Formal Modeling of Transient Execution Attacks
The Spectre family of speculative execution attacks have required a rethinking of formal methods for security. The promise of formal methods is to provide guarantees of correctness and security in exchange for rigorous specifications and sound layering of abstractions. Unfortunately, the discovery of speculation-based vulnerabilities such as SPECTRE has shown that some of the most basic abstractions are broken at the microarchitectural level in today’s mainstream computing architectures. Modern processors execute code speculatively and may have to roll back state if a prediction turns out to be wrong; despite being rolled back, the transient execution can leave traces in the microarchitectural state that an attacker can abuse. By causing the processor to mispredict certain conditions, such as whether a branch is taken or not, an attacker can exfiltrate data despite system-level protection.
This project focuses on defining new types of semantics for speculative execution and related micro-architectural features, based on insights from formal methods for concurrency and weak memory models. We propose to specify speculative semantics using the CAT modeling language for memory consistency to specify execution models. We extend the Dartagnan Bounded Model Checker to directly process assembly code and interpret our new models. With this new framework, we validate attacks and defenses with respect to speculative semantics.
Hernán Ponce de León and Johannes Kinder. Cats vs. Spectre: An Axiomatic Approach to Modeling Speculative Execution Attacks. In Proc. IEEE Symp. Security and Privacy (S&P), pp. 1415–1428, IEEE, 2022. [ PDF]