A Formal Approach for Detecting Vulnerabilities to Transient Execution Attacks in Out-of-Order Processors

M. R. Fadiheh, Johannes Müller, R. Brinkmann, S. Mitra, D. Stoffel, W. Kunz
Published in: 2020 57th ACM/IEEE Design Automation Conference (DAC), 2020-07-01
DOI: https://doi.org/10.1109/DAC18072.2020.9218572
Citations: 22

Abstract

Transient execution attacks, such as Spectre and Meltdown, create a new and serious attack surface in modern processors. In spite of all countermeasures taken during recent years, the cycles of alarm and patch are ongoing and call for a better formal understanding of the threat and possible preventions. This paper introduces a formal definition of security with respect to transient execution attacks, formulated as a HW property. We present a formal method for security verification by HW property checking based on extending Unique Program Execution Checking (UPEC) to out-of-order processors. UPEC can be used to systematically detect all vulnerabilities to transient execution attacks, including vulnerabilities unknown so far. The feasibility of our approach is demonstrated using the example of the BOOM processor, which is a design with more than 650,000 state bits. In BOOM our approach detects a new, so far unknown vulnerability, called Spectre-STC, indicating that single-threaded processors can also be vulnerable to contention-based Spectre attacks.