AMuLeT: Automated Design-Time Testing of Secure Speculation Countermeasures

Bo Fu; Leo Tenenbaum; David Adler; Assaf Klein; Arpit Gogia; Alaa R. Alameldeen; Marco Guarnieri; Mark Silberstein; Oleksii Oleksenko; Gururaj Saileshwar

doi:10.1145/3676641.3716247

AMuLeT: Automated Design-Time Testing of Secure Speculation Countermeasures

Bo Fu, Leo Tenenbaum, David Adler, Assaf Klein, Arpit Gogia, Alaa R. Alameldeen, Marco Guarnieri, Mark Silberstein, Oleksii Oleksenko, Gururaj Saileshwar

Electrical and Computer Engineering

Technion - Israel Institute of Technology

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

In recent years, several hardware-based countermeasures proposed to mitigate Spectre attacks have been shown to be insecure. To enable the development of effective secure speculation countermeasures, we need easy-to-use tools that can automatically test their security guarantees early-on in the design phase to facilitate rapid prototyping. This paper develops AMuLeT, the first tool capable of testing secure speculation countermeasures for speculative leakage early in their design phase in simulators. Our key idea is to leverage model-based relational testing tools that can detect speculative leaks in commercial CPUs, and apply them to micro-architectural simulators to test secure speculation defenses. We identify and overcome several challenges, including designing an expressive yet realistic attacker observer model in a simulator, overcoming the slow simulation speed, and searching the vast micro-architectural state space for potential vulnerabilities. AMuLeT speeds up test throughput by more than 10x compared to a naive design and uses techniques to amplify vulnerabilities to uncover them within a limited test budget. Using AMuLeT, we launch for the first time, a systematic, large-scale testing campaign of four secure speculation countermeasures from 2018 to 2024-InvisiSpec, CleanupSpec, STT, and SpecLFB-and uncover 3 known and 6 unknown bugs and vulnerabilities, within 3 hours of testing. We also show for the first time that the open-source implementation of SpecLFB is insecure.

Original language	English
Title of host publication	ASPLOS 2025 - Proceedings of the 30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems
Pages	32-47
Number of pages	16
ISBN (Electronic)	9798400710797
DOIs	https://doi.org/10.1145/3676641.3716247
State	Published - 30 Mar 2025
Event	30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS 2025 - Rotterdam, Netherlands Duration: 30 Mar 2025 → 3 Apr 2025

Publication series

Name	International Conference on Architectural Support for Programming Languages and Operating Systems - ASPLOS
Volume	2

Conference

Conference	30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS 2025
Country/Territory	Netherlands
City	Rotterdam
Period	30/03/25 → 3/04/25

Keywords

defenses
fuzzing
side channels
spectre

All Science Journal Classification (ASJC) codes

Software
Information Systems
Hardware and Architecture

Access to Document

10.1145/3676641.3716247

Cite this

Fu, B., Tenenbaum, L., Adler, D., Klein, A., Gogia, A., Alameldeen, A. R., Guarnieri, M., Silberstein, M., Oleksenko, O., & Saileshwar, G. (2025). AMuLeT: Automated Design-Time Testing of Secure Speculation Countermeasures. In ASPLOS 2025 - Proceedings of the 30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems (pp. 32-47). (International Conference on Architectural Support for Programming Languages and Operating Systems - ASPLOS; Vol. 2). https://doi.org/10.1145/3676641.3716247

Fu, Bo ; Tenenbaum, Leo ; Adler, David et al. / AMuLeT : Automated Design-Time Testing of Secure Speculation Countermeasures. ASPLOS 2025 - Proceedings of the 30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems. 2025. pp. 32-47 (International Conference on Architectural Support for Programming Languages and Operating Systems - ASPLOS).

@inproceedings{2f76199d28384845b9a513795d5b9e8f,

title = "AMuLeT: Automated Design-Time Testing of Secure Speculation Countermeasures",

abstract = "In recent years, several hardware-based countermeasures proposed to mitigate Spectre attacks have been shown to be insecure. To enable the development of effective secure speculation countermeasures, we need easy-to-use tools that can automatically test their security guarantees early-on in the design phase to facilitate rapid prototyping. This paper develops AMuLeT, the first tool capable of testing secure speculation countermeasures for speculative leakage early in their design phase in simulators. Our key idea is to leverage model-based relational testing tools that can detect speculative leaks in commercial CPUs, and apply them to micro-architectural simulators to test secure speculation defenses. We identify and overcome several challenges, including designing an expressive yet realistic attacker observer model in a simulator, overcoming the slow simulation speed, and searching the vast micro-architectural state space for potential vulnerabilities. AMuLeT speeds up test throughput by more than 10x compared to a naive design and uses techniques to amplify vulnerabilities to uncover them within a limited test budget. Using AMuLeT, we launch for the first time, a systematic, large-scale testing campaign of four secure speculation countermeasures from 2018 to 2024-InvisiSpec, CleanupSpec, STT, and SpecLFB-and uncover 3 known and 6 unknown bugs and vulnerabilities, within 3 hours of testing. We also show for the first time that the open-source implementation of SpecLFB is insecure.",

keywords = "defenses, fuzzing, side channels, spectre",

author = "Bo Fu and Leo Tenenbaum and David Adler and Assaf Klein and Arpit Gogia and Alameldeen, {Alaa R.} and Marco Guarnieri and Mark Silberstein and Oleksii Oleksenko and Gururaj Saileshwar",

note = "Publisher Copyright: {\textcopyright} 2025 ACM.; 30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS 2025 ; Conference date: 30-03-2025 Through 03-04-2025",

year = "2025",

month = mar,

day = "30",

doi = "10.1145/3676641.3716247",

language = "الإنجليزيّة",

series = "International Conference on Architectural Support for Programming Languages and Operating Systems - ASPLOS",

pages = "32--47",

booktitle = "ASPLOS 2025 - Proceedings of the 30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems",

