Abstract
Reasoning about correctness and security of software is increasingly difficult due to the complexity of modern microarchitectural features such as out-of-order execution. A class of security vulnerabilities termed Spectre that exploits side effects of speculative, out-of-order execution was announced in 2018 and has since drawn much attention. In this paper we formalise speculative execution and its side effects as an extension of a framework for reasoning about out-of-order execution in weak memory models. Our goal is to allow speculation to be reasoned about abstractly at the software level. To this end we encode speculative execution explicitly using a novel language construct and modify the definition of conditional statements correspondingly. Underlying this extension is a model that has sufficient detail to enable specification of the relevant microarchitectural features. We add an abstract cache to the global state of the system, and derive some general refinement rules that expose cache side effects due to speculative loads. The rules are encoded in a simulation tool, which we use to analyse an abstract specification of a Spectre attack and vulnerable code fragments.
Notes
1. In this paper we assume a multicopy atomic storage system; for memory models which lack this (e.g., POWER) the storage system described in [12] may be used.
References
Alglave, J., Maranget, L., Tautschnig, M.: Herding cats: Modelling, simulation, testing, and data mining for weak memory. ACM Trans. Program. Lang. Syst. 36(2), 7:1–7:74 (2014)
Alglave, J., Maranget, L., Sarkar, S., Sewell, P.: Litmus: running tests against hardware. In: Abdulla, P.A., Leino, K.R.M. (eds.) TACAS 2011. LNCS, vol. 6605, pp. 41–44. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19835-9_5
Back, R.J.R., von Wright, J.: Trace refinement of action systems. In: Jonsson, B., Parrow, J. (eds.) CONCUR 1994. LNCS, vol. 836, pp. 367–384. Springer, Heidelberg (1994). https://doi.org/10.1007/978-3-540-48654-1_28
Bijo, S., Johnsen, E.B., Pun, K.I., Lizeth Tapia Tarifa, S.: An operational semantics of cache coherent multicore architectures. In: Proceedings of the 31st Annual ACM Symposium on Applied Computing, SAC 2016, pp. 1219–1224. ACM, New York (2016)
Van Bulck, J., et al.: Foreshadow: extracting the keys to the intel SGX kingdom with transient out-of-order execution. In: USENIX Security Symposium (2018)
Chattopadhyay, S., Roychoudhury, A.: Symbolic verification of cache side-channel freedom. CoRR, abs/1801.01203 (2018)
Cheang, K., Rasmussen, C., Seshia, S., Subramanyan, P.: A formal approach to secure speculation. Cryptology ePrint Archive, Report 2019/310 (2019). https://eprint.iacr.org/2019/310
Clavel, M., et al.: Maude: specification and programming in rewriting logic. Theor. Comput. Sci. 285(2), 187–243 (2002)
Colvin, R., Hayes, I.J.: CSP with hierarchical state. In: Leuschel, M., Wehrheim, H. (eds.) IFM 2009. LNCS, vol. 5423, pp. 118–135. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00255-7_9
Colvin, R.J., Hayes, I.J.: Structural operational semantics through context-dependent behaviour. J. Logic Algebraic Programm. 80(7), 392–426 (2011)
Colvin, R.J., Smith, G.: A high-level operational semantics for hardware weak memory models. CoRR, abs/1812.00996 (2018)
Colvin, R.J., Smith, G.: A wide-spectrum language for verification of programs on weak memory models. In: Havelund, K., Peleska, J., Roscoe, B., de Vink, E. (eds.) FM 2018. LNCS, vol. 10951, pp. 240–257. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-95582-7_14
Disselkoen, C., Jagadeesan, R., Jeffrey, A., Riely, J.: Code that never ran: modeling attacks on speculative evaluation. In: Proceedings of IEEE Symposium on Security and Privacy (S&P) (2019)
Doychev, G., Köpf, B., Mauborgne, L., Reineke, J.: CacheAudit: a tool for the static analysis of cache side channels. ACM Trans. Inf. Syst. Secur. 18(1), 4:1–4:32 (2015)
Flur, S., et al.: Modelling the ARMv8 architecture, operationally: concurrency and ISA. In: Proceedings of the 43rd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2016, pp. 608–621. ACM, New York (2016)
Ge, Q., Yarom, Y., Cock, D., Heiser, G.: A survey of microarchitectural timing attacks and countermeasures on contemporary hardware. J. Cryptographic Eng. 8(1), 1–27 (2016). https://doi.org/10.1007/s13389-016-0141-6
Gruss, D., Spreitzer, R., Mangard, S.: Cache template attacks: automating attacks on inclusive last-level caches. In: 24th USENIX Security Symposium (USENIX Security 15), pp. 897–912. USENIX Association (2015)
Guarnieri, M., Köpf, B., Morales, J.F., Reineke, J., Sánchez, A.: SPECTECTOR: principled detection of speculative information flows. CoRR, abs/1812.08639 (2018)
He, J., Hoare, C.A.R., Sanders, J.W.: Data refinement refined resume. In: Robinet, B., Wilhelm, R. (eds.) ESOP 1986. LNCS, vol. 213, pp. 187–196. Springer, Heidelberg (1986). https://doi.org/10.1007/3-540-16442-1_14
Hoare, C.A.R.: Communicating Sequential Processes. Prentice-Hall Inc, Upper Saddle River (1985)
Intel. Intel 64 and IA-32 Architectures Software Developers Manual, January 2019
Islam, S., et al.: SPOILER: Speculative Load Hazards Boost Rowhammer And Cache Attacks (2019)
Kang, J., Hur, C.-K., Lahav, O., Vafeiadis, V., Dreyer, D.: A promising semantics for relaxed-memory concurrency. In: Proceedings of the 44th ACM SIGPLAN Symposium on Principles of Programming Languages, POPL 2017, pp. 175–189. ACM, New York (2017)
Kocher, P., et al.: Spectre attacks: exploiting speculative execution. In: 40th IEEE Symposium on Security and Privacy (S&P 2019) (2019)
Li, P., Zhao, L., Hou, R., Zhang, L., Meng, D.: Conditional speculation: an effective approach to safeguard out-of-order execution against Spectre attacks. In: 2019 IEEE International Symposium on High Performance Computer Architecture (HPCA), pp. 264–276, February 2019
Lipp, M., Gruss, D., Spreitzer, R., Maurice, C., Mangard, S.: Armageddon: cache attacks on mobile devices. In: 25th USENIX Security Symposium (USENIX Security 2016), pp. 549–564. USENIX Association (2016)
Lipp, M., et al.: Meltdown: reading kernel memory from user space. In: USENIX Security Symposium (2018)
Lustig, D., Pellauer, M., Martonosi, M.: PipeCheck: specifying and verifying microarchitectural enforcement of memory consistency models. In: Proceedings of the 47th Annual IEEE/ACM International Symposium on Microarchitecture, MICRO-47, pp. 635–646, Washington, DC, USA. IEEE Computer Society (2014)
Mcilroy, R., Sevcik, J., Tebbi, T., Titzer, B.L., Verwaest, B.L.: Spectre is here to stay: an analysis of side-channels and speculative execution. CoRR, abs/1902.05178 (2019)
Milner, R.: A Calculus of Communicating Systems. LNCS, vol. 92. Springer, Heidelberg (1980). https://doi.org/10.1007/3-540-10235-3
Morgan, C., Gardiner, P.: Data refinement by calculation. Acta Informatica 27, 481–503 (1990)
Murray, T.C., Sison, R., Engelhardt, K.: COVERN: a logic for compositional verification of information flow control. In: 2018 IEEE European Symposium on Security and Privacy, EuroS&P 2018, pp. 16–30. IEEE (2018)
Murray, T.C., Sison, R., Pierzchalski, E., Rizkallah, C.: Compositional verification and refinement of concurrent value-dependent noninterference. In: IEEE 29th Computer Security Foundations Symposium, CSF 2016, pp. 417–431. IEEE Computer Society (2016)
Plotkin, G.D.: A structural approach to operational semantics. J. Logic Algebraic Program. 60–61, 17–139 (2004)
Sarkar, S., Sewell, P., Alglave, J., Maranget, L., Williams, D.: Understanding POWER multiprocessors. SIGPLAN Not. 46(6), 175–186 (2011)
Sewell, P., Sarkar, S., Owens, S., Nardelli, F.Z., Myreen, M.O.: X86-TSO: a rigorous and usable programmer’s model for x86 multiprocessors. Commun. ACM 53(7), 89–97 (2010)
Smith, G., Coughlin, N., Murray, T.: Value-dependent information-flow security on weak memory models. In: ter Beek, M.H., McIver, A., Oliveira, J.N. (eds.) FM 2019. LNCS, vol. 11800, pp. 539–555. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-30942-8_32
Touzeau, V., Maïza, C., Monniaux, D., Reineke, J.: Fast and exact analysis for LRU caches. Proc. ACM Program. Lang. 3(POPL), 54:1–54:29 (2019)
Trippel, C., Lustig, D., Martonosi, M.: Checkmate: automated synthesis of hardware exploits and security litmus tests. In: 2018 51st Annual IEEE/ACM International Symposium on Microarchitecture (MICRO), pp. 947–960 (2018)
Trippel, C., Lustig, D., Martonosi, M.: MeltdownPrime and SpectrePrime: automatically-synthesized attacks exploiting invalidation-based coherence protocols. CoRR, abs/1802.03802 (2018)
Verdejo, A., Martí-Oliet, N.: Executable structural operational semantics in Maude. J. Logic Algebraic Programm. 67(1–2), 226–293 (2006)
Wang, G., Chattopadhyay, S., Gotovchits, I., Mitra, T., Roychoudhury, A.: oo7: low-overhead defense against spectre attacks via binary analysis. CoRR, abs/1807.05843 (2018)
Wang, S., Wang, P., Liu, X., Zhang, D., Wu, D.: CacheD: identifying cache-based timing channels in production software. In: 26th USENIX Security Symposium (USENIX Security 2017), pp. 235–252. USENIX Association (2017)
Wu, M., Wang, C.: Abstract interpretation under speculative execution. In: Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2019, pp. 802–815. ACM, New York (2019)
Yarom, Y., Falkner, K.: FLUSH+RELOAD: a high resolution, low noise, L3 cache side-channel attack. In: USENIX Security Symposium (USENIX Security 2014), pp. 719–732. USENIX Association (2014)
Zhang, Y.: Cache side channels: state of the art and research opportunities. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, pp. 2617–2619. ACM (2017)
Acknowledgements
We thank Samuel Chenoweth, Patrick Meiring, Mark Beaumont, Harrison Cusack and the anonymous reviewers for helping us improve the paper.
A Speculation Down the Correct Branch; Parallel Speculation
As far as is currently known, correct speculation has no security implications, and therefore we do not model such behaviours explicitly. However, if needed, we can capture this in several ways. For instance, a cache fetch can be associated with every load, whether inside or outside a speculation, similarly to Rule 25(a). Such semantics can be given by annotating each load that may exhibit this side effect.
Alternatively, we could add the possibility of speculation down the eventually chosen branch as a choice.
A more precise model that commits the transient context when correct speculation is found is possible, though significantly more complicated.
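The following is an added illustration, not the paper's semantics or its simulation tool: a toy Python model of a conditional that speculates down the branch that is not chosen, with an abstract cache (a set of fetched addresses) in the global state. The names `State`, `run`, `cond`, `simulate` and `fetch_all_loads` and the memory layout are assumptions made for this sketch; `fetch_all_loads=True` corresponds to the first option above, where every load performs a cache fetch.

```python
# Added illustration: a toy model, not the paper's semantics or its simulation tool.
from dataclasses import dataclass, field

@dataclass
class State:
    mem: dict                                 # address -> value
    regs: dict                                # architectural registers
    cache: set = field(default_factory=set)   # abstract cache: set of fetched addresses

def run(block, state, regs, fetch):
    """Run ('load', dst, addr_fn) / ('set', dst, val_fn) steps against `regs`.
    `fetch` says whether loads in this block record their address in the cache."""
    for op, dst, fn in block:
        if op == "load":
            addr = fn(regs)
            if fetch:
                state.cache.add(addr)
            regs[dst] = state.mem.get(addr, 0)
        else:
            regs[dst] = fn(regs)

def cond(state, guard, then_blk, else_blk, fetch_all_loads=False):
    """Conditional that first speculates down the branch that will NOT be chosen."""
    if guard(state.regs):
        taken, other = then_blk, else_blk
    else:
        taken, other = else_blk, then_blk
    run(other, state, dict(state.regs), fetch=True)   # transient registers are discarded
    run(taken, state, state.regs, fetch=fetch_all_loads)

# Constructed sample: array a at 0..3, unrelated value at 7, second array based at 100.
A_BASE, B_BASE, N = 0, 100, 4
GUARDED = [("load", "x", lambda r: A_BASE + r["i"]),
           ("load", "y", lambda r: B_BASE + r["x"])]

def simulate(i, fetch_all_loads=False):
    """Model `if i < N: x = a[i]; y = b[x]` and return (final registers, cache)."""
    mem = {0: 1, 1: 2, 2: 3, 3: 0, 7: 5}
    st = State(mem=mem, regs={"i": i})
    cond(st, lambda r: r["i"] < N, GUARDED, [], fetch_all_loads)
    return st.regs, st.cache
```

With `i = 7` the guard fails and the registers are left untouched, yet the cache holds address 105, which depends on the value stored at address 7; this residue is the kind of observable side effect a refinement rule for speculative loads has to expose.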
The concept of speculation down either branch can be extended straightforwardly to parallel speculation down multiple branches, for instance,
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Colvin, R.J., Winter, K. (2020). An Abstract Semantics of Speculative Execution for Reasoning About Security Vulnerabilities. In: Sekerinski, E., et al. Formal Methods. FM 2019 International Workshops. FM 2019. Lecture Notes in Computer Science, vol 12233. Springer, Cham. https://doi.org/10.1007/978-3-030-54997-8_21
DOI: https://doi.org/10.1007/978-3-030-54997-8_21
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-54996-1
Online ISBN: 978-3-030-54997-8
eBook Packages: Computer Science, Computer Science (R0)