Spectre Attack

Exploiting Speculative Execution

In the era of computer systems, time and performance is very important. To achieve that, computer scientists works hard to make CPUs better and faster. Most of the modern CPUs in present devices around the world make use of a performance feature called speculative execution. Speculative execution improves the performance of the CPU. It does that by guessing future tasks and executing the instruction. In normal cases, the task comes from the memory and it is executed by CPU, and results are stored in the storage. For better performance using speculative execution, the task is guessed by CPU and executed. When the task comes from memory, the CPU makes sure the correctness of its initial guess. If the guess was incorrect, the CPU reverts speculative execution. If the guess was correct, a significant performance gain is achieved.

As the idiom says that every coin has two sides, in the same way, there are also some disadvantages of speculative execution. These are called spectre attacks. Spectre attacks are performed by attackers to manipulate the CPU to execute tasks speculatively. Sequences of instructions are sent to the CPU by attackers to execute task a speculatively. These instructions are called transient instructions. By carefully choosing this instruction, attackers can leak sensitive data.

Spectre attacks leak victims' confidential data by executing speculative operations that would not occur during correct program execution. This attack is performed in three phases: (1) Setup phase, (2) Speculative (mis-)execution of instructions (3) Sensitive data recovery. In the first phase, attacker performs the operations which mistrain the processor so that later it will (mis-)execute instructions speculatively. The second phase is the (mis-)execution of instruction speculatively. In the third phase, sensitive data is recovered which is leaked by the processor because of speculative (mis-)execution. This can also leverage exploitation of conditional branches and indirect branches. According to the research paper, to misuse conditional branches, the assailant needs the branch indicator to mispredict the heading of the branch. At that point, the CPU should theoretically execute code that would not be generally executed, which releases the data.

If they stop using speculative execution on sensitive execution paths, then conditional branch vulnerability can be less severe. Indirect branch poisoning vulnerability is difficult to mitigate; if they disable hyperthreading and flush branch prediction state during context switches then it can also be less severe, but there is no architecturally defined method to do that. They can also disable speculative execution, but that brings a significant decrease in performance.

The solution given in the research paper is not convincing, but they don’t have any other solution to completely solve the issue of spectre attacks. Researchers are still working on it. We cannot stop using speculative execution feature till researchers find a solution for this problem, since it will significantly decrease performance of all devices.

Some Questions for You:

  • If spectre attacks are really serious, then why don’t we just stop using the speculative execution feature?
  • Under section 1.2, sub-section “Exploiting Indirect Branches,” the paper talks about gadgets; what are gadgets?
  • What is browser sandboxing?
  • What are memory isolation and process isolation boundaries?
  • What are covert channels?
  • What is flush+reload?
  • What is evict+reload
  • What are mfence, lfence, and sfence?
  • Is there any other technology that can decrease the gap between processor and memory?
  • What is everyone’s opinion on the solution provided by researchers to mitigate spectre attacks?

Reference Material