#### Eclipse

Preventing Speculative Memory-error Abuse with Artificial Data Dependencies

Neophytos Christou Alexander J. Gaidis Vaggelis Atlidakis Vasileios P. Kemerlis

October 17, 2024

Secure Systems Laboratory (SSL) Department of Computer Science Brown University



## Speculative Memory-error Abuse

## Speculative Memory-error Abuse (SMA) Attacks Overview

- Combine memory errors with speculative execution attacks
  - Leverage memory errors to architecturally corrupt memory
  - Cause the CPU to use the corrupted data during speculative execution
  - ▶ Bypass memory-safety-based mitigations while inhibiting detection (e.g., avoid crashes)



```
if (condition) {
    fptr();
}
```





0x10000



<sup>&</sup>lt;sup>1</sup>Speculative Probing: Hacking Blind in the Spectre Era. Göktas, et al., CCS 2020.

```
if (condition) {
    fptr();
}
```

## Attack Steps

1. Train branch



0x10000



<sup>&</sup>lt;sup>1</sup>Speculative Probing: Hacking Blind in the Spectre Era. Göktas, et al., CCS 2020.

```
if (condition) {
    fptr();
}
```

- 1. Train branch
- 2. Architecturally corrupt fptr, flip condition





<sup>&</sup>lt;sup>1</sup>Speculative Probing: Hacking Blind in the Spectre Era. Göktas, et al., CCS 2020.

```
if (condition) {
    fptr();
}
```

- 1. Train branch
- 2. Architecturally corrupt fptr, flip condition
  - ► Corrupted fptr → speculatively deref.'d





<sup>&</sup>lt;sup>1</sup>Speculative Probing: Hacking Blind in the Spectre Era. Göktas, et al., CCS 2020.

```
if (condition) {
    fptr();
}
```

- 1. Train branch
- 2. Architecturally corrupt fptr, flip condition
  - ► Corrupted fptr → speculatively deref.'d
- 3. Check for cache activity (side channel)





<sup>&</sup>lt;sup>1</sup>Speculative Probing: Hacking Blind in the Spectre Era. Göktas, et al., CCS 2020.

```
if (condition) {
    fptr();
}
```

- 1. Train branch
- 2. Architecturally corrupt fptr, flip condition
  - ▶ Corrupted fptr → speculatively deref.'d
- 3. Check for cache activity (side channel)
- 4. Repeat until cache activity is detected



<sup>&</sup>lt;sup>1</sup>Speculative Probing: Hacking Blind in the Spectre Era. Göktas, et al., CCS 2020.

```
if (condition) {
    fptr();
}
```

- 1. Train branch
- 2. Architecturally corrupt fptr, flip condition
  - ► Corrupted fptr → speculatively deref.'d
- 3. Check for cache activity (side channel)
- 4. Repeat until cache activity is detected





<sup>&</sup>lt;sup>1</sup>Speculative Probing: Hacking Blind in the Spectre Era. Göktas, et al., CCS 2020.

```
if (condition) {
    fptr();
}
```

- 1. Train branch
- 2. Architecturally corrupt fptr, flip condition
  - ▶ Corrupted fptr → speculatively deref.'d
- 3. Check for cache activity (side channel)
- 4. Repeat until cache activity is detected





<sup>&</sup>lt;sup>1</sup>Speculative Probing: Hacking Blind in the Spectre Era. Göktas, et al., CCS 2020.

```
if (condition) {
    fptr();
}
```

- 1. Train branch
- 2. Architecturally corrupt fptr, flip condition
  - ▶ Corrupted fptr → speculatively deref.'d
- 3. Check for cache activity (side channel)
- 4. Repeat until cache activity is detected





neophytos christou@brown.edu (Brown University)

```
if (condition) {
    fptr();
}
```

- 1. Train branch
- 2. Architecturally corrupt fptr, flip condition
  - ► Corrupted fptr → speculatively deref.'d
- 3. Check for cache activity (side channel)
- 4. Repeat until cache activity is detected





<sup>&</sup>lt;sup>1</sup>Speculative Probing: Hacking Blind in the Spectre Era. Göktas, et al., CCS 2020.

```
if (condition) {
    fptr();
}
```

- 1. Train branch
- 2. Architecturally corrupt fptr, flip condition
  - ► Corrupted fptr → speculatively deref.'d
- 3. Check for cache activity (side channel)
- 4. Repeat until cache activity is detected





neophytos christou@brown.edu (Brown University)

```
if (condition) {
    fptr();
}
```

- 1. Train branch
- 2. Architecturally corrupt fptr, flip condition
  - ▶ Corrupted fptr → speculatively deref.'d
- 3. Check for cache activity (side channel)
- 4. Repeat until cache activity is detected



<sup>1</sup> Speculative Probing: Hacking Blind in the Spectre Era. Göktas. et al., CCS 2020.

ACM CCS 2024

```
if (condition) {
    fptr();
}
```

- 1. Train branch
- 2. Architecturally corrupt fptr, flip condition
  - Corrupted fptr → speculatively deref.'d
- 3. Check for cache activity (side channel)
- 4. Repeat until cache activity is detected





<sup>&</sup>lt;sup>1</sup>Speculative Probing: Hacking Blind in the Spectre Era. Göktas, et al., CCS 2020.



<sup>&</sup>lt;sup>1</sup>Speculative Probing: Hacking Blind in the Spectre Era. Göktas, et al., CCS 2020.





CPUs cannot execute instructions with unresolved data dependencies

• Even when executing speculatively





CPUs cannot execute instructions with unresolved data dependencies

• Even when executing speculatively





CPUs cannot execute instructions with unresolved data dependencies

• Even when executing speculatively

# Eclipse Approach

Compiler-assisted mitigation

### **9** Insight

CPUs cannot execute instructions with unresolved data dependencies

• Even when executing speculatively

## Eclipse Approach

- Compiler-assisted mitigation
- Analyze program to identify SMA-Capable (SMAC) instructions
  - → Instructions that can be leveraged to carry out a SMA attack
  - → Can be *speculatively executed* as a result of a misprediction of a *preceding conditional branch*

