Hide and Seek with Spectres: Efficient discovery of speculative information leaks with random testing

Oleksii Oleksenko; Marco Guarnieri; Boris Köpf; Mark Silberstein

doi:10.1109/SP46215.2023.10179391

Hide and Seek with Spectres: Efficient discovery of speculative information leaks with random testing

Oleksii Oleksenko, Marco Guarnieri, Boris Köpf, Mark Silberstein

Technion - Israel Institute of Technology

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Attacks like Spectre abuse speculative execution, one of the key performance optimizations of modern CPUs. Recently, several testing tools have emerged to automatically detect speculative leaks in commercial (black-box) CPUs. However, the testing process is still slow, which has hindered in-depth testing campaigns, and so far prevented the discovery of new classes of leakage.In this paper, we identify the root causes of the performance limitations in existing approaches, and propose techniques to overcome these limitations. With these techniques, we improve the testing speed over the state-of-the-art by up to two orders of magnitude.These improvements enable us to run a testing campaign of unprecedented depth on Intel and AMD CPUs. As a highlight, we discover two types of previously unknown speculative leaks (affecting string comparison and division) that have escaped previous manual and automatic analyses.

Original language	English
Title of host publication	Proceedings - 44th IEEE Symposium on Security and Privacy, SP 2023
Pages	1737-1752
Number of pages	16
ISBN (Electronic)	9781665493369
DOIs	https://doi.org/10.1109/SP46215.2023.10179391
State	Published - 2023
Event	44th IEEE Symposium on Security and Privacy, SP 2023 - Hybrid, San Francisco, United States Duration: 22 May 2023 → 25 May 2023

Publication series

Name	Proceedings - IEEE Symposium on Security and Privacy
Volume	2023-May

Conference

Conference	44th IEEE Symposium on Security and Privacy, SP 2023
Country/Territory	United States
City	Hybrid, San Francisco
Period	22/05/23 → 25/05/23

Keywords

Spectre
constrained random verification
random testing
side-channel-attack
speculative-execution

All Science Journal Classification (ASJC) codes

Safety, Risk, Reliability and Quality
Software
Computer Networks and Communications

Access to Document

10.1109/SP46215.2023.10179391

Cite this

Oleksenko, O., Guarnieri, M., Köpf, B., & Silberstein, M. (2023). Hide and Seek with Spectres: Efficient discovery of speculative information leaks with random testing. In Proceedings - 44th IEEE Symposium on Security and Privacy, SP 2023 (pp. 1737-1752). (Proceedings - IEEE Symposium on Security and Privacy; Vol. 2023-May). https://doi.org/10.1109/SP46215.2023.10179391

@inproceedings{1471f65819bd433a8c61f82330b38a2f,

title = "Hide and Seek with Spectres: Efficient discovery of speculative information leaks with random testing",

abstract = "Attacks like Spectre abuse speculative execution, one of the key performance optimizations of modern CPUs. Recently, several testing tools have emerged to automatically detect speculative leaks in commercial (black-box) CPUs. However, the testing process is still slow, which has hindered in-depth testing campaigns, and so far prevented the discovery of new classes of leakage.In this paper, we identify the root causes of the performance limitations in existing approaches, and propose techniques to overcome these limitations. With these techniques, we improve the testing speed over the state-of-the-art by up to two orders of magnitude.These improvements enable us to run a testing campaign of unprecedented depth on Intel and AMD CPUs. As a highlight, we discover two types of previously unknown speculative leaks (affecting string comparison and division) that have escaped previous manual and automatic analyses.",

keywords = "Spectre, constrained random verification, random testing, side-channel-attack, speculative-execution",

author = "Oleksii Oleksenko and Marco Guarnieri and Boris K{\"o}pf and Mark Silberstein",

note = "Publisher Copyright: {\textcopyright} 2023 IEEE.; 44th IEEE Symposium on Security and Privacy, SP 2023 ; Conference date: 22-05-2023 Through 25-05-2023",

year = "2023",

doi = "10.1109/SP46215.2023.10179391",

language = "الإنجليزيّة",

series = "Proceedings - IEEE Symposium on Security and Privacy",

pages = "1737--1752",

booktitle = "Proceedings - 44th IEEE Symposium on Security and Privacy, SP 2023",

}

Oleksenko, O, Guarnieri, M, Köpf, B & Silberstein, M 2023, Hide and Seek with Spectres: Efficient discovery of speculative information leaks with random testing. in Proceedings - 44th IEEE Symposium on Security and Privacy, SP 2023. Proceedings - IEEE Symposium on Security and Privacy, vol. 2023-May, pp. 1737-1752, 44th IEEE Symposium on Security and Privacy, SP 2023, Hybrid, San Francisco, United States, 22/05/23. https://doi.org/10.1109/SP46215.2023.10179391

Hide and Seek with Spectres: Efficient discovery of speculative information leaks with random testing. / Oleksenko, Oleksii; Guarnieri, Marco; Köpf, Boris et al.
Proceedings - 44th IEEE Symposium on Security and Privacy, SP 2023. 2023. p. 1737-1752 (Proceedings - IEEE Symposium on Security and Privacy; Vol. 2023-May).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Hide and Seek with Spectres

T2 - 44th IEEE Symposium on Security and Privacy, SP 2023

AU - Oleksenko, Oleksii

AU - Guarnieri, Marco

AU - Köpf, Boris

AU - Silberstein, Mark

PY - 2023

Y1 - 2023

N2 - Attacks like Spectre abuse speculative execution, one of the key performance optimizations of modern CPUs. Recently, several testing tools have emerged to automatically detect speculative leaks in commercial (black-box) CPUs. However, the testing process is still slow, which has hindered in-depth testing campaigns, and so far prevented the discovery of new classes of leakage.In this paper, we identify the root causes of the performance limitations in existing approaches, and propose techniques to overcome these limitations. With these techniques, we improve the testing speed over the state-of-the-art by up to two orders of magnitude.These improvements enable us to run a testing campaign of unprecedented depth on Intel and AMD CPUs. As a highlight, we discover two types of previously unknown speculative leaks (affecting string comparison and division) that have escaped previous manual and automatic analyses.

AB - Attacks like Spectre abuse speculative execution, one of the key performance optimizations of modern CPUs. Recently, several testing tools have emerged to automatically detect speculative leaks in commercial (black-box) CPUs. However, the testing process is still slow, which has hindered in-depth testing campaigns, and so far prevented the discovery of new classes of leakage.In this paper, we identify the root causes of the performance limitations in existing approaches, and propose techniques to overcome these limitations. With these techniques, we improve the testing speed over the state-of-the-art by up to two orders of magnitude.These improvements enable us to run a testing campaign of unprecedented depth on Intel and AMD CPUs. As a highlight, we discover two types of previously unknown speculative leaks (affecting string comparison and division) that have escaped previous manual and automatic analyses.

KW - Spectre

KW - constrained random verification

KW - random testing

KW - side-channel-attack

KW - speculative-execution

UR - http://www.scopus.com/inward/record.url?scp=85162979297&partnerID=8YFLogxK

U2 - 10.1109/SP46215.2023.10179391

DO - 10.1109/SP46215.2023.10179391

M3 - منشور من مؤتمر

T3 - Proceedings - IEEE Symposium on Security and Privacy

SP - 1737

EP - 1752

BT - Proceedings - 44th IEEE Symposium on Security and Privacy, SP 2023

Y2 - 22 May 2023 through 25 May 2023

ER -

Hide and Seek with Spectres: Efficient discovery of speculative information leaks with random testing

Abstract

Publication series

Conference

Keywords

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this