}

Fu, B, Tenenbaum, L, Adler, D, Klein, A, Gogia, A, Alameldeen, AR, Guarnieri, M, Silberstein, M, Oleksenko, O & Saileshwar, G 2025, AMuLeT: Automated Design-Time Testing of Secure Speculation Countermeasures. in ASPLOS 2025 - Proceedings of the 30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems. International Conference on Architectural Support for Programming Languages and Operating Systems - ASPLOS, vol. 2, pp. 32-47, 30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS 2025, Rotterdam, Netherlands, 30/03/25. https://doi.org/10.1145/3676641.3716247

AMuLeT: Automated Design-Time Testing of Secure Speculation Countermeasures. / Fu, Bo; Tenenbaum, Leo; Adler, David et al.
ASPLOS 2025 - Proceedings of the 30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems. 2025. p. 32-47 (International Conference on Architectural Support for Programming Languages and Operating Systems - ASPLOS; Vol. 2).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - AMuLeT

T2 - 30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS 2025

AU - Fu, Bo

AU - Tenenbaum, Leo

AU - Adler, David

AU - Klein, Assaf

AU - Gogia, Arpit

AU - Alameldeen, Alaa R.

AU - Guarnieri, Marco

AU - Silberstein, Mark

AU - Oleksenko, Oleksii

AU - Saileshwar, Gururaj

PY - 2025/3/30

Y1 - 2025/3/30

N2 - In recent years, several hardware-based countermeasures proposed to mitigate Spectre attacks have been shown to be insecure. To enable the development of effective secure speculation countermeasures, we need easy-to-use tools that can automatically test their security guarantees early-on in the design phase to facilitate rapid prototyping. This paper develops AMuLeT, the first tool capable of testing secure speculation countermeasures for speculative leakage early in their design phase in simulators. Our key idea is to leverage model-based relational testing tools that can detect speculative leaks in commercial CPUs, and apply them to micro-architectural simulators to test secure speculation defenses. We identify and overcome several challenges, including designing an expressive yet realistic attacker observer model in a simulator, overcoming the slow simulation speed, and searching the vast micro-architectural state space for potential vulnerabilities. AMuLeT speeds up test throughput by more than 10x compared to a naive design and uses techniques to amplify vulnerabilities to uncover them within a limited test budget. Using AMuLeT, we launch for the first time, a systematic, large-scale testing campaign of four secure speculation countermeasures from 2018 to 2024-InvisiSpec, CleanupSpec, STT, and SpecLFB-and uncover 3 known and 6 unknown bugs and vulnerabilities, within 3 hours of testing. We also show for the first time that the open-source implementation of SpecLFB is insecure.

AB - In recent years, several hardware-based countermeasures proposed to mitigate Spectre attacks have been shown to be insecure. To enable the development of effective secure speculation countermeasures, we need easy-to-use tools that can automatically test their security guarantees early-on in the design phase to facilitate rapid prototyping. This paper develops AMuLeT, the first tool capable of testing secure speculation countermeasures for speculative leakage early in their design phase in simulators. Our key idea is to leverage model-based relational testing tools that can detect speculative leaks in commercial CPUs, and apply them to micro-architectural simulators to test secure speculation defenses. We identify and overcome several challenges, including designing an expressive yet realistic attacker observer model in a simulator, overcoming the slow simulation speed, and searching the vast micro-architectural state space for potential vulnerabilities. AMuLeT speeds up test throughput by more than 10x compared to a naive design and uses techniques to amplify vulnerabilities to uncover them within a limited test budget. Using AMuLeT, we launch for the first time, a systematic, large-scale testing campaign of four secure speculation countermeasures from 2018 to 2024-InvisiSpec, CleanupSpec, STT, and SpecLFB-and uncover 3 known and 6 unknown bugs and vulnerabilities, within 3 hours of testing. We also show for the first time that the open-source implementation of SpecLFB is insecure.

KW - defenses

KW - fuzzing

KW - side channels

KW - spectre

UR - http://www.scopus.com/inward/record.url?scp=105002563252&partnerID=8YFLogxK

U2 - 10.1145/3676641.3716247

DO - 10.1145/3676641.3716247

M3 - منشور من مؤتمر

T3 - International Conference on Architectural Support for Programming Languages and Operating Systems - ASPLOS

SP - 32

EP - 47

BT - ASPLOS 2025 - Proceedings of the 30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems

Y2 - 30 March 2025 through 3 April 2025

ER -

Fu B, Tenenbaum L, Adler D, Klein A, Gogia A, Alameldeen AR et al. AMuLeT: Automated Design-Time Testing of Secure Speculation Countermeasures. In ASPLOS 2025 - Proceedings of the 30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems. 2025. p. 32-47. (International Conference on Architectural Support for Programming Languages and Operating Systems - ASPLOS). doi: 10.1145/3676641.3716247

AMuLeT: Automated Design-Time Testing of Secure Speculation Countermeasures

Abstract

Publication series

Conference

Keywords

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this