
SMoTherSpectre: exploiting speculative execution through port contention [article]

Atri Bhattacharyya and Alexandra Sandulescu and Matthias Neugschwandtner and Alessandro Sorniotti and Babak Falsafi and Mathias Payer and Anil Kurmus
2019 arXiv   pre-print
We introduce SMoTherSpectre, a speculative code-reuse attack that leverages port-contention in simultaneously multi-threaded processors (SMoTher) as a side channel to leak information from a victim process  ...  Spectre, Meltdown, and related attacks have demonstrated that kernels, hypervisors, trusted execution environments, and browsers are prone to information disclosure through micro-architectural weaknesses  ...  We then exploit port contention as a side channel to transmit information during speculative execution (SMoTherSpectre).  ... 
arXiv:1903.01843v2 fatcat:iw3nidkuazc7rhrp56z2zlp3fa

SMoTherSpectre

Atri Bhattacharyya, Alexandra Sandulescu, Matthias Neugschwandtner, Alessandro Sorniotti, Babak Falsafi, Mathias Payer, Anil Kurmus
2019 Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security - CCS '19  
We introduce SMoTherSpectre, a speculative code-reuse attack that leverages port-contention in simultaneously multithreaded processors (SMoTher) as a side channel to leak information from a victim process  ...  Spectre, Meltdown, and related attacks have demonstrated that kernels, hypervisors, trusted execution environments, and browsers are prone to information disclosure through micro-architectural weaknesses  ...  We then exploit port contention as a side channel to transmit information during speculative execution (SMoTherSpectre).  ... 
doi:10.1145/3319535.3363194 dblp:conf/ccs/BhattacharyyaSN19 fatcat:oqwoc6b63rajvm75wbuj6g3234

Leaking Secrets through Modern Branch Predictor in the Speculative World [article]

Md Hafizul Islam Chowdhuryy, Fan Yao
2021 arXiv   pre-print
Transient execution attacks that exploit speculation have raised significant concerns in computer systems.  ...  Such characteristic allows attackers to exploit BPU as the secret transmitting medium in transient execution attacks.  ...  SmotherSpectre [7] illustrates a noncache speculation attack that exploits contention on ports of function units as leakage source in transient execution.  ... 
arXiv:2107.09833v1 fatcat:3fovrjwoxnglla6g53cwcutqcu

DOLMA: Securing Speculation with the Principle of Transient Non-Observability

Kevin Loughlin, Ian Neal, Jiacheng Ma, Elisa Tsai, Ofir Weisse, Satish Narayanasamy, Baris Kasikci
2021 USENIX Security Symposium  
., mis-speculated) execution through microarchitectural covert timing channels.  ...  However, we demonstrate that the current state-of-the-art defense fails to mitigate attacks using speculative stores, still allowing arbitrary data leakage during transient execution.  ...  In order to create reliable contention on issue ports, SMotherSpectre uses a secret-dependent speculative redirect to fetch and issue micro-ops.  ... 
dblp:conf/uss/LoughlinNMTWNK21 fatcat:klkyenfxszb5dpjml7el2gjzxa

Exploiting Security Dependence for Conditional Speculation against Spectre Attacks

Lutan Zhao, Peinan Li, Rui Hou, Michael Huang, Peng Liu, Lixin Zhang, Dan Meng
2020 IEEE transactions on computers  
Our design philosophy is to speculatively execute safe instructions to maintain the performance benefits of out-of-order execution while delaying the cache updates for speculative execution of unsafe instructions  ...  Otherwise, they are considered as unsafe instructions and thus not allowed to execute speculatively.  ...  One case study is to extend conditional speculation to defend the Spectre variants based on port-contention side channel, such as SMoTherSpectre [29].  ... 
doi:10.1109/tc.2020.2997555 fatcat:ks6trs4urnb5xi3wp5xl43trfe

SPECCFI: Mitigating Spectre Attacks using CFI Informed Speculation [article]

Esmaeil Mohammadian Koruyeh, Shirin Haji Amin Shirazi, Khaled N. Khasawneh, Chengyu Song, Nael Abu-Ghazaleh
2019 arXiv   pre-print
The attacks rely on the ability to misguide speculative execution, generally by exploiting the branch prediction structures, to execute a vulnerable code sequence speculatively.  ...  With the CFI information, we apply CFI principles to also constrain illegal control-flow during speculative execution.  ...  The SMoTHer Gadget starts with a comparison based on the target register followed by a conditional jump which enables SMoTherSpectre to leak the secret through a port contention side-channel.  ... 
arXiv:1906.01345v2 fatcat:mml4274srjb3zfi3pmi7bo6wiu

Breaking and Fixing Speculative Load Hardening [article]

