Microarchitectural attacks, such as Spectre and Meltdown, are a class of
security threats that affect almost all modern processors. These attacks exploit the side-effects resulting from processor optimizations to leak sensitive information and compromise a system’s security.
Over the years, a large number of hardware and software mechanisms for
preventing microarchitectural leaks have been proposed. Intuitively, more
defensive mechanisms are less efficient, while more permissive mechanisms may offer more performance but require more defensive programming. Unfortunately, there are no
hardware-software contracts that would turn this intuition into a basis for
principled co-design.
In this talk, we present a framework for specifying hardware/software security
contracts, an abstraction that captures a processor’s security guarantees in a
simple, mechanism-independent manner by specifying which program executions a
microarchitectural attacker can distinguish.
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Hardware/software security contracts: Principled foundations for building secure microarchitectures
1. Hardware-software security
contracts
Principled foundations for building secure microarchitectures
1
Marco Guarnieri
IMDEA Software Institute
Contacts:
marco.guarnieri@imdea.org
@MarcoGuarnier1
Based on joint work with
Boris Köpf @ Microsoft Research
Jan Reineke @ Saarland University
José F. Morales, Pepe Vila, Andrés Sánchez @ IMDEA Software Institute
Marco Patrignani @ CISPA
12. ISA: (security) pitfalls
6
High-level language
Microarchitecture
Instruction set architecture (ISA)
Can implement arbitrary insecure
optimizations as long as ISA
semantics are obeyed
No guarantees about timing
and side channels
13. ISA: (security) pitfalls
6
High-level language
Microarchitecture
Instruction set architecture (ISA)
Can implement arbitrary insecure
optimizations as long as ISA
semantics are obeyed
No guarantees about timing
and side channels
14. ISA: (security) pitfalls
6
High-level language
Microarchitecture
Instruction set architecture (ISA)
Can implement arbitrary insecure
optimizations as long as ISA
semantics are obeyed
No guarantees about timing
and side channels
Impossible to program securely
cryptographic algorithms?
sandboxing untrusted code?
15. A Way Forward: HW/SW Security Contracts
7
Succinctly captures
possible information leakage
Hw-Sw contract = ISA + X
16. A Way Forward: HW/SW Security Contracts
7
Can program securely on top contract
independently of microarchitecture
Succinctly captures
possible information leakage
Hw-Sw contract = ISA + X
17. A Way Forward: HW/SW Security Contracts
7
Can program securely on top contract
independently of microarchitecture
Can implement arbitrary insecure optimizations
as long as contract is obeyed
Succinctly captures
possible information leakage
Hw-Sw contract = ISA + X
18. A Way Forward: HW/SW Security Contracts
7
Can program securely on top contract
independently of microarchitecture
Can implement arbitrary insecure optimizations
as long as contract is obeyed
Succinctly captures
possible information leakage
Hw-Sw contract = ISA + X
In this talk
Proof-of-concept of HW/SW contracts
for secure speculation
20. Exploits speculative
execution
Almost all modern CPUs
are affected
P. Kocher, J. Horn, A. Fogh, D. Genkin, D. Gruss, W. Haas, M. Hamburg, M. Lipp, S. Mangard, T. Prescher, M. Schwarz, Y. Yarom — Spectre Attacks:
Exploiting Speculative Execution — S&P 2019 9
21. if (x < A_size)
y = B[A[x]]
Speculative execution + branch prediction
10
Size of array A
22. if (x < A_size)
y = B[A[x]]
Speculative execution + branch prediction
10
Size of array A
23. if (x < A_size)
y = B[A[x]]
Speculative execution + branch prediction
10
Size of array A
Branch predictor
24. if (x < A_size)
y = B[A[x]]
Speculative execution + branch prediction
10
Size of array A
Branch predictor
Prediction based on branch
history & program structure
25. if (x < A_size)
y = B[A[x]]
Speculative execution + branch prediction
10
Size of array A
Branch predictor
Prediction based on branch
history & program structure
26. if (x < A_size)
y = B[A[x]]
Speculative execution + branch prediction
10
Size of array A
Branch predictor
Prediction based on branch
history & program structure
Wrong predicton? Rollback changes!
Architectural (ISA) state
Microarchitectural state
31. Spectre 101
void f(int x)
if (x < A_size)
y = B[A[x]]
11
What is in A[128]?
A_size=16
B[0]B[1] ...
B
32. Spectre 101
void f(int x)
if (x < A_size)
y = B[A[x]]
What is in A[128]?
1) Train branch predicto
r
12
A_size=16
B[0]B[1] ...
B
33. Spectre 101
void f(int x)
if (x < A_size)
y = B[A[x]]
What is in A[128]?
1) Train branch predicto
r
2) Prepare cache
12
A_size=16
B[0]B[1] ...
B
34. Spectre 101
void f(int x)
if (x < A_size)
y = B[A[x]]
What is in A[128]?
1) Train branch predicto
r
2) Prepare cache
3) Run with x = 128
12
A_size=16
B[0]B[1] ...
B
35. Spectre 101
void f(int x)
if (x < A_size)
y = B[A[x]]
What is in A[128]?
1) Train branch predicto
r
2) Prepare cache
3) Run with x = 128
12
B[A[128]]
A_size=16
B[0]B[1] ...
B B[A[128]]
36. B[A[128]]
]
Spectre 101
void f(int x)
if (x < A_size)
y = B[A[x]]
What is in A[128]?
1) Train branch predicto
r
2) Prepare cache
3) Run with x = 128
12
B[A[128]]
A_size=16
B[0]B[1] ...
B B[A[128]]
37. B[A[128]]
]
Depends on
A[128]
Spectre 101
void f(int x)
if (x < A_size)
y = B[A[x]]
What is in A[128]?
1) Train branch predicto
r
2) Prepare cache
3) Run with x = 128
12
B[A[128]]
A_size=16
B[0]B[1] ...
B B[A[128]]
50. Hardware countermeasures
4
1. if (x < A_size)
2. y = A[x]
3. z = B[y]
4. end
Delay loads until
they can be retired
[Sakalis et al., ISCA’19]
Delay loads until they cannot
be squashed
[Sakalis et al., ISCA’19]
51. Hardware countermeasures
4
1. if (x < A_size)
2. y = A[x]
3. z = B[y]
4. end
Delay loads until
they can be retired
[Sakalis et al., ISCA’19]
Delay loads until they cannot
be squashed
[Sakalis et al., ISCA’19]
Taint speculatively loaded data
+ delay tainted loads
[STT and NDA, MICRO’19]
53. Hardware countermeasures
5
1. y = A[x]
2. if (x < A_size)
3. z = B[y]
4. end
Delay loads until
they can be retired
[Sakalis et al., ISCA'19]
Delay loads until they cannot
be squashed
[Sakalis et al., ISCA'19]
54. Hardware countermeasures
5
1. y = A[x]
2. if (x < A_size)
3. z = B[y]
4. end
Delay loads until
they can be retired
[Sakalis et al., ISCA'19]
Delay loads until they cannot
be squashed
[Sakalis et al., ISCA'19]
Taint speculatively loaded data
+ delay tainted loads
[STT and NDA, MICRO’19]
60. Contracts for side-channel-free systems
20
Contracts specify which program executions a side-channel
adversary can distinguish
61. Contracts for side-channel-free systems
20
Contracts specify which program executions a side-channel
adversary can distinguish
Goals
• Capture security guarantees of HW
• Basis for secure programming
69. Contract
ISA extended with
observations
Contracts
21
Contract satisfaction
Hardware satis
fi
es contract if for all programs and arch.
states , : if then
p
σ σ′

