM 2019. LNCS, vol. 11800, pp. 539–555. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-30942-8_32

    Chapter  Google Scholar 

  38. Touzeau, V., Maïza, C., Monniaux, D., Reineke, J.: Fast and exact analysis for LRU caches. Proc. ACM Program. Lang. 3(POPL), 54:1–54:29 (2019)

    Article  Google Scholar 

  39. Trippel, C., Lustig, D., Martonosi, M.: Checkmate: automated synthesis of hardware exploits and security litmus tests. In: 2018 51st Annual IEEE/ACM International Symposium on Microarchitecture (MICRO), pp. 947–960 (2018)

    Google Scholar 

  40. Trippel, C., Lustig, D., Martonosi, M.: MeltdownPrime and SpectrePrime: automatically-synthesized attacks exploiting invalidation-based coherence protocols. CoRR, abs/1802.03802 (2018)

    Google Scholar 

  41. Verdejo, A., Mart-Oliet, N.: Executable structural operational semantics in Maude. J. Logic Algebraic Programm. 67(1–2), 226–293 (2006)

    Article  MathSciNet  Google Scholar 

  42. Wang, G., Chattopadhyay, S., Gotovchits, I., Mitra, T., Roychoudhury, A.: oo7: low-overhead defense against spectre attacks via binary analysis. CoRR, abs/1807.05843 (2018)

    Google Scholar 

  43. Wang, S., Wang, P., Liu, X., Zhang, D., Wu, D.: CacheD: identifying cache-based timing channels in production software. In: 26th USENIX Security Symposium (USENIX Security 2017), pp. 235–252. USENIX Association (2017)

    Google Scholar 

  44. Wu, M., Wang, C.: Abstract interpretation under speculative execution. In: Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2019, pp. 802–815. ACM, New York (2019)

    Google Scholar 

  45. Yarom, Y., Falkner, K.: FLUSH+RELOAD: a high resolution, low noise, L3 cache side-channel attack. In: USENIX Security Symposium (USENIX Security 2014), pp. 719–732. USENIX Association (2014)

    Google Scholar 

  46. Zhang, Y.: Cache side channels: state of the art and research opportunities. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, pp. 2617–2619. ACM (2017)

    Google Scholar 

Download references

Acknowledgements

We thank Samuel Chenoweth, Patrick Meiring, Mark Beaumont, Harrison Cusack and the anonymous reviewers for helping us improve the paper.

Author information

Authors and Affiliations

  1. Defence Science and Technology Group, Brisbane, Australia

    Robert J. Colvin & Kirsten Winter

  2. School of Information Technology and Electrical Engineering, University of Queensland, Brisbane, Australia

    Robert J. Colvin & Kirsten Winter

Authors
  1. Robert J. Colvin
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Kirsten Winter
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Robert J. Colvin .

Editor information

Editors and Affiliations

  1. McMaster University, Hamilton, ON, Canada

    Emil Sekerinski

  2. University of Porto, Porto, Portugal

    Nelma Moreira

  3. University of Minho, Braga, Portugal

    José N. Oliveira

  4. Argo Ai, Munich, Germany

    Daniel Ratiu

  5. University of Pisa, Pisa, Italy

    Riccardo Guidotti

  6. University of Liverpool, Liverpool, UK

    Marie Farrell

  7. University of Liverpool, Liverpool, UK

    Matt Luckcuck

  8. University of Exeter, Exeter, UK

    Diego Marmsoler

  9. University of Minho, Braga, Portugal

    José Campos

  10. University of Newcastle, Newcastle upon Tyne, UK

    Troy Astarte

  11. Claude Bernard University, Lyon, France

    Laure Gonnord

  12. Nazarbayev University, Nur-Sultan, Kazakhstan

    Antonio Cerone

  13. University of Surrey, Guildford, UK

    Luis Couto

  14. University of Surrey, Guildford, UK

    Brijesh Dongol

  15. University of Giessen, Giessen, Germany

    Martin Kutrib

  16. University of Lisbon, Lisbon, Portugal

    Pedro Monteiro

  17. Airbus Operations S.A.S., Toulouse, France

    David Delmas

A Speculation Down the Correct Branch; Parallel Speculation

A Speculation Down the Correct Branch; Parallel Speculation

As far as is currently known correct speculation has no security implications, and therefore we do not model such behaviours explicitly. However if needed we can capture this in several ways. For instance, a cache fetch can be associated with every load, whether inside or outside a speculation, similarly to Rule 25(a). Such semantics can be given by annotating each load that may exhibit this side effect.

Alternatively we could add the possibility of speculation down the eventually chosen branch as a choice.

$$ \mathbf{spec}(c_2 \sqcap c_1) \mathbin {\triangle } ([b] \mathbin {\mathtt {;}}c_1) ~ \sqcap ~ \mathbf{spec}(c_1 \sqcap c_2) \mathbin {\triangle } ([\lnot b] \mathbin {\mathtt {;}}c_2) $$

A more precise model that commits the transient context when correct speculation is found is possible, though significantly more complicated.

The concept of speculation down either branch can be extended straightforwardly to parallel speculation down multiple branches, for instance,

$$ (\mathbf{spec}(c_1) \parallel \mathbf{spec}(c_2)) \mathbin {\triangle } ([b] \mathbin {\mathtt {;}}c_1) $$

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Colvin, R.J., Winter, K. (2020). An Abstract Semantics of Speculative Execution for Reasoning About Security Vulnerabilities. In: Sekerinski, E., et al. Formal Methods. FM 2019 International Workshops. FM 2019. Lecture Notes in Computer Science(), vol 12233. Springer, Cham. https://doi.org/10.1007/978-3-030-54997-8_21

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-54997-8_21

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-54996-1

  • Online ISBN: 978-3-030-54997-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation