Litcius/Paper detail

A Formal Approach for Detecting Vulnerabilities to Transient Execution Attacks in Out-of-Order Processors

Mohammad Rahmani Fadiheh, Muller Johannes, Raik Brinkmann, Subhasish Mitra, Dominik Stoffel, Wolfgang Kunz

202038 citationsDOI

Abstract

Transient execution attacks, such as Spectre and Meltdown, create a new and serious attack surface in modern processors. In spite of all countermeasures taken during recent years, the cycles of alarm and patch are ongoing and call for a better formal understanding of the threat and possible preventions.This paper introduces a formal definition of security with respect to transient execution attacks, formulated as a HW property. We present a formal method for security verification by HW property checking based on extending Unique Program Execution Checking (UPEC) to out-of-order processors. UPEC can be used to systematically detect all vulnerabilities to transient execution attacks, including vulnerabilities unknown so far. The feasibility of our approach is demonstrated at the example of the BOOM processor, which is a design with more than 650,000 state bits. In BOOM our approach detects a new, so far unknown vulnerability, called Spectre-STC, indicating that also single-threaded processors can be vulnerable to contention-based Spectre attacks.

Topics & Concepts

Computer scienceTransient (computer programming)Vulnerability (computing)Model checkingComputer securityBoomFormal methodsState (computer science)Property (philosophy)Formal verificationEmbedded systemProgramming languageEngineeringEpistemologyPhilosophyEnvironmental engineeringSecurity and Verification in ComputingAdvanced Memory and Neural ComputingPhysical Unclonable Functions (PUFs) and Hardware Security