(p, σ)= (p, σ′

) (p, σ) = (p, σ′

)
Observations expose security-relevant
μarch events
Attacker observes
sequences of μarch states
Contract traces: (p, σ)
Hardware
Formal model of
processor
Hardware traces: (p, σ)
70. Contract
ISA extended with
observations
Contracts
21
Contract satisfaction
Hardware satis
fi
es contract if for all programs and arch.
states , : if then
p
σ σ′

(p, σ)= (p, σ′

) (p, σ) = (p, σ′

)
Observations expose security-relevant
μarch events
Attacker observes
sequences of μarch states
Contract traces: (p, σ)
Hardware
Formal model of
processor
Hardware traces: (p, σ)
71. Contract
ISA extended with
observations
Contracts
21
Contract satisfaction
Hardware satis
fi
es contract if for all programs and arch.
states , : if then
p
σ σ′

(p, σ)= (p, σ′

) (p, σ) = (p, σ′

)
Observations expose security-relevant
μarch events
Attacker observes
sequences of μarch states
Contract traces: (p, σ)
Hardware
Formal model of
processor
Hardware traces: (p, σ)
77. pc — only program counter
ct — pc + addr. of loads and stores
arch — ct + loaded values
Contracts for secure speculation
24
Contract =
Execution Mode · Observer Mode
78. A lattice of contracts
25
Seq-ct
Spec-ct
Spec-arch
Seq-arch
Seq/spec-ct/pc
⊤
⊥
79. A lattice of contracts
25
Leaks “everything”
Seq-ct
Spec-ct
Spec-arch
Seq-arch
Seq/spec-ct/pc
⊤
⊥
80. A lattice of contracts
25
Leaks “everything”
Leaks “nothing”
Seq-ct
Spec-ct
Spec-arch
Seq-arch
Seq/spec-ct/pc
⊤
⊥
81. A lattice of contracts
25
Leaks “everything”
Leaks “nothing”
Leaks
addresses of
non-spec.
loads/stores/
instruction
fetches
Seq-ct
Spec-ct
Spec-arch
Seq-arch
Seq/spec-ct/pc
⊤
⊥
82. A lattice of contracts
25
Leaks “everything”
Leaks “nothing”
Leaks
addresses of
non-spec.
loads/stores/
instruction
fetches
Leaks all data
accessed non-
speculatively
Seq-ct
Spec-ct
Spec-arch
Seq-arch
Seq/spec-ct/pc
⊤
⊥
83. A lattice of contracts
25
Leaks “everything”
Leaks “nothing”
Leaks
addresses of
non-spec.
loads/stores/
instruction
fetches
Leaks all data
accessed non-
speculatively
Leaks addresses of all loads/
stores/instruction fetches
Seq-ct
Spec-ct
Spec-arch
Seq-arch
Seq/spec-ct/pc
⊤
⊥
106. A simple processor
Speculative and out-of-order
executions
30
See paper for: processor operational semantics and security proofs
107. A simple processor
3-stage pipeline
(fetch, execute, retire)
Speculative and out-of-order
executions
30
See paper for: processor operational semantics and security proofs
108. A simple processor
Parametric in branch predictor and
memory hierarchy
3-stage pipeline
(fetch, execute, retire)
Speculative and out-of-order
executions
30
See paper for: processor operational semantics and security proofs
109. A simple processor
Parametric in branch predictor and
memory hierarchy
3-stage pipeline
(fetch, execute, retire)
Speculative and out-of-order
executions
30
See paper for: processor operational semantics and security proofs
Modeled as operational semantics describing how
processor’s state changes
(inspired by [Cauligi et al. 2019])
⇒
120. Eager load delay [Sakalis et al., ISCA’19]
33
Delaying loads until all sources of
speculation are resolved
121. Eager load delay [Sakalis et al., ISCA’19]
33
Delaying loads until all sources of
speculation are resolved
Security guarantees?
122. Eager load delay [Sakalis et al., ISCA’19]
34
if (x < A_size)
z = A[x]
y = B[z]
123. Eager load delay [Sakalis et al., ISCA’19]
34
if (x < A_size)
z = A[x]
y = B[z]
124. Eager load delay [Sakalis et al., ISCA’19]
34
if (x < A_size)
z = A[x]
y = B[z]
A[x]and B[z] delayed until
x < A_size is resolved
125. Eager load delay [Sakalis et al., ISCA’19]
34
if (x < A_size)
z = A[x]
y = B[z]
A[x]and B[z] delayed until
x < A_size is resolved
🥳 No speculative leaks 🥳
126. Eager load delay [Sakalis et al., ISCA’19]
35
z = A[x]
if(x < A_size)
if(z==0)
skip
127. Eager load delay [Sakalis et al., ISCA’19]
35
z = A[x]
if(x < A_size)
if(z==0)
skip
128. Eager load delay [Sakalis et al., ISCA’19]
35
z = A[x]
if(x < A_size)
if(z==0)
skip
if(z==0) is not delayed
129. Eager load delay [Sakalis et al., ISCA’19]
35
z = A[x]
if(x < A_size)
if(z==0)
skip
if(z==0) is not delayed
Program speculatively
leaks A[x] 😞
139. Hardware taint-tracking [Yu et al. 2019, Weisse et al. 2019]
38
if (x < A_size)
z = A[x]
y = B[z]
A[x]tainted as unsafe
B[z] delayed until
A[x] is safe
140. Hardware taint-tracking [Yu et al. 2019, Weisse et al. 2019]
38
if (x < A_size)
z = A[x]
y = B[z]
A[x]tainted as unsafe
B[z] delayed until
A[x] is safe
🥳 No speculative leaks 🥳
143. Hardware taint-tracking [Yu et al. 2019, Weisse et al. 2019]
39
z = A[x]
if (x < A_size)
y = B[z]
A[x]tagged as safe
B[z] not delayed
144. Hardware taint-tracking [Yu et al. 2019, Weisse et al. 2019]
39
z = A[x]
if (x < A_size)
y = B[z]
A[x]tagged as safe
B[z] not delayed
Program speculatively
leaks A[x] 😞
162. Contracts & Modeling
47
So far: toy ISA + observation modes for cache/control-
fl
ow leaks + execution modes for branch speculation
163. Contracts & Modeling
47
So far: toy ISA + observation modes for cache/control-
fl
ow leaks + execution modes for branch speculation
Challenge: scale to real-world ISAs
164. Contracts & Modeling
47
So far: toy ISA + observation modes for cache/control-
fl
ow leaks + execution modes for branch speculation
Challenge: scale to real-world ISAs
What do we need? Formal models of ISAs + adequate
extensions to capture leaks
169. Contracts & Hardware
49
So far: manual security proofs on toy CPU/ISA
Challenge: automation for realistic CPUs
170. Contracts & Hardware
49
So far: manual security proofs on toy CPU/ISA
Challenge: automation for realistic CPUs