### 🥊 Insight

CPUs cannot execute instructions with unresolved data dependencies

• Even when executing speculatively

## 👬 Eclipse Approach

- Compiler-assisted mitigation
- Analyze program to identify SMA-Capable (SMAC) instructions
  - → Instructions that can be leveraged to carry out a SMA attack
  - → Can be *speculatively executed* as a result of a misprediction of a *preceding conditional branch*
  - Instrument code to introduce artificial data dependencies on the identified SMAC instructions
    - ➤ Prevent instructions from operating on attacker-controlled data during speculative execution

```
if (condition) {
    fptr();
}
...

target:
...
```

```
je no_call
callq *%rcx
.no_call:
...
target:
```

cmpl

\$0x0, %rax

```
♥° Register State
```



: Non-speculative execution : Speculative execution

```
if (condition) {
  fptr();
}
...
target:
...
```

```
rax (condition): unknown
rflags: unknown
```

```
cmpl $0x0, %rax

Je no_call
callq *%rcx
.no_call:
...

target:
...
```





```
if (condition) {
  fptr();
}
...

target:
...
```

```
Register State

rax (condition): unknown
rflags: unknown
```





```
if (condition) {
    fptr();
}
...

target:
...
```

```
cmpl $0x0, %rax
je no_call
callq *%rcx
.no_call:
...
```

```
Register State

rax (condition): unknown

rflags: unknown

rcx (fptr): target
```



ACM CCS 2024



```
if (condition) {
  fptr();
}
...
```

target:

### Register State

```
rax (condition): unknown
rflags: unknown
rcx (fptr): target
```

```
cmpl $0x0, %rax
je no_call
callq *%rcx
.no_call:
```

target:





```
state = 0;
poison = -1;
if (condition) {
   state = (!condition) ? poison : state;
   fptr |= state;
   fptr();
}
...
target:
...
```

```
Ф<sup>o</sup> Register State
```

```
mov $0x0, %r11

mov $0xfffffffffffffff, %r12
cmpl $0x0, %rax
je no_call
cmove %r12, %r11
or %r11, %rcx
callq *%rcx
.no_call:
...

target:
```





```
state = 0;
poison = -1;
if (condition) {
  state = (!condition) ? poison : state;
  fptr |= state;
  fptr();
}
...
target:
```

```
target:
```

```
r11 (state): 0
r12 (poison): -1
```

```
mov $0x0, %r11

mov $0xfffffffffffffff, %r12

cmpl $0x0, %rax

je no_call

cmove %r12, %r11

or %r11, %rcx

callq *%rcx

.no_call:
...
```

```
target:
```

```
: Non-speculative execution : Speculative execution
```



```
state = 0;
poison = -1;
if (condition) {
   state = (!condition) ? poison : state;
   fptr |= state;
   fptr();
}
...
target:
```

```
Register State

r11 (state): 0

r12 (poison): -1

rax (condition): unknown

rflags: unknown
```





```
state = 0;
poison = -1;
if (condition) {
   state = (!condition) ? poison : state;
   fptr |= state;
   fptr();
}
...
target:
...
```

## **♥** Register State

```
r11 (state): 0
r12 (poison): -1
rax (condition): unknown
rflags: unknown
```

```
$0x0, %r11
mov
      mov
      $0x0, %rax Modifies rflags
cmpl
                Depends on rflags
 jе
       no_call
      %r12, %r11
cmove
      %r11, %rcx
or
callq
     *%rcx
.no call:
```

target:





```
state = 0;
poison = -1;
if (condition) {
    state = (!condition) ? poison : state;
    fptr |= state;
    fptr();
}
...
target:
...
```

```
💠 Register State
```

```
r12 (poison): -1
rax (condition): unknown
rflags (impicit): unknown
r11 (state): unknown
```

```
$0x0, %r11
mov
        $0xfffffffffffffff, %r12
mov
        $0x0, %rax
cmpl
jе
        no_call Depends on rflags
        %r12, %r11
                     Depends on rflags
 CMOVE
        %r11, %rcx
or
callq *%rcx
.no call:
target:
```

```
: Non-speculative execution
: Speculative execution
```



```
state = 0;
poison = -1;
if (condition) {
    state = (!condition) ? poison : state;
    fptr |= state;
    fptr();
}
...
target:
...
```

## 💠 Register State

```
r12 (poison): -1
rax (condition): unknown
rflags: unknown
r11 (state): unknown
rcx (fptr): unknown
```

```
$0x0, %r11
mov
        $0xffffffffffffffff, %r12
mov
cmpl
        $0x0, %rax
ie
        no_call Depends on rflags
        %r12, %r11 Depends on rflags
cmove
        %r11, %rcx
                     Depends on r11
or
callq
       *%rcx
.no call:
target:
```





```
state = 0;
poison = -1;
if (condition) {
    state = (!condition) ? poison : state;
    fptr |= state;
    fptr();
}
...
target:
...
```

### **\$** Register State

```
r12 (poison): -1
rax (condition): unknown
rflags: unknown
rfl (state): unknown
rcx (fptr): unknown
```

```
$0x0, %r11
mov
        $0xffffffffffffffff, %r12
mov
cmpl
        $0x0, %rax
        no call Depends on rflags
ie
        %r12, %r11
                    Depends on rflags
cmove
or
        %r11, %rcx Depends on r11
 callq
        *%rcx
.no call:
target:
```



ACM CCS 2024



```
state = 0;
poison = -1;
if (condition) {
  state = (!condition) ? poison : state;
  fptr |= state;
  fptr();
}
...
target:
...
```

```
Register State

r12 (poison): -1

rax (condition): 0

rflags: resolved
```

```
mov $0x0, %r11
mov $0xfffffffffffffffff, %r12
cmpl $0x0, %rax
je no_call
cmove %r12, %r11
or %r11, %rcx
callq *%rcx
.no_call:
...
```



ACM CCS 2024



target:

```
state = 0;
poison = -1;
if (condition) {
   state = (!condition) ? poison : state;
   fptr |= state;
   fptr();
}
...
target:
...
```

## 💠 Register State

```
r12 (poison): -1
rax (condition): 0
rflags: resolved
```

```
mov $0x0, %r11
mov $0xffffffffffffff, %r12
cmpl $0x0, %rax
je no_call
cmove %r12, %r11
or %r11, %rcx
callq *%rcx
.no_call:
...
```

target:





```
state = 0;
poison = -1;
if (condition) {
   state = (!condition) ? poison : state;
   fptr |= state;
   fptr();
}
```

```
target:
```

### Register State

```
r12 (poison): -1
rax (condition): 0
rflags: resolved
```

```
target:
```





## Eclipse Design – SMAC Instruction Identification

## 60 Eclipse Design – Identifying SMAC Indirect Branches

- Iterate each instruction in a function
- When encountering an indirect branch:
  - ▶ Remove block from the function's Control-flow Graph (CFG)
  - ▶ Is the CFG still fully connected?
    - If yes, classify the indirect branch as SMAC