Zhiyuan Zhang, Gilles Barthe, Chitchanok Chuengsatiansup, Peter Schwabe, Yuval Yarom
2022 IACR Cryptology ePrint Archive  
execution.  ...  We do this by demonstrating, for the first time, that variable-time arithmetic instructions leak secret information even if they are executed only speculatively.  ...  Port contention spy. To distinguish the execution paths, we rely on port contention [19] .  ... 
dblp:journals/iacr/ZhangBCSY22 fatcat:vgvpj2jbrjd53bfp27gbzm24kq

SpecCFI: Mitigating Spectre Attacks using CFI Informed Speculation

Esmaeil Mohammadian Koruyeh, Shirin Haji Amin Shirazi, Khaled N. Khasawneh, Chengyu Song, Nael Abu-Ghazaleh
2020 2020 IEEE Symposium on Security and Privacy (SP)  
The attacks rely on the ability to misguide speculative execution, generally by exploiting the branch prediction structures, to execute a vulnerable code sequence speculatively.  ...  With the CFI information, we apply CFI principles to also constrain illegal control-flow during speculative execution.  ...  The SMoTHer Gadget starts with a comparison based on the target register followed by a conditional jump which enables SMoTherSpectre to leak the secret through a port contention side-channel.  ... 
doi:10.1109/sp40000.2020.00033 dblp:conf/sp/KoruyehSKSA20 fatcat:et2rhhu72vaz5nooi3c3ftnyre

Speculative Interference Attacks: Breaking Invisible Speculation Schemes [article]

Mohammad Behnia, Prateek Sahu, Riccardo Paccagnella, Jiyong Yu, Zirui Zhao, Xiang Zou, Thomas Unterluggauer, Josep Torrellas, Carlos Rozas, Adam Morrison, Frank Mckeen, Fangfei Liu (+4 others)
2021 arXiv   pre-print
The highly publicized vulnerability uses speculative execution to learn victim secrets by changing cache state.  ...  Recent security vulnerabilities that target speculative execution (e.g., Spectre) present a significant challenge for processor design.  ...  To our knowledge, only SMoTherSpectre [8] and NetSpectre [44] make use of alternative covert channels, such as port contention, for speculative execution attacks.  ... 
arXiv:2007.11818v4 fatcat:mijmtovhzfdjhd3xiamgus4mqe

Speculative taint tracking (STT)

Jiyong Yu, Mengjia Yan, Artem Khyzha, Adam Morrison, Josep Torrellas, Christopher W. Fletcher
2021 Communications of the ACM  
Speculative execution attacks present an enormous security threat, capable of reading arbitrary program data under malicious speculation, and later exfiltrating that data over microarchitectural covert  ...  The main idea is that it is safe to execute and selectively forward the results of speculative instructions that read secrets, as long as we can prove that the forwarded results do not reach potential  ...  Type Branch type Cache timing 17, 26 Spectre V1 15 Exp - Execution unit timing 3, 10 - Exp - SIMD utilization NetSpectre 20 Imp Exp Port contention 2 SmotherSpectre 4 Imp Exp Store-load forwarding - Imp  ... 
doi:10.1145/3491201 fatcat:wbtpbqwnpvdrdcgmjxgasgsw5i

FastSpec: Scalable Generation and Detection of Spectre Gadgets Using Neural Embeddings [article]

M. Caner Tol, Berk Gulmezoglu, Koray Yurtseven, Berk Sunar
2021 arXiv   pre-print
The other class is Spectre-type attacks [1], [3], [33]-[35] that exploit the speculative execution.  ...  The exploitable gadgets in the commercial software have many instructions that are speculatively executed until the secret is leaked.  ... 
arXiv:2006.14147v2 fatcat:ioglqzk2xjdwrl75cvbrioowxu

Automatically Eliminating Speculative Leaks from Cryptographic Code with Blade [article]

Marco Vassena, Craig Disselkoen, Sunjay Cauligi, Klaus V. Gleissenthall, Rami Gökhan Kici, Ranjit Jhala, Deian Stefan, Dean Tullsen
2020 arXiv   pre-print
BLADE is built on the insight that to stop leaks via speculation, it suffices to cut the dataflow from expressions that speculatively introduce secrets (sources) to those that leak them through the cache  ...  (sinks), rather than prohibit speculation altogether.  ...  We similarly do not consider Meltdown attacks [Lipp et al. 2018] or attacks that do not use the cache to exfiltrate data, e.g., port contention (SMoTherSpectre [Bhattacharyya et al. 2019]).  ... 
arXiv:2005.00294v2 fatcat:ntuxqd5uuzeghax62lkqjiclxq

Study and Evaluation of Protection Mechanisms against Speculative Execution Side-Channel Attacks [article]

Theodoros Trochatos, National Technological University Of Athens
2022
Smotherspectre: Exploiting speculative execution through port contention. CCS ’19, New York, NY, USA, 2019.  ...  Efficient invisible speculative execution through selective delay and value prediction.  ... 
doi:10.26240/heal.ntua.21984 fatcat:t3cnbxtvcnbyni3oy766balv6a