What do we need? Automated veri
fi
cation and testing
techniques for contract satisfaction
174. Contracts & Software
51
So far: contracts as secure programming foundations +
tools targeting “
fi
xed contracts”
175. Contracts & Software
51
So far: contracts as secure programming foundations +
tools targeting “
fi
xed contracts”
Challenge: support for large classes of contracts
176. Contracts & Software
51
So far: contracts as secure programming foundations +
tools targeting “
fi
xed contracts”
Challenge: support for large classes of contracts
What do we need? Contract-aware program analyses
and secure compilation passes
178.
Contract
ISA extended with
observations
Contracts
Contract satisfaction
Hardware satisfies contract if for all programs and arch.
states , : if then
p
σ σ′ (p, σ)= (p, σ′) (p, σ) = (p, σ′)
Contract traces: (p, σ)
Hardware
Formal model of
processor
Hardware traces: (p, σ)
A lattice of contracts
Leaks “everything”
Leaks “nothing”
Leaks
addresses of
non-spec.
loads/stores/
instruction
fetches
Leaks all data
accessed non-
speculatively
Leaks addresses of all loads/
stores/instruction fetches
Seq-ct
Spec-ct
Spec-arch
Seq-arch
Seq/spec-ct/pc
⊤
⊥
Security guarantees
Seq-ct
Spec-ct
Spec-arch
Seq-arch
Seq/spec-ct/pc
OoO
NS
LD
TT
Vanilla OoO CPU +
spec. exec
In-order CPU
(no specExec)
OoO CPU+load delay
OoO CPU+taint tracking
OoO TT
LD
NS
TT
LD
Two flavors of secure programming
Sandboxing
Constant-time
179.
Contract
ISA extended with
observations
Contracts
Contract satisfaction
Hardware satisfies contract if for all programs and arch.
states , : if then
p
σ σ′ (p, σ)= (p, σ′) (p, σ) = (p, σ′)
Contract traces: (p, σ)
Hardware
Formal model of
processor
Hardware traces: (p, σ)
A lattice of contracts
Leaks “everything”
Leaks “nothing”
Leaks
addresses of
non-spec.
loads/stores/
instruction
fetches
Leaks all data
accessed non-
speculatively
Leaks addresses of all loads/
stores/instruction fetches
Seq-ct
Spec-ct
Spec-arch
Seq-arch
Seq/spec-ct/pc
⊤
⊥
Security guarantees
Seq-ct
Spec-ct
Spec-arch
Seq-arch
Seq/spec-ct/pc
OoO
NS
LD
TT
Vanilla OoO CPU +
spec. exec
In-order CPU
(no specExec)
OoO CPU+load delay
OoO CPU+taint tracking
OoO TT
LD
NS
TT
LD
Two flavors of secure programming
Sandboxing
Constant-time
marco.guarnieri@imdea.org @MarcoGuarnier1
Find out more in the paper:
https://arxiv.org/abs/2006.03841
187. Contracts @ Software
57
Program analysis
+
Guarnieri et al., Spectector: Principled detection of speculative leaks, S&P 2020
Program analyzers that work for
arbitrary contracts
188. Contracts @ Software
57
Secure compilation
Compiler
Source
program
Target
program
Contract
Compiler takes
contracts as input
Ensure security at
contract level
Patrignani and Guarnieri, Exorcising Spectre with secure compilers, CCS 2021
Program analysis
+
Guarnieri et al., Spectector: Principled detection of speculative leaks, S&P 2020
Program analyzers that work for
arbitrary contracts
191. Contracts @ Hardware
58
Veri
fi
cation
Tools for
checking
compliance
with contracts
(Partially) automate
contract satisfaction
proofs
Testing/Fuzzing
Contracts as test oracles
Black box: see Oleksenko et al.,
Revizor: Fuzzing for Leaks in
Black-box CPUs https://arxiv.org/
abs/2105.06872
White box: WIP!
193. A simple processor — Configurations
59
Configurations: State of the processor during computation
194. A simple processor — Configurations
59
Configurations: State of the processor during computation
⟨m, a, buf, cs, bp, sc⟩
195. A simple processor — Configurations
59
Configurations: State of the processor during computation
Memory
⟨m, a, buf, cs, bp, sc⟩
196. A simple processor — Configurations
59
Configurations: State of the processor during computation
Memory
Registers
⟨m, a, buf, cs, bp, sc⟩
197. A simple processor — Configurations
59
Configurations: State of the processor during computation
Memory
Registers Reorder
bu
ff
er
⟨m, a, buf, cs, bp, sc⟩
198. A simple processor — Configurations
59
Configurations: State of the processor during computation
Memory
Registers Reorder
bu
ff
er
Cache
(metadata)
⟨m, a, buf, cs, bp, sc⟩
199. A simple processor — Configurations
59
Configurations: State of the processor during computation
Memory
Registers Reorder
bu
ff
er
Cache
(metadata)
Branch
predictor
⟨m, a, buf, cs, bp, sc⟩
200. A simple processor — Configurations
59
Configurations: State of the processor during computation
Memory
Registers Reorder
bu
ff
er
Cache
(metadata)
Branch
predictor
Scheduler
⟨m, a, buf, cs, bp, sc⟩
201. A simple processor — Configurations
59
Configurations: State of the processor during computation
Memory
Registers Reorder
bu
ff
er
Cache
(metadata)
Branch
predictor
Scheduler
😈
⟨m, a, buf, cs, bp, sc⟩
203. A simple processor — Semantics
60
Semantics: Describe how con
fi
gurations evolve
204. A simple processor — Semantics
60
Semantics: Describe how con
fi
gurations evolve
Hardware semantics
We formalize the hardware semantics of a µASM program
ng a binary relation ) ✓ HwStates ⇥ HwStates that ma
dware states to their successors:
STEP
hm,a,buf,cs,bpi
d
=
)hm0
,a0
,buf0
,cs0
,bp0
i
d = next(sc) sc0
= update(sc,buf0
#)
hm,a,buf,cs,bp,sci)hm0
,a0
,buf0
,cs0
,bp0
,sc0
i
e rule captures one execution step at the µarch. level. T
205. A simple processor — Semantics
60
Semantics: Describe how con
fi
gurations evolve
Hardware semantics
We formalize the hardware semantics of a µASM program
ng a binary relation ) ✓ HwStates ⇥ HwStates that ma
dware states to their successors:
STEP
hm,a,buf,cs,bpi
d
=
)hm0
,a0
,buf0
,cs0
,bp0
i
d = next(sc) sc0
= update(sc,buf0
#)
hm,a,buf,cs,bp,sci)hm0
,a0
,buf0
,cs0
,bp0
,sc0
i