## Eclipse Design – SMAC Instruction Identification

## 60 Eclipse Design – Identifying SMAC Indirect Branches

- Iterate each instruction in a function
- When encountering an indirect branch:
  - ▶ Remove block from the function's Control-flow Graph (CFG)
  - ▶ Is the CFG still fully connected?
    - If yes, classify the indirect branch as SMAC

# **the Identifying Preceding Conditional Branches**

- Reiterate the CFG backwards, starting from each block containing a SMAC indirect branch
  - ▶ Keep track of all encountered conditional branches







## Register Initialization

Initialize a state and a poison register ightarrow 0 and -1, respectively





## Register Initialization

Initialize a state and a poison register  $\rightarrow$  0 and -1, respectively

#### **Capturing Data Dependencies**

For each tracked conditional branch, inject a conditional move instruction at each edge

- Taken edge → opposite conditional code
- Not-taken edge → same conditional code





## Register Initialization

Initialize a state and a poison register ightarrow 0 and -1, respectively

## **Capturing Data Dependencies**

For each tracked conditional branch, inject a conditional move instruction at each edge

- Taken edge → opposite conditional code
- ullet Not-taken edge o same conditional code

#### **Linking Data Dependencies**

Before each SMAC indirect branch, inject an or instruction

- Source operand → state register
- Destination operand ightarrow register used by indirect branch





## Speculative Probing<sup>1</sup>

An SMA attack that can bypass certain information-hiding-based memory-error mitigations (e.g., (K)ASLR, XOM, etc.)



<sup>&</sup>lt;sup>1</sup>Speculative Probing: Hacking Blind in the Spectre Era. Göktas, et al., CCS 2020.

<sup>&</sup>lt;sup>2</sup> PACMAN: Attacking ARM Pointer Authentication with Speculative Execution. Ravichandran et al., ISCA 2022.

<sup>&</sup>lt;sup>3</sup> Bypassing memory safety mechanisms through speculative control flow hijacks. Mambretti et al., EuroS&P 2021. Eclipse

## Speculative Probing<sup>1</sup>

An SMA attack that can bypass certain information-hiding-based memory-error mitigations (e.g., (K)ASLR, XOM, etc.)

#### PACMAN<sup>2</sup>

An SMA attack that can be used to bypass ARM's Pointer Authentication



<sup>&</sup>lt;sup>1</sup>Speculative Probing: Hacking Blind in the Spectre Era. Göktas, et al., CCS 2020.

<sup>&</sup>lt;sup>2</sup> PACMAN: Attacking ARM Pointer Authentication with Speculative Execution. Ravichandran et al., ISCA 2022.

<sup>&</sup>lt;sup>3</sup> Bypassing memory safety mechanisms through speculative control flow hijacks. Mambretti et al., EuroS&P 2021. Eclipse

## Speculative Probing<sup>1</sup>

An SMA attack that can bypass certain information-hiding-based memory-error mitigations (e.g., (K)ASLR, XOM, etc.)

#### PACMAN<sup>2</sup>

An SMA attack that can be used to bypass ARM's Pointer Authentication

#### **SPEAR**<sup>3</sup>

Demonstrates how SMA attacks can be used to bypass several hardening schemes (e.g., LLVM's SSP, GCC's VTV, etc.)

Eclipse



<sup>&</sup>lt;sup>1</sup>Speculative Probing: Hacking Blind in the Spectre Era. Göktas, et al., CCS 2020.

<sup>&</sup>lt;sup>2</sup>PACMAN: Attacking ARM Pointer Authentication with Speculative Execution. Ravichandran et al., ISCA 2022.

<sup>3</sup>Bypassing memory safety mechanisms through speculative control flow hijacks. Mambretti et al., EuroS&P 2021.

neophytos christou@brown.edu (Brown University)

# Speculative Probing<sup>1</sup>

An SMA attack that can bypass certain information-hiding-based

mem Common Pattern

An S

Attacker architecturally corrupts memory, then causes a SMAC instruction to be speculatively executed

Dem

schemes (e.g., LLVM's SSP, GCC's VTV, etc.)



<sup>&</sup>lt;sup>1</sup>Speculative Probing: Hacking Blind in the Spectre Era. Göktas, et al., CCS 2020.

<sup>&</sup>lt;sup>2</sup> PACMAN: Attacking ARM Pointer Authentication with Speculative Execution. Ravichandran et al., ISCA 2022.

<sup>&</sup>lt;sup>3</sup> Bypassing memory safety mechanisms through speculative control flow hijacks. Mambretti et al., EuroS&P 2021. Eclipse

## **Generalizing Eclipse**

Eclipse is not tied to any particular architecture or SMA attack



<sup>&</sup>lt;sup>1</sup>PACMAN: Attacking ARM Pointer Authentication with Speculative Execution. Ravichandran et al., ISCA 2022.

## **Generalizing** Eclipse

Eclipse is not tied to any particular architecture or SMA attack

#### Other Architectures

- Eclipse can be applied to any architecture that provides instructions for *capturing* and *linking* data dependencies
  - ► e.g., Eclipse can be applied against SP on ARM using the csetm (capturing) and orr instructions (linking)



# **Generalizing** Eclipse

Eclipse is not tied to any particular architecture or SMA attack

#### Other Architectures

- Eclipse can be applied to any architecture that provides instructions for *capturing* and *linking* data dependencies
  - e.g., Eclipse can be applied against SP on ARM using the csetm (capturing) and orr instructions (linking)

#### Other SMA Attacks

- 👽 Eclipse can be deployed against any SMA attack
  - ▶ Data dependencies will be linked onto different SMAC instructions
- lacksquare Deployed Eclipse against the ARM-specific PACMAN<sup>1</sup> attack
  - ► SMAC are ARM PA authentication instructions (e.g., autia)

Eclipse



Alternative Mitigations



#### **Alternative Mitigations**

- ► Eclipse-lfence: Eclipse variant which mitigates SP by injecting serializing instructions (i.e., lfence) before SMAC indirect branches
  - ▶ Not out-of-the-box! Relies on Eclipse to identify SMAC instructions



#### **Alternative Mitigations**

- ► Eclipse-lfence: Eclipse variant which mitigates SP by injecting serializing instructions (i.e., lfence) before SMAC indirect branches
  - ▶ Not out-of-the-box! Relies on Eclipse to identify SMAC instructions
- ▶ Speculative Load Hardening (SLH): Out-of-the-box mitigation against Spectre-PHT, also prevents SP
  - ▶ More generic mitigation, hardens all load instructions in a function



## **Userland Performance: SPEC CPU 2017**

| Benchmark       | Eclipse | Eclipse-lfence | SLH     |
|-----------------|---------|----------------|---------|
| 600.perlbench_s | 4.31%   | 4.26%          | 50.82%  |
| 602.gcc_s       | 0.74%   | 0.76%          | 49.74%  |
| 605.mcf_s       | 6.52%   | 26.73%         | 58.59%  |
| 619.1bm_s       | 0.42%   | 0.35%          | 2.62%   |
| 620.omnetpp_s   | 9.05%   | 22.94%         | 33.49%  |
| 623.xalancbmk_s | 8.49%   | 11.69%         | 154.36% |
| 625.x264_s      | 3.85%   | 10.67%         | 26.58%  |
| 631.deepsjeng_s | 0.23%   | 0.19%          | 31.49%  |
| 638.imagick_s   | 9.53%   | ≈0%            | 97.74%  |
| 641.leela_s     | 1.21%   | 1.23%          | 20.03%  |
| 644.nab_s       | 0.29%   | 0.72%          | 31.36%  |
| 657.xz_s        | ≈0%     | 0.13%          | 54.26%  |



## **Userland Performance: SPEC CPU 2017**

| Benchmark       | Eclipse | Eclipse-lfence | SLH     |
|-----------------|---------|----------------|---------|
| 600.perlbench_s | 4.31%   | 4.26%          | 50.82%  |
| 602.gcc_s       | 0.74%   | 0.76%          | 49.74%  |
| 605.mcf_s       | 6.52%   | 26.73%         | 58.59%  |
| 619.1bm_s       | 0.42%   | 0.35%          | 2.62%   |
| 620.omnetpp_s   | 9.05%   | 22.94%         | 33.49%  |
| 623.xalancbmk_s | 8.49%   | 11.69%         | 154.36% |
| 625.x264_s      | 3.85%   | 10.67%         | 26.58%  |
| 631.deepsjeng_s | 0.23%   | 0.19%          | 31.49%  |
| 638.imagick_s   | 9.53%   | ≈0%            | 97.74%  |
| 641.leela_s     | 1.21%   | 1.23%          | 20.03%  |
| 644.nab_s       | 0.29%   | 0.72%          | 31.36%  |
| 657.xz_s        | ≈0%     | 0.13%          | 54.26%  |

► Eclipse outperforms alternative approaches, incurring up to 9.53% overhead



| Application   | Eclipse | Eclipse-lfence | SLH    |
|---------------|---------|----------------|--------|
| SQLite        | 8.61%   | 12.72%         | 55.11% |
| Redis (GET/s) | ≈0%     | 0.17%          | 3.20%  |
| Redis (SET/s) | ≈0%     | 0.17%          | 3.20%  |
| Nginx (1KB)   | 1.00%   | 0.67%          | 2.00%  |
| Nginx (100KB) | 0.65%   | 0.10%          | 3.73%  |
| Nginx (1MB)   | 0.36%   | 0.78%          | 3.52%  |
| MariaDB       | 0.42%   | 1.60%          | 10.16% |



## **Userland Performance: Real-world Applications**

| Application   | Eclipse      | Eclipse-lfence | SLH    |
|---------------|--------------|----------------|--------|
| SQLite        | 8.61%        | 12.72%         | 55.11% |
| Redis (GET/s) | ≈0%          | 0.17%          | 3.20%  |
| Redis (SET/s) | $\approx$ 0% | 0.17%          | 3.20%  |
| Nginx (1KB)   | 1.00%        | 0.67%          | 2.00%  |
| Nginx (100KB) | 0.65%        | 0.10%          | 3.73%  |
| Nginx (1MB)   | 0.36%        | 0.78%          | 3.52%  |
| MariaDB       | 0.42%        | 1.60%          | 10.16% |

 $\blacktriangleright$  Eclipse incurs up to 8.61% overhead in real-world applications



#### **Kernel Performance**

- LMBench kernel microbenchmarks
  - ► ≈0%–7.95% latency overhead
  - ► < 3.04% bandwidth degradation
- Phoronix Test Suite macrobenchmarks
  - ▶ Negligible overhead (< 2%) on various benchmarks (Nginx, MariaDB, TensorFlow, Linux kernel build, OpenSSL, Glibc)



## **Security Evaluation**



<sup>&</sup>lt;sup>1</sup>Speculative Probing: Hacking Blind in the Spectre Era. Göktas, et al., CCS 2020.

 $<sup>{}^2\</sup>textit{PACMAN: Attacking ARM Pointer Authentication with Speculative Execution.} \ \ \text{Ravichandran et al., ISCA 2022}.$ 

# **Security Evaluation**

#### x86-64

- Applied Eclipse to the Linux kernel
- $\checkmark$  Demonstrated that Eclipse blocks the original Speculative Probing (SP) $^1$  attack that de-randomizes KASLR



<sup>&</sup>lt;sup>1</sup>Speculative Probing: Hacking Blind in the Spectre Era. Göktas, et al., CCS 2020.

<sup>&</sup>lt;sup>2</sup> PACMAN: Attacking ARM Pointer Authentication with Speculative Execution. Ravichandran et al., ISCA 2022.

# **Security Evaluation**

#### x86-64

- Applied Eclipse to the Linux kernel
- $\checkmark$  Demonstrated that Eclipse blocks the original Speculative Probing (SP)<sup>1</sup> attack that de-randomizes KASLR

#### **ARM**

- Applied Eclipse against original PACMAN<sup>2</sup> attack
- Deployed Eclipse on a proof-of-concept userland SP attack on ARM
- ✓ Demonstrated that Eclipse stops both PACMAN and SP on ARM



<sup>&</sup>lt;sup>1</sup>Speculative Probing: Hacking Blind in the Spectre Era. Göktas, et al., CCS 2020.

<sup>&</sup>lt;sup>2</sup>PACMAN: Attacking ARM Pointer Authentication with Speculative Execution. Ravichandran et al., ISCA 2022.