e rule captures one execution step at the µarch. level. T
Current state
206. A simple processor — Semantics
60
Semantics: Describe how con
fi
gurations evolve
Hardware semantics
We formalize the hardware semantics of a µASM program
ng a binary relation ) ✓ HwStates ⇥ HwStates that ma
dware states to their successors:
STEP
hm,a,buf,cs,bpi
d
=
)hm0
,a0
,buf0
,cs0
,bp0
i
d = next(sc) sc0
= update(sc,buf0
#)
hm,a,buf,cs,bp,sci)hm0
,a0
,buf0
,cs0
,bp0
,sc0
i
e rule captures one execution step at the µarch. level. T
Current state Next state
207. A simple processor — Semantics
60
Semantics: Describe how con
fi
gurations evolve
Hardware semantics
We formalize the hardware semantics of a µASM program
ng a binary relation ) ✓ HwStates ⇥ HwStates that ma
dware states to their successors:
STEP
hm,a,buf,cs,bpi
d
=
)hm0
,a0
,buf0
,cs0
,bp0
i
d = next(sc) sc0
= update(sc,buf0
#)
hm,a,buf,cs,bp,sci)hm0
,a0
,buf0
,cs0
,bp0
,sc0
i
e rule captures one execution step at the µarch. level. T
Current state Next state
Directive from scheduler
fetch, execute i, retire
208. A simple processor — Semantics
60
Semantics: Describe how con
fi
gurations evolve
Hardware semantics
We formalize the hardware semantics of a µASM program
ng a binary relation ) ✓ HwStates ⇥ HwStates that ma
dware states to their successors:
STEP
hm,a,buf,cs,bpi
d
=
)hm0
,a0
,buf0
,cs0
,bp0
i
d = next(sc) sc0
= update(sc,buf0
#)
hm,a,buf,cs,bp,sci)hm0
,a0
,buf0
,cs0
,bp0
,sc0
i
e rule captures one execution step at the µarch. level. T
Current state Next state
Directive from scheduler
fetch, execute i, retire
Semantics for pipeline stages
209. Rules capture effect of directives - Fetch
61
nents
reted
s) 2
ad-
miss
state
that
ocks
ction
edic-
been
ictor
For each directive, i.e., fetch,execute i, and retire, we
sketch below the rules that govern the definition of the
auxiliary relations
fetch
=
=
),
execute i
=
=
=
=
=
), and
retire
=
=
=
).
1) Fetch: Instructions are fetched in-order. Here we present
selected rules modeling instruction fetch:
FETCH-BRANCH-HIT
a0
= apl(buf,a) |buf| < w a0
(pc) 6= ?
p(a0
(pc)) = beqz x,` `0
= predict(bp,a0
(pc))
access(cs,a0
(pc)) = Hit update(cs,a0
(pc)) = cs0
hm,a,buf,cs,bpi
fetch
=
=
)hm,a,buf ·pc `0
@a0
(pc),cs0
,bpi
FETCH-MISS
|buf| < w a0
= apl(buf,a) a0
(pc) 6= ?
access(cs,a0
(pc)) = Miss update(cs,a0
(pc)) = cs0
210. Rules capture effect of directives - Fetch
61
nents
reted
s) 2
ad-
miss
state
that
ocks
ction
edic-
been
ictor
For each directive, i.e., fetch,execute i, and retire, we
sketch below the rules that govern the definition of the
auxiliary relations
fetch
=
=
),
execute i
=
=
=
=
=
), and
retire
=
=
=
).
1) Fetch: Instructions are fetched in-order. Here we present
selected rules modeling instruction fetch:
FETCH-BRANCH-HIT
a0
= apl(buf,a) |buf| < w a0
(pc) 6= ?
p(a0
(pc)) = beqz x,` `0
= predict(bp,a0
(pc))
access(cs,a0
(pc)) = Hit update(cs,a0
(pc)) = cs0
hm,a,buf,cs,bpi
fetch
=
=
)hm,a,buf ·pc `0
@a0
(pc),cs0
,bpi
FETCH-MISS
|buf| < w a0
= apl(buf,a) a0
(pc) 6= ?
access(cs,a0
(pc)) = Miss update(cs,a0
(pc)) = cs0
applying reorder buffer
to register state
211. Rules capture effect of directives - Fetch
61
nents
reted
s) 2
ad-
miss
state
that
ocks
ction
edic-
been
ictor
For each directive, i.e., fetch,execute i, and retire, we
sketch below the rules that govern the definition of the
auxiliary relations
fetch
=
=
),
execute i
=
=
=
=
=
), and
retire
=
=
=
).
1) Fetch: Instructions are fetched in-order. Here we present
selected rules modeling instruction fetch:
FETCH-BRANCH-HIT
a0
= apl(buf,a) |buf| < w a0
(pc) 6= ?
p(a0
(pc)) = beqz x,` `0
= predict(bp,a0
(pc))
access(cs,a0
(pc)) = Hit update(cs,a0
(pc)) = cs0
hm,a,buf,cs,bpi
fetch
=
=
)hm,a,buf ·pc `0
@a0
(pc),cs0
,bpi
FETCH-MISS
|buf| < w a0
= apl(buf,a) a0
(pc) 6= ?
access(cs,a0
(pc)) = Miss update(cs,a0
(pc)) = cs0
applying reorder buffer
to register state
reorder buffer
is not full
212. Rules capture effect of directives - Fetch
61
nents
reted
s) 2
ad-
miss
state
that
ocks
ction
edic-
been
ictor
For each directive, i.e., fetch,execute i, and retire, we
sketch below the rules that govern the definition of the
auxiliary relations
fetch
=
=
),
execute i
=
=
=
=
=
), and
retire
=
=
=
).
1) Fetch: Instructions are fetched in-order. Here we present
selected rules modeling instruction fetch:
FETCH-BRANCH-HIT
a0
= apl(buf,a) |buf| < w a0
(pc) 6= ?
p(a0
(pc)) = beqz x,` `0
= predict(bp,a0
(pc))
access(cs,a0
(pc)) = Hit update(cs,a0
(pc)) = cs0
hm,a,buf,cs,bpi
fetch
=
=
)hm,a,buf ·pc `0
@a0
(pc),cs0
,bpi
FETCH-MISS
|buf| < w a0
= apl(buf,a) a0
(pc) 6= ?
access(cs,a0
(pc)) = Miss update(cs,a0
(pc)) = cs0
instruction is a
branch
instruction is a
branch
applying reorder buffer
to register state
reorder buffer
is not full
213. Rules capture effect of directives - Fetch
61
nents
reted
s) 2
ad-
miss
state
that
ocks
ction
edic-
been
ictor
For each directive, i.e., fetch,execute i, and retire, we
sketch below the rules that govern the definition of the
auxiliary relations
fetch
=
=
),
execute i
=
=
=
=
=
), and
retire
=
=
=
).
1) Fetch: Instructions are fetched in-order. Here we present
selected rules modeling instruction fetch:
FETCH-BRANCH-HIT
a0
= apl(buf,a) |buf| < w a0
(pc) 6= ?
p(a0
(pc)) = beqz x,` `0
= predict(bp,a0
(pc))
access(cs,a0
(pc)) = Hit update(cs,a0
(pc)) = cs0
hm,a,buf,cs,bpi
fetch
=
=
)hm,a,buf ·pc `0
@a0
(pc),cs0
,bpi
FETCH-MISS
|buf| < w a0
= apl(buf,a) a0
(pc) 6= ?
access(cs,a0
(pc)) = Miss update(cs,a0
(pc)) = cs0
instruction is a
branch
instruction is a
branch
applying reorder buffer
to register state
reorder buffer
is not full
branch predictor
says is next
ℓ′