#### **Conclusion**

- $lackbox{$lackbox{$\Gamma$}$}$  Eclipse: compiler-assisted mitigation against SMA attacks
  - Introduce artificial data dependencies to prevent SMAC instructions from using attacker-controlled data during speculative execution



#### **Conclusion**

- ₱ Eclipse: compiler-assisted mitigation against SMA attacks
  - Introduce artificial data dependencies to prevent SMAC instructions from using attacker-controlled data during speculative execution
- Evaluated security effectiveness and performance overhead
  - ✓ Sucessfully prevents SMA attacks such as SP and PACMAN
  - ✓ Real-world applications  $\rightarrow$  up to  $\approx$ 8.6% overhead
  - ✓ Linux kernel → negligible overhead



#### **Conclusion**

- ▼ Eclipse: compiler-assisted mitigation against SMA attacks
  - Introduce artificial data dependencies to prevent SMAC instructions from using attacker-controlled data during speculative execution
- Evaluated security effectiveness and performance overhead
  - ✓ Sucessfully prevents SMA attacks such as SP and PACMAN
  - **✓** Real-world applications  $\rightarrow$  up to  $\approx$ 8.6% overhead
  - ✓ Linux kernel → negligible overhead
- ★ https://gitlab.com/brown-ssl/eclipse/





▶ Optimization technique in modern CPUs



# **\$** Speculative Execution

- ▶ Optimization technique in modern CPUs
  - lackbox Control-flow target not resolved yet ightarrow predict outcome of control-flow



## **\$** Speculative Execution

- Optimization technique in modern CPUs
  - lacktriangle Control-flow target not resolved yet ightarrow predict outcome of control-flow
    - $\bullet \ \ \mathsf{Correct} \ \mathsf{prediction} \ \to \ \mathsf{gained} \ \mathsf{cycles}$



## **Ф**<sup>o</sup> Speculative Execution

- Optimization technique in modern CPUs
  - ightharpoonup Control-flow target not resolved yet ightharpoonup predict outcome of control-flow
    - $\bullet \ \, \mathsf{Correct} \,\, \mathsf{prediction} \, \to \mathsf{gained} \,\, \mathsf{cycles}$
    - Wrong prediction → architectural state (e.g., registers) is rolled back, but leaves traces on micro-architectural buffers (e.g., cache)



# **\$** Speculative Execution

- Optimization technique in modern CPUs
  - lackbox Control-flow target not resolved yet ightarrow predict outcome of control-flow
    - Correct prediction  $\rightarrow$  gained cycles
    - Wrong prediction → architectural state (e.g., registers) is rolled back, but leaves traces on micro-architectural buffers (e.g., cache)

# **Spectre Attacks**

Take advantage of speculative execution to leak sensitive program data:

# **\$** Speculative Execution

- Optimization technique in modern CPUs
  - lackbox Control-flow target not resolved yet ightarrow predict outcome of control-flow
    - ullet Correct prediction o gained cycles
    - Wrong prediction  $\rightarrow$  architectural state (e.g., registers) is rolled back, but leaves traces on micro-architectural buffers (e.g., cache)

# Spectre Attacks

Take advantage of speculative execution to leak sensitive program data:

1. Mistrain or tamper-with a CPU predictor

# **‡**<sup>a</sup> <sup>a</sup> Speculative Execution

- Optimization technique in modern CPUs
  - lackbox Control-flow target not resolved yet ightarrow predict outcome of control-flow
    - ullet Correct prediction o gained cycles
    - Wrong prediction  $\rightarrow$  architectural state (e.g., registers) is rolled back, but leaves traces on micro-architectural buffers (e.g., cache)

# Spectre Attacks

Take advantage of speculative execution to leak sensitive program data:

- 1. Mistrain or tamper-with a CPU predictor
- 2. Speculatively execute attacker-chosen code that accesses secret data
  - ▶ Prediction was wrong, roll back  $\rightarrow$  data remains in micro-architectural buffers (e.g., cache)

# **\$** Speculative Execution

- Optimization technique in modern CPUs
  - ightharpoonup Control-flow target not resolved yet ightharpoonup predict outcome of control-flow
    - Correct prediction  $\rightarrow$  gained cycles
    - Wrong prediction → architectural state (e.g., registers) is rolled back, but leaves traces on micro-architectural buffers (e.g., cache)

# **Spectre Attacks**

Take advantage of speculative execution to leak sensitive program data:

- 1. Mistrain or tamper-with a CPU predictor
- 2. Speculatively execute attacker-chosen code that accesses secret data
  - ightharpoonup Prediction was wrong, roll back ightharpoonup data remains in micro-architectural buffers (e.g., cache)
- 3. Extract data using a micro-architectural side channel

## **Speculative Probing Attacks**

- The vulnerable program contains:
  - ► A bug which allows an attacker to arbitrarily corrupt memory
  - ► A code pointer that is dereferenced conditionally

```
if (condition) { fptr(); }
```



### **Speculative Probing Attacks**

- The vulnerable program contains:
  - ► A bug which allows an attacker to arbitrarily corrupt memory
  - ► A code pointer that is dereferenced conditionally

```
if (condition) { fptr(); }
```

 The attacker can control both the code pointer and the conditional branch



### **Speculative Probing Attacks**

- The vulnerable program contains:
  - ► A bug which allows an attacker to arbitrarily corrupt memory
  - ► A code pointer that is dereferenced conditionally

```
if (condition) { fptr(); }
```

- The attacker can control both the code pointer and the conditional branch
- Attacker's goal is to bypass memory corruption mitigations and carry out an end-to-end exploit
  - Achieves this by combining the memory corruption with Spectre-like primitives

# Eclipse Approach: Artificial Data Dependencies

- CPUs do not speculatively execute instructions if they rely on unresolved data dependencies
  - ▶ Only the outcomes of control-flow instructions will be speculated



# Eclipse Approach: Artificial Data Dependencies

- CPUs do not speculatively execute instructions if they rely on unresolved data dependencies
  - ▶ Only the outcomes of control-flow instructions will be speculated
- Introduce artificial data dependencies
  - ▶ Prevent CPU from *speculatively* dereferencing code pointers



# Eclipse Approach: Artificial Data Dependencies

- CPUs do not speculatively execute instructions if they rely on unresolved data dependencies
  - Only the outcomes of control-flow instructions will be speculated
- Introduce artificial data dependencies
  - Prevent CPU from speculatively dereferencing code pointers
- Speculative execution was caused because the conditional branch had an unresolved data dependency
  - ► Make value of code pointer dependent on the same data
  - lackbox Force CPU to wait until data dependency is resolved ightarrow speculation stops

## **Conditional Moves: Common Data Dependency**

- Speculative execution was caused because of the unresolved value of the rflags register
  - ► Implicitly read by conditional branches to determine whether or not the branch should be taken



## **Conditional Moves: Common Data Dependency**

- Speculative execution was caused because of the unresolved value of the rflags register
  - ► Implicitly read by conditional branches to determine whether or not the branch should be taken
- The x86 conditional move instruction also reads the rflags register
  - ▶ Determine whether or not the move should be performed
  - ► e.g., cmove %reg1, %reg2



### **Conditional Moves: Common Data Dependency**

- Speculative execution was caused because of the unresolved value of the rflags register
  - ► Implicitly read by conditional branches to determine whether or not the branch should be taken
- The x86 conditional move instruction also reads the rflags register
  - ▶ Determine whether or not the move should be performed
  - ► e.g., cmove %reg1, %reg2
- Conditional moves are the main building block of our mitigation



```
$0x0, %r11
                                                   mov
state = 0: /* Whu 0? */
                                                           $0xffffffffffffffff, %r12
                                                   mov
poison = -1:
                                                   cmpl
                                                          $0x0, %rax
if (condition) {
                                                         no_call
                                                   ie
  state = (!condition) ? poison : state;
                                                   cmove %r12, %r11
 fptr |= state;
                                                          %r11. %rcx
                                                   or
 fptr();
                                                   callq *%rcx
                                                   .no call:
target:
                                                   target:
```







```
$0x0, %r11
                                                       mov
state = 0; /* Why 0? */
                                                              $0xfffffffffffffff, %r12
poison = -1:
                                                              $0x0, %rax
                                                      cmpl
if (condition) {
                                                      ie
                                                             no_call
  state = (!condition) ? poison : state;
                                                             %r12, %r11
                                                      cmove
 fptr |= state;
                                                             %r11. %rcx
                                                      or
 fptr();
                                                      callq *%rcx
                                                      .no_call:
target:
                                                      target:
```

```
r11 (state): 0
r12 (poison): -1
```





```
state = 0; /* Why 0? */
poison = -1;
if (condition) {
  state = (!condition) ? poison : state;
  fptr |= state;
  fptr();
}
...
target:
...
```

```
Register State

r11 (state): 0

r12 (poison): -1

rax (condition): 1

rflags: resolved
```





```
state = 0; /* Why 0? */
poison = -1;
if (condition) {
  state = (!condition) ? poison : state;
  fptr |= state;
  fptr();
}
...
target:
...
```

```
♥ Register State
```

```
ri1 (state): 0
ri2 (poison): -1
rax (condition): 1
rflags: resolved
```

```
mov $0x0, %r11
mov $0xfffffffffffffffff, %r12
cmpl $0x0, %rax
je no_call
cmove %r12, %r11
or %r11, %rcx
callq *%rcx
.no_call:
...
target:
```





```
state = 0; /* Why 0? */
poison = -1;
if (condition) {
    state = (!condition) ? poison : state;
    fptr |= state;
    fptr();
}
...
target:
...
```

\$0xffffffffffffffff, %r12

\$0x0, %r11

mov

mov

```
"Register State

r12 (poison): -1
rax (condition): 1
rflags: resolved
r11 (state): 0
```





```
state = 0; /* Why 0? */
poison = -1;
if (condition) {
   state = (!condition) ? poison : state;
   fptr |= state;
   fptr();
}
...
target:
...
```

```
💠 Register State
```

```
r12 (poison): -1
rax (condition): 1
rflags: resolved
r11 (state): 0
rcx (fptr): target
```

```
mov $0x0, %r11
mov $0xfffffffffffffff, %r12
cmpl $0x0, %rax
je no_call
cmove %r12, %r11
or %r11, %rex
callq *%rex
.no_call:
...
target:
```





```
state = 0; /* Why 0? */
poison = -1;
if (condition) {
   state = (!condition) ? poison : state;
   fptr |= state;
   fptr();
}
...
target:
...
```

```
Ф<sup>o</sup> Register State
```

```
r12 (poison): -1
rax (condition): 1
rflags: resolved
r11 (state): 0
rcx (fptr): target
```

```
mov $0x0, %r11
mov $0xfffffffffffffff, %r12
cmpl $0x0, %rax
je no_call
cmove %r12, %r11
or %r11, %rcx
callq *%rcx
...
target:
```





```
state = 0; /* Why O? */
poison = -1;
if (condition) {
   state = (!condition) ? poison : state;
   fptr |= state;
   fptr();
}
```

```
mov $0x0, %r11
mov $0xfffffffffffffff, %r12
cmpl $0x0, %rax
je no_call
cmove %r12, %r11
or %r11, %rcx
callq *%rcx
.no_call:
```

target:

```
target:
```

```
💠 Register State
```

```
r12 (poison): -1
rax (condition): 1
rflags: resolved
r11 (state): 0
rcx (fptr): target
```

```
: Non-speculative execution : Speculative execution
```



```
$0x0, %r11
                                                   mov
state = 0;
                                                         $0xffffffffffffffff, %r12
                                                   mov
poison = -1; /* Why -1? */
                                                   cmpl
                                                         $0x0, %rax
if (condition) {
                                                   je no_call
  state = (!condition) ? poison : state;
                                                   cmove %r12, %r11
 fptr |= state;
                                                         %r11, %rcx
                                                   or
 fptr():
                                                   callq *%rcx
                                                   .no call:
target:
                                                   target:
```







```
state = 0;
poison = -1; /* Why -1? */
if (condition) {
  state = (!condition) ? poison : state;
  fptr |= state;
  fptr();
}
...
target:
...
```

```
Register State

r11 (state): 0
r12 (poison): -1
```

```
mov $0x0, %r11

mov $0xffffffffffffff, %r12

cmpl $0x0, %rax
je no_call

cmove %r12, %r11

or %r11, %rcx

callq *%rcx
.no_call:
...

target:
```





```
state = 0;
poison = -1; /* Why -1? */
if (condition) {
   state = (!condition) ? poison : state;
   fptr |= state;
   fptr();
}
...

target:
...
```

```
Register State

r11 (state): 0

r12 (poison): -1

rax (condition): unknown

rflags: unknown
```

```
mov $0x0, %r11
mov $0xfffffffffffffff, %r12
cmpl $0x0, %rax
je no_call
cmove %r12, %r11
or %r11, %rcx
callq *%rcx
.no_call:
...
target:
```





```
state = 0;
poison = -1; /* Why -1? */
if (condition) {
   state = (!condition) ? poison : state;
   fptr |= state;
   fptr();
}
...
target:
...
```

```
Register State

r11 (state): 0

r12 (poison): -1

rax (condition): unknown

rflags: unknown
```

```
mov $0x0, %r11
mov $0xffffffffffffff, %r12
cmpl $0x0, %rax
je no_call
cmove %r12, %r11
or %r11, %rcx
callq *%rcx
.no_call:
...
target:
```





```
state = 0;
poison = -1; /* Why -1? */
if (condition) {
   state = (!condition) ? poison : state;
   fptr |= state;
   fptr();
}
...
target:
...
```

```
💠 Register State
```

```
r12 (poison): -1
rax (condition): unknown
rflags: unknown
r11 (state): unknown
```

```
mov $0x0, %r11
mov $0xffffffffffffff, %r12
cmpl $0x0, %rax
je no_call
cmove %r12, %r11
or %r11, %rcx
callq *%rcx
.no_call:
....
```





```
state = 0;
poison = -1; /* Why -1? */
if (condition) {
   state = (!condition) ? poison : state;
   fptr |= state;
   fptr();
}
...
target:
...
```

```
Register State

r12 (poison): -1
r11 (state): unknown
rflags: unknown
rax (condition): 0
```

```
mov $0x0, %r11
mov $0xffffffffffffff, %r12
cmpl $0x0, %rax
je no_call
cmove %r12, %r11
or %r11, %rcx
callq *%rcx
.no_call:
...
target:
```





```
state = 0;
poison = -1; /* Why -1? */
if (condition) {
  state = (lcondition) ? poison : state;
  fptr |= state;
  fptr();
}
...

target:
...
```

```
mov $0xffffffffffffff, %r12
cmpl $0x0, %rax
je no_call
cmove %r12, %r11
or %r11, %rcx
callq *%rcx
.no_call:
...

target:
...
```