214. Rules capture effect of directives - Fetch
61
nents
reted
s) 2
ad-
miss
state
that
ocks
ction
edic-
been
ictor
For each directive, i.e., fetch,execute i, and retire, we
sketch below the rules that govern the definition of the
auxiliary relations
fetch
=
=
),
execute i
=
=
=
=
=
), and
retire
=
=
=
).
1) Fetch: Instructions are fetched in-order. Here we present
selected rules modeling instruction fetch:
FETCH-BRANCH-HIT
a0
= apl(buf,a) |buf| < w a0
(pc) 6= ?
p(a0
(pc)) = beqz x,` `0
= predict(bp,a0
(pc))
access(cs,a0
(pc)) = Hit update(cs,a0
(pc)) = cs0
hm,a,buf,cs,bpi
fetch
=
=
)hm,a,buf ·pc `0
@a0
(pc),cs0
,bpi
FETCH-MISS
|buf| < w a0
= apl(buf,a) a0
(pc) 6= ?
access(cs,a0
(pc)) = Miss update(cs,a0
(pc)) = cs0
instruction is a
branch
instruction is a
branch
applying reorder buffer
to register state
reorder buffer
is not full
branch predictor
says is next
ℓ′

Cache hit
+ updating
cache state
215. Rules capture effect of directives - Fetch
61
nents
reted
s) 2
ad-
miss
state
that
ocks
ction
edic-
been
ictor
For each directive, i.e., fetch,execute i, and retire, we
sketch below the rules that govern the definition of the
auxiliary relations
fetch
=
=
),
execute i
=
=
=
=
=
), and
retire
=
=
=
).
1) Fetch: Instructions are fetched in-order. Here we present
selected rules modeling instruction fetch:
FETCH-BRANCH-HIT
a0
= apl(buf,a) |buf| < w a0
(pc) 6= ?
p(a0
(pc)) = beqz x,` `0
= predict(bp,a0
(pc))
access(cs,a0
(pc)) = Hit update(cs,a0
(pc)) = cs0
hm,a,buf,cs,bpi
fetch
=
=
)hm,a,buf ·pc `0
@a0
(pc),cs0
,bpi
FETCH-MISS
|buf| < w a0
= apl(buf,a) a0
(pc) 6= ?
access(cs,a0
(pc)) = Miss update(cs,a0
(pc)) = cs0
instruction is a
branch
instruction is a
branch
applying reorder buffer
to register state
reorder buffer
is not full
branch predictor
says is next
ℓ′

Cache hit
+ updating
cache state
add change of pc
to reorder buffer
216. Rules capture effect of directive - Retire
62
retiring only commands i@T at the head of the reorder buffer
where the instruction i has been resolved, and the tag T is e
indicating that there are no unresolved predictions. Selected
rules for the retire directive are given below:
RETIRE-ASSIGNMENT
buf = x v@e ·buf0
v 2 Vals
hm,a,buf,cs,bpi
retire
=
=
=
)hm,a[x 7! v],buf0
,cs,bpi
RETIRE-STORE
buf = store v,n@e ·buf0
v,n 2 Vals update(cs,n) = cs0
retire 0 0
217. Rules capture effect of directive - Retire
62
retiring only commands i@T at the head of the reorder buffer
where the instruction i has been resolved, and the tag T is e
indicating that there are no unresolved predictions. Selected
rules for the retire directive are given below:
RETIRE-ASSIGNMENT
buf = x v@e ·buf0
v 2 Vals
hm,a,buf,cs,bpi
retire
=
=
=
)hm,a[x 7! v],buf0
,cs,bpi
RETIRE-STORE
buf = store v,n@e ·buf0
v,n 2 Vals update(cs,n) = cs0
retire 0 0
result of instruction at head of
reorder buffer is resolved
218. Rules capture effect of directive - Retire
62
retiring only commands i@T at the head of the reorder buffer
where the instruction i has been resolved, and the tag T is e
indicating that there are no unresolved predictions. Selected
rules for the retire directive are given below:
RETIRE-ASSIGNMENT
buf = x v@e ·buf0
v 2 Vals
hm,a,buf,cs,bpi
retire
=
=
=
)hm,a[x 7! v],buf0
,cs,bpi
RETIRE-STORE
buf = store v,n@e ·buf0
v,n 2 Vals update(cs,n) = cs0
retire 0 0
result of instruction at head of
reorder buffer is resolved
apply change to registers
and remove entry from reorder buffer
219. Eager load delay [Sakalis et al. 2019]
63
hm,a,buf,cs,bpi=
)hm ,a ,buf ,cs ,bp i
d = next(sc) sc0
= update(sc,buf0
#)
d 2 {fetch,retire}_(d = execute i^buf|i 6= load x,e)
hm,a,buf,cs,bp,sci)loadDelayhm0
,a0
,buf0
,cs0
,bp0
,sc0
i
STEP-EAGER-DELAY
hm,a,buf,cs,bpi
d
=
)hm0
,a0
,buf0
,cs0
,bp0
i
d = next(sc) sc0
= update(sc,buf0
#) d = execute i
buf|i = load x,e 8pc `@`0
2 buf[0..i 1]. `0
= e
hm,a,buf,cs,bp,sci)loadDelayhm0
,a0
,buf0
,cs0
,bp0
,sc0
i
and to selectively delay instruction
tion. While these proposals slight
are labelled and on the effects of
the same building blocks and pro
For this reason, we start by
the Speculative Taint Tracking (S
Data Access (NDA) [4] counterm
a general extension to the hardwa
for supporting taint-tracking schem
izing a countermeasure inspired
security guarantees, and we conc
sure. This countermeasure consists in delaying loads until all
sources of mis-speculation have been resolved. We remark that
the hardware semantics of Section V supports speculation only
over branch instructions. Therefore, we model the loadDelay
countermeasure by preventing loads whenever there are pre-
ceding, unresolved branch instructions in the reorder buffer.
Using the terminology of [3], loads are delayed as long as
they are under a so-called control-shadow.
We formalize the loadDelay countermeasure by modifying
the STEP rule of the hardware semantics as follows (changes
are highlighted in blue):
STEP-OTHERS
hm,a,buf,cs,bpi
d
=
)hm0
,a0
,buf0
,cs0
,bp0
i
d = next(sc) sc0
= update(sc,buf0
#)
d 2 {fetch,retire}_(d = execute i^buf|i 6= load x,e)
hm,a,buf,cs,bp,sci)loadDelayhm0
,a0
,buf0
,cs0
,bp0
,sc0
i
STEP-EAGER-DELAY
cution, and in addition, the progr
speculative execution. This new
countermeasure, leading to Theor
Theorem 3. {
|·|
}loadDelay ` J·Kseq
ct-p
As the control flow during spe
depend upon data previously lo
security of the countermeasure can
Theorem 4. {
|·|
}loadDelay ` J·K
seq
arc
C. tt: Taint tracking of speculativ
Recent work [4], [5] propose to
and to selectively delay instruction
tion. While these proposals slight
are labelled and on the effects of
the same building blocks and pro
For this reason, we start by
the Speculative Taint Tracking (S
220. Eager load delay [Sakalis et al. 2019]
63
hm,a,buf,cs,bpi=
)hm ,a ,buf ,cs ,bp i
d = next(sc) sc0
= update(sc,buf0
#)
d 2 {fetch,retire}_(d = execute i^buf|i 6= load x,e)
hm,a,buf,cs,bp,sci)loadDelayhm0
,a0
,buf0
,cs0
,bp0
,sc0
i
STEP-EAGER-DELAY
hm,a,buf,cs,bpi
d
=
)hm0
,a0
,buf0
,cs0
,bp0
i
d = next(sc) sc0
= update(sc,buf0
#) d = execute i
buf|i = load x,e 8pc `@`0
2 buf[0..i 1]. `0
= e
hm,a,buf,cs,bp,sci)loadDelayhm0
,a0
,buf0
,cs0
,bp0
,sc0
i
and to selectively delay instruction
tion. While these proposals slight
are labelled and on the effects of
the same building blocks and pro
For this reason, we start by
the Speculative Taint Tracking (S
Data Access (NDA) [4] counterm
a general extension to the hardwa
for supporting taint-tracking schem
izing a countermeasure inspired
security guarantees, and we conc
Loads are executed
only if prior branch
instructions are
resolved
sure. This countermeasure consists in delaying loads until all
sources of mis-speculation have been resolved. We remark that
the hardware semantics of Section V supports speculation only
over branch instructions. Therefore, we model the loadDelay
countermeasure by preventing loads whenever there are pre-
ceding, unresolved branch instructions in the reorder buffer.
Using the terminology of [3], loads are delayed as long as
they are under a so-called control-shadow.
We formalize the loadDelay countermeasure by modifying
the STEP rule of the hardware semantics as follows (changes
are highlighted in blue):
STEP-OTHERS
hm,a,buf,cs,bpi
d
=
)hm0
,a0
,buf0
,cs0
,bp0
i
d = next(sc) sc0
= update(sc,buf0
#)
d 2 {fetch,retire}_(d = execute i^buf|i 6= load x,e)
hm,a,buf,cs,bp,sci)loadDelayhm0
,a0
,buf0
,cs0
,bp0
,sc0
i
STEP-EAGER-DELAY
cution, and in addition, the progr
speculative execution. This new
countermeasure, leading to Theor
Theorem 3. {
|·|
}loadDelay ` J·Kseq
ct-p
As the control flow during spe
depend upon data previously lo
security of the countermeasure can
Theorem 4. {
|·|
}loadDelay ` J·K
seq
arc
C. tt: Taint tracking of speculativ
Recent work [4], [5] propose to
and to selectively delay instruction
tion. While these proposals slight
are labelled and on the effects of
the same building blocks and pro
For this reason, we start by
the Speculative Taint Tracking (S
221. Eager load delay [Sakalis et al. 2019]
63
hm,a,buf,cs,bpi=
)hm ,a ,buf ,cs ,bp i
d = next(sc) sc0
= update(sc,buf0
#)
d 2 {fetch,retire}_(d = execute i^buf|i 6= load x,e)
hm,a,buf,cs,bp,sci)loadDelayhm0
,a0
,buf0
,cs0
,bp0
,sc0
i
STEP-EAGER-DELAY
hm,a,buf,cs,bpi
d
=
)hm0
,a0
,buf0
,cs0
,bp0
i
d = next(sc) sc0
= update(sc,buf0
#) d = execute i
buf|i = load x,e 8pc `@`0
2 buf[0..i 1]. `0
= e
hm,a,buf,cs,bp,sci)loadDelayhm0
,a0
,buf0
,cs0
,bp0
,sc0
i
and to selectively delay instruction
tion. While these proposals slight
are labelled and on the effects of