\$0x0, %r11

mov

```
Register State

r12 (poison): -1
rax (condition): 0
rflags: resolved
```





```
state = 0;
poison = -1; /* Why -1? */
if (condition) {
   state = (!condition) ? poison : state;
   fptr |= state;
   fptr();
}
...
target:
...
```

\$0xffffffffffffffff, %r12

\$0x0, %r11

mov

mov

```
r12 (poison): -1
rax (condition): 0
rflags: resolved
r11 (state): -1
```





```
state = 0;
poison = -1; /* Why -1? */
if (condition) {
   state = (!condition) ? poison : state;
   fptr |= state;
   fptr();
}
...
target:
...
```

```
**Register State

r12 (poison): -1
rax (condition): 0
rflags: resolved
r11 (state): -1
rex (fptr): -1
```

```
mov $0x0, %r11
mov $0xfffffffffffffff, %r12
cmpl $0x0, %rax
je no_call
cmove %r12, %r11
or %r11, %rcx
callq *%rcx
.no_call:
...
```





```
state = 0;
poison = -1; /* Why -1? */
if (condition) {
   state = (!condition) ? poison : state;
   fptr |= state;
   fptr();
}
...
```

```
Register State

r12 (poison): -1
rax (condition): 0
rflags: resolved
```

r11 (state): -1 rcx (fptr): -1





```
state = 0;
poison = -1; /* Why -1? */
if (condition) {
   state = (!condition) ? poison : state;
   fptr |= state;
   fptr();
}
...

target:
...
```

```
mov $0xffffffffffffff, %r12
cmpl $0x0, %rax
je no_call
cmove %r12, %r11
or %r11, %rcx
callq *%rcx
.no_call:
...

target:
```

\$0x0, %r11

mov

```
Contract Register State
```

```
r12 (poison): -1
rax (condition): 0
rflags: resolved
```

```
: Non-speculative execution : Speculative execution
```



```
poison = -1; /* Why -1? */
if (condition) {
    state = (!condition) ? poison : state;
    fptr |= state;
    fptr();
}
...
target:
...
```

state = 0;

\$0xffffffffffffffff, %r12

\$0x0, %r11

mov

mov

```
Register State
```

```
r12 (poison): -1
rax (condition): 0
rflags: resolved
```





### Why Poison the Branch Target?

- The data dependency we introduce delays the execution of the indirect branch until rflags is resolved
  - ▶ Poisoning seems redundant since when rflags is resolved, the target of conditional branch becomes known



### Why Poison the Branch Target?

- The data dependency we introduce delays the execution of the indirect branch until rflags is resolved
  - ► Poisoning seems redundant since when rflags is resolved, the target of conditional branch becomes known
- However, the ordering of the instructions is not guaranteed
  - ► When rflags is resolved, the conditional move and the indirect branch may execute before the conditional branch
  - Corrupted pointer may still be dereferenced



### Why Poison the Branch Target?

- The data dependency we introduce delays the execution of the indirect branch until rflags is resolved
  - ▶ Poisoning seems redundant since when rflags is resolved, the target of conditional branch becomes known
- However, the ordering of the instructions is not guaranteed
  - ► When rflags is resolved, the conditional move and the indirect branch may execute before the conditional branch
  - Corrupted pointer may still be dereferenced
- Poisoning the pointer guarantees it will dereference a bad address



- Reduce the effectiveness of side-channels
  - $\,\blacktriangleright\,$  Prevent speculative execution from leaving traces in cache



- Reduce the effectiveness of side-channels
  - ▶ Prevent speculative execution from leaving traces in cache
- Prevent speculative execution
  - ► LFENCEs, Retpolines, ...



- Reduce the effectiveness of side-channels
  - ▶ Prevent speculative execution from leaving traces in cache
- Prevent speculative execution
  - ► LFENCEs, Retpolines, ...
- Prevent predictor poisoning
  - ► Indirect Branch Restricted Speculation (IBRS), Single Thread Indirect Branch Prediction (STIBP), ...



- Reduce the effectiveness of side-channels
  - ▶ Prevent speculative execution from leaving traces in cache
- Prevent speculative execution
  - ► LFENCEs, Retpolines, ...
- Prevent predictor poisoning
  - ► Indirect Branch Restricted Speculation (IBRS), Single Thread Indirect Branch Prediction (STIBP), ...
- Prevent access to secret data during speculative execution
  - ► Isolate secret data to protected regions



# Memory corruption & mitigations

 $\bullet$  Attacker  $\mathit{corrupts}$  memory  $\to$  takes control over the control-flow of the program



- $\bullet$  Attacker corrupts memory  $\to$  takes control over the control-flow of the program
- Mitigations:



- ullet Attacker corrupts memory o takes control over the control-flow of the program
- Mitigations:
  - ► Address space layout randomization
    - Randomizes the address where various memory segments are loaded



- ullet Attacker corrupts memory o takes control over the control-flow of the program
- Mitigations:
  - Address space layout randomization
    - Randomizes the address where various memory segments are loaded
  - Control flow integrity
    - Verifies that control flow is only transferred to valid targets



- ullet Attacker corrupts memory o takes control over the control-flow of the program
- Mitigations:
  - ► Address space layout randomization
    - Randomizes the address where various memory segments are loaded
  - ► Control flow integrity
    - Verifies that control flow is only transferred to valid targets
  - ► Stack canaries, Non-executable memory, ...