the same building blocks and pro
For this reason, we start by
the Speculative Taint Tracking (S
Data Access (NDA) [4] counterm
a general extension to the hardwa
for supporting taint-tracking schem
izing a countermeasure inspired
security guarantees, and we conc
Loads are executed
only if prior branch
instructions are
resolved
sure. This countermeasure consists in delaying loads until all
sources of mis-speculation have been resolved. We remark that
the hardware semantics of Section V supports speculation only
over branch instructions. Therefore, we model the loadDelay
countermeasure by preventing loads whenever there are pre-
ceding, unresolved branch instructions in the reorder buffer.
Using the terminology of [3], loads are delayed as long as
they are under a so-called control-shadow.
We formalize the loadDelay countermeasure by modifying
the STEP rule of the hardware semantics as follows (changes
are highlighted in blue):
STEP-OTHERS
hm,a,buf,cs,bpi
d
=
)hm0
,a0
,buf0
,cs0
,bp0
i
d = next(sc) sc0
= update(sc,buf0
#)
d 2 {fetch,retire}_(d = execute i^buf|i 6= load x,e)
hm,a,buf,cs,bp,sci)loadDelayhm0
,a0
,buf0
,cs0
,bp0
,sc0
i
STEP-EAGER-DELAY
cution, and in addition, the progr
speculative execution. This new
countermeasure, leading to Theor
Theorem 3. {
|·|
}loadDelay ` J·Kseq
ct-p
As the control flow during spe
depend upon data previously lo
security of the countermeasure can
Theorem 4. {
|·|
}loadDelay ` J·K
seq
arc
C. tt: Taint tracking of speculativ
Recent work [4], [5] propose to
and to selectively delay instruction
tion. While these proposals slight
are labelled and on the effects of
the same building blocks and pro
For this reason, we start by
the Speculative Taint Tracking (S
Everything else
works as before
222. Hw-level taint-tracking [Yu et al. 2019, Weisse et al. 2019]
64
modeled by d).
We describe later how these functions can be instantiated to
model STT and NDA.
We formalize the tt countermeasure by modifying the STEP
rule as follows (changes are highlighted in blue):
STEP
d = next(sc) buful = unlbl(buf,d)
hm,a, buful ,cs,bpi
d
=
)hm0
,a0
, buf0
ul ,cs0
,bp0
i
sc0
= update(sc,buf0
#) buf0
= lbl(buf0
ul,buf,d)
hm,a,buf,cs,bp,sci)tthm0
,a0
buf0
,cs0
,bp0
,sc0
i
The rule differs from the standard STEP rule in three ways:
• Entries in the reorder buffer are labelled.
• Before activating a step in the pipeline, i.e., before apply-
ing one step of
d
=
), we use the unlabeling function to derive an
a transmit
execute no
• The la
fies how ne
labels are u
– Newly f
there is no
they are la
assignment
unsafe dat
labelled as
All other n
– Whenev
labels are p
– When w
eliminating
223. Hw-level taint-tracking [Yu et al. 2019, Weisse et al. 2019]
64
modeled by d).
We describe later how these functions can be instantiated to
model STT and NDA.
We formalize the tt countermeasure by modifying the STEP
rule as follows (changes are highlighted in blue):
STEP
d = next(sc) buful = unlbl(buf,d)
hm,a, buful ,cs,bpi
d
=
)hm0
,a0
, buf0
ul ,cs0
,bp0
i
sc0
= update(sc,buf0
#) buf0
= lbl(buf0
ul,buf,d)
hm,a,buf,cs,bp,sci)tthm0
,a0
buf0
,cs0
,bp0
,sc0
i
The rule differs from the standard STEP rule in three ways:
• Entries in the reorder buffer are labelled.
• Before activating a step in the pipeline, i.e., before apply-
ing one step of
d
=
), we use the unlabeling function to derive an
a transmit
execute no
• The la
fies how ne
labels are u
– Newly f
there is no
they are la
assignment
unsafe dat
labelled as
All other n
– Whenev
labels are p
– When w
eliminating
Entries in the reorder buffer are labelled as safe/unsafe
224. Hw-level taint-tracking [Yu et al. 2019, Weisse et al. 2019]
64
modeled by d).
We describe later how these functions can be instantiated to
model STT and NDA.
We formalize the tt countermeasure by modifying the STEP
rule as follows (changes are highlighted in blue):
STEP
d = next(sc) buful = unlbl(buf,d)
hm,a, buful ,cs,bpi
d
=
)hm0
,a0
, buf0
ul ,cs0
,bp0
i
sc0
= update(sc,buf0
#) buf0
= lbl(buf0
ul,buf,d)
hm,a,buf,cs,bp,sci)tthm0
,a0
buf0
,cs0
,bp0
,sc0
i
The rule differs from the standard STEP rule in three ways:
• Entries in the reorder buffer are labelled.
• Before activating a step in the pipeline, i.e., before apply-
ing one step of
d
=
), we use the unlabeling function to derive an
a transmit
execute no
• The la
fies how ne
labels are u
– Newly f
there is no
they are la
assignment
unsafe dat
labelled as
All other n
– Whenev
labels are p
– When w
eliminating
Entries in the reorder buffer are labelled as safe/unsafe
Derive unlabeled buffer
(hides information tagged
as unsafe)
225. Hw-level taint-tracking [Yu et al. 2019, Weisse et al. 2019]
64
modeled by d).
We describe later how these functions can be instantiated to
model STT and NDA.
We formalize the tt countermeasure by modifying the STEP
rule as follows (changes are highlighted in blue):
STEP
d = next(sc) buful = unlbl(buf,d)
hm,a, buful ,cs,bpi
d
=
)hm0
,a0
, buf0
ul ,cs0
,bp0
i
sc0
= update(sc,buf0
#) buf0
= lbl(buf0
ul,buf,d)
hm,a,buf,cs,bp,sci)tthm0
,a0
buf0
,cs0
,bp0
,sc0
i
The rule differs from the standard STEP rule in three ways:
• Entries in the reorder buffer are labelled.
• Before activating a step in the pipeline, i.e., before apply-
ing one step of
d
=
), we use the unlabeling function to derive an
a transmit
execute no
• The la
fies how ne
labels are u
– Newly f
there is no
they are la
assignment
unsafe dat
labelled as
All other n
– Whenev
labels are p
– When w
eliminating
Entries in the reorder buffer are labelled as safe/unsafe
Derive unlabeled buffer
(hides information tagged
as unsafe)
Computation on unlabeled buffer
226. Hw-level taint-tracking [Yu et al. 2019, Weisse et al. 2019]
64
modeled by d).
We describe later how these functions can be instantiated to
model STT and NDA.
We formalize the tt countermeasure by modifying the STEP
rule as follows (changes are highlighted in blue):
STEP
d = next(sc) buful = unlbl(buf,d)
hm,a, buful ,cs,bpi
d
=
)hm0
,a0
, buf0
ul ,cs0
,bp0
i
sc0
= update(sc,buf0
#) buf0
= lbl(buf0
ul,buf,d)
hm,a,buf,cs,bp,sci)tthm0
,a0
buf0
,cs0
,bp0
,sc0
i
The rule differs from the standard STEP rule in three ways:
• Entries in the reorder buffer are labelled.
• Before activating a step in the pipeline, i.e., before apply-
ing one step of
d
=
), we use the unlabeling function to derive an
a transmit
execute no
• The la
fies how ne
labels are u
– Newly f
there is no
they are la
assignment
unsafe dat
labelled as
All other n
– Whenev
labels are p
– When w
eliminating
Entries in the reorder buffer are labelled as safe/unsafe
Update labels
Derive unlabeled buffer
(hides information tagged
as unsafe)
Computation on unlabeled buffer
227. Constant-time Sandboxing