• Spectre mitigations are ineffective



- Spectre mitigations are ineffective
  - lackbox Does not use out-of-bounds values to exploit Spectre v1



- Spectre mitigations are ineffective
  - Does not use out-of-bounds values to exploit Spectre v1
  - ► Does not rely on indirect branch mispredictions (Spectre v2) since the pointer is already architecturally corrupted



- Spectre mitigations are ineffective
  - Does not use out-of-bounds values to exploit Spectre v1
  - Does not rely on indirect branch mispredictions (Spectre v2) since the pointer is already architecturally corrupted
- Other strong defenses also bypassed



- Spectre mitigations are ineffective
  - ▶ Does not use out-of-bounds values to exploit Spectre v1
  - Does not rely on indirect branch mispredictions (Spectre v2) since the pointer is already architecturally corrupted
- Other strong defenses also bypassed
  - ► (K)ASLR even fine grained bypassed with speculative probing



### **Spectre attacks details** — **Training phase**

#### Victim:

```
void foo(int idx)
{
    char array1[5];
    char array2[256]; // Att. controled
    /* ... */
    if (idx < array1_len) {
        x = array2[array1[idx]];
    }
}</pre>
```

#### Attacker:

```
foo(1);
foo(1);
foo(1);
foo(1);
// Predictor is now trained
// to take the branch
// array1[1235] will be
// speculatively fetched
foo(1235);
```



• Different variants depending on which CPU predictor they mistrain



- Different variants depending on which CPU predictor they mistrain
- Spectre-v1 (aka Spectre-BCB)
  - ► Mistrain conditional branch, access out-of-bounds data

```
if (x < array1_size)
    y = array2[array1[x] * 4096];</pre>
```



- Different variants depending on which CPU predictor they mistrain
- Spectre-v1 (aka Spectre-BCB)
  - ► Mistrain conditional branch, access out-of-bounds data

```
if (x < array1_size)
    y = array2[array1[x] * 4096];</pre>
```

- Spectre-v2 (aka Spectre-BTB)
  - Mistrain Branch Target Buffer, indirect call executes attacker-controlled target



- Different variants depending on which CPU predictor they mistrain
- Spectre-v1 (aka Spectre-BCB)
  - ► Mistrain conditional branch, access out-of-bounds data

```
if (x < array1_size)
    y = array2[array1[x] * 4096];</pre>
```

- Spectre-v2 (aka Spectre-BTB)
  - Mistrain Branch Target Buffer, indirect call executes attacker-controlled target
- Spectre-RSB (aka ret2spec), Spectre-STL, ...



# Spectre attacks details — Speculative execution phase



# Spectre attacks details — Exfiltration phase

Attacker times cache accesses to deduce value of secret byte



#### **Prevent Side channels and transient execution**

- Speculative execution does not influence the cache/TLB etc.
- Hold speculatively accessed data in separate cache
- Prevent speculatively cached data from being accessed
- Reduce the accuracy of timing mechanisms
- Limit sharing of CPU prediction units between users/cores/security domains
- Mask out-of-bounds array indices



### Side channels — Common techniques

- Cache side channels
  - ► Prime+Probe: Attacker fills cache, victim accesses secret and evicts some value from cache, attacker times for cache misses
  - ► Flush+Reload: Attacker cleans cache, victim accesses shared data, attacker times for cache hits
- Timing of other CPU components
  - AVX2 Units power-on timings
  - ► Memory buses



# Speculative probing — Gadget probing





# **Speculative probing** — Data region probing





# **Speculative probing** — Object probing





## **Speculative probing** — **Spectre gadget probing**





# Speculative probing — Memory corruption

- Vulnerability: Heap buffer overflow in Linux kernel
- Can corrupt a struct that:
  - ► Contains a function pointer
  - ► Contains data that can influence a conditional branch before the function pointer is derefernced
- Several vulnerabilities with similar primitives were reported



# Speculative probing — Breaking Coarse-grained ASLR

- 1. Use code region probing to discover where kernel image was loaded
- 2. Use data region probing to discover the kernel heap
- 3. Use object probing to locate payload in heap
- 4. Trigger the control-flow hijack non-speculatively to mount a ret2usr attack



## Speculative probing — Data-only attack

- 1. Use code region probing to discover where kernel image was loaded
- 2. Use spectre gadget probing to locate a spectre gadget
- 3. Use the spectre gadget to leak the root password hash from memory
- 4. Crack root password hash



# Speculative probing — Breaking Software-based XoM

- 1. Use code region probing to discover where kernel image was loaded
- 2. Use spectre gadget probing to locate a spectre gadget
- 3. Use the spectre gadget to leak kernel code
- 4. Use data region probing to discover the kernel heap
- 5. Use object probing to locate payload in heap
- 6. Trigger the control-flow hijack non-speculatively to mount a ret2usr attack



## **Speculative probing** — **Exploit time**

- Locating kernel image  $\rightarrow$  0.7s
- Locating kernel heap  $\rightarrow$  49.2s
- Locating ROP payload in heap  $\rightarrow$  67.0s
- Locating a Spectre gadget  $\rightarrow$  76.7s
- ullet Leaking root password hash ightarrow 107.4s
- ullet Leaking entire kernel code ightarrow 56m



#### **SPEAR** attacks — Bypassing stack canaries

- 1. Call target function multiple times to train canary check branch
- Overwrite saved return address with speculative ROP payload, corrupting stack canary
- 3. Evict global canary value to extend speculation window
- 4. Speculatively return to attacker chosen address
- 5. Side-channel to extract accessed data



## SPEAR attacks — Bypassing CFI (GCC-VTV)

GCC Virtual Table Verification looks up target of indirect branch in a table containing valid targets

- 1. Corrupt indirect pointer
- 2. Evict lookup table address from cache to extend speculation window
- 3. Perform indirect call, speculatively transferring control flow to attacker address
- 4. Extract data with side-channel