Checking secure programming
27
[[⋅]]seq
ct
[[⋅]]seq
arch
[[⋅]]spec
ct
✓
✓
✓
See paper for: security de
fi
nitions
.. + NI wrt [[⋅]]seq
arch
.. + Speculative NI
[Guarnieri et al., S&P’20]
.. + weak spec. NI
228. Constant-time Sandboxing
Checking secure programming
27
[[⋅]]seq
ct
[[⋅]]seq
arch
[[⋅]]spec
ct
✓
✓
✓
See paper for: security de
fi
nitions
.. + NI wrt [[⋅]]seq
arch
.. + Speculative NI
[Guarnieri et al., S&P’20]
.. + weak spec. NI
231. Background: Reorder buffer
• Key hardware data structure for
out-of-order and speculative execution
• Keeps track of “in-
fl
ight instructions”
66
232. Background: Reorder buffer
• Key hardware data structure for
out-of-order and speculative execution
• Keeps track of “in-
fl
ight instructions”
• Example:
66
Entry Instruction Control Dep.
0: c ⟵ x < A_size -
1: beqz c, END -
2: - -
3: - -
… … …
c ⟵ x < A_size
beqz c, END
L1: load t, A + x
load y, B + t
END:
233. Background: Reorder buffer
• Key hardware data structure for
out-of-order and speculative execution
• Keeps track of “in-
fl
ight instructions”
• Example:
66
Entry Instruction Control Dep.
0: c ⟵ x < A_size -
1: beqz c, END -
2: - -
3: - -
… … …
c ⟵ x < A_size
beqz c, END
L1: load t, A + x
load y, B + t
END:
Entry Instruction Control Dep.
0: c ⟵ x < A_size -
1: beqz c, END -
2: load t, A + x 1
3: - -
… … …
Speculative
Instruction
Fetch
234. Background: Reorder buffer
• Key hardware data structure for
out-of-order and speculative execution
• Keeps track of “in-
fl
ight instructions”
• Example:
67
Entry Instruction Control Dep.
0: c ⟵ x <
A_size
-
1: beqz c, END -
2: - -
3: - -
… … …
c ⟵ x < A_size
beqz c, END
L1: load t, A + x
load y, B + t
END:
Entry Instruction Control Dep.
0: c ⟵ x < A_size -
1: beqz c, END -
2: load t, A + x 1
3: load y, B + t 1
… … …
Speculative
Instruction
Fetch
Entry Instruction Control Dep.
0: c ⟵ x < A_size -
1: beqz c, END -
2: load t, A + x 1
3: - -
… … …
235. Background: Reorder buffer
• Key hardware data structure for
out-of-order and speculative execution
• Keeps track of “in-
fl
ight instructions”
• Example:
68
Entry Instruction Control Dep.
0: c ⟵ x <
A_size
-
1: beqz c, END -
2: - -
3: - -
… … …
c ⟵ x < A_size
beqz c, END
L1: load t, A + x
load y, B + t
END:
Entry Instruction Control Dep.
0: c ⟵ 0 -
1: beqz c, END -
2: load t, A + x 1
3: load y, B + t 1
… … …
Evaluate
x < A_size
Entry Instruction Control Dep.
0: c ⟵ x <
A_size
-
1: beqz c, END -
2: load t, A + x 2
3: - -
… … …
Entry Instruction Control Dep.
0: c ⟵ x < A_size -
1: beqz c, END -
2: load t, A + x 1
3: load y, B + t 1
… … …
236. Background: Reorder buffer
• Key hardware data structure for
out-of-order and speculative execution
• Keeps track of “in-
fl
ight instructions”
• Example:
69
Entry Instruction Control Dep.
0: c ⟵ x <
A_size
-
1: beqz c, END -
2: - -
3: - -
… … …
c ⟵ x < A_size
beqz c, END
L1: load t, A + x
load y, B + t
END:
Entry Instruction Control Dep.
0: c ⟵ 0 -
1: beqz c, END -
2: - -
3: - -
… … …
Rollback
mis-speculation
Entry Instruction Control Dep.
0: c ⟵ x <
A_size
-
1: beqz c, END -
2: load t, A + x 2
3: - -
… … …
Entry Instruction Control Dep.
0: c ⟵ x <
A_size
-
1: beqz c, END -
2: load t, A + x 2
3: load y, B + t 2
… … …
Entry Instruction Control Dep.
0: c ⟵ 0 -
1: beqz c, END -
2: load t, A + x 1
3: load y, B + t 1
… … …
237. Background: Reorder buffer
• Key hardware data structure for
out-of-order and speculative execution
• Keeps track of “in-
fl
ight instructions”
• Example:
70
Entry Instruction Control Dep.
0: c ⟵ x <
A_size
-
1: beqz c, END -
2: - -
3: - -
… … …
c ⟵ x < A_size
beqz c, END
L1: load t, A + x
load y, B + t
END:
Entry Instruction Control Dep.
0: beqz c, END -
1: - -
2: - -
3: - -
… … …
Retire
Entry Instruction Control Dep.
0: c ⟵ x <
A_size
-
1: beqz c, END -
2: load t, A + x 2
3: - -
… … …
Entry Instruction Control Dep.
0: c ⟵ x <
A_size
-
1: beqz c, END -
2: load t, A + x 2
3: load y, B + t 2
… … …
Entry Instruction Control Dep.
0: c ⟵ 0 -
1: beqz c, END -
2: - -
3: - -
… … …
239. if (x < A_size)
y = B[A[x]]
Speculative execution + branch prediction
72
Size of array A
240. if (x < A_size)
y = B[A[x]]
Speculative execution + branch prediction
72
Size of array A
241. if (x < A_size)
y = B[A[x]]
Speculative execution + branch prediction
72
Size of array A
Branch predictor
242. if (x < A_size)
y = B[A[x]]
Speculative execution + branch prediction
72
Size of array A
Branch predictor
Prediction based on branch
history & program structure
243. if (x < A_size)
y = B[A[x]]
Speculative execution + branch prediction
72
Size of array A
Branch predictor
Prediction based on branch
history & program structure
244. if (x < A_size)
y = B[A[x]]
Speculative execution + branch prediction
72
Size of array A
Branch predictor
Prediction based on branch
history & program structure
Wrong predicton? Rollback changes!
Architectural (ISA) state
Microarchitectural state
249. Spectre V1
void f(int x)
if (x < A_size)
y = B[A[x]]
73
What is in A[128]?
A_size=16
B[0]B[1] ...
B
250. Spectre V1
void f(int x)
if (x < A_size)
y = B[A[x]]
What is in A[128]?
1) Train branch predicto
r
74
A_size=16
B[0]B[1] ...
B
251. Spectre V1
void f(int x)
if (x < A_size)
y = B[A[x]]
What is in A[128]?
1) Train branch predicto
r
2) Prepare cache
74
A_size=16
B[0]B[1] ...
B
252. Spectre V1
void f(int x)
if (x < A_size)
y = B[A[x]]
What is in A[128]?
1) Train branch predicto
r
2) Prepare cache
3) Run with x = 128
74
A_size=16
B[0]B[1] ...
B
253. Spectre V1
void f(int x)
if (x < A_size)
y = B[A[x]]
What is in A[128]?
1) Train branch predicto
r
2) Prepare cache
3) Run with x = 128
74
B[A[128]]
A_size=16
B[0]B[1] ...
B B[A[128]]
254. B[A[128]]
]
Spectre V1
void f(int x)
if (x < A_size)
y = B[A[x]]
What is in A[128]?
1) Train branch predicto
r
2) Prepare cache
3) Run with x = 128
74
B[A[128]]
A_size=16
B[0]B[1] ...
B B[A[128]]
255. B[A[128]]
]
Depends on
A[128]
Spectre V1
void f(int x)
if (x < A_size)
y = B[A[x]]
What is in A[128]?
1) Train branch predicto
r
2) Prepare cache
3) Run with x = 128
74
B[A[128]]
A_size=16
B[0]B[1] ...
B B[A[128]]
259. Secure programming — foundations
75
Program is non-interferent wrt contract and policy
if for all arch. states , : if then
p π
σ σ′

σ ≈π σ′

(p, σ) = (p, σ′

)
260. Secure programming — foundations
75
Program is non-interferent wrt contract and policy
if for all arch. states , : if then
p π
σ σ′

σ ≈π σ′

(p, σ) = (p, σ′

)
Specify secret data
261. Secure programming — foundations
75
Program is non-interferent wrt contract and policy
if for all arch. states , : if then
p π
σ σ′

σ ≈π σ′

(p, σ) = (p, σ′

)
Specify secret data
262. Secure programming — foundations
75
Program is non-interferent wrt contract and policy
if for all arch. states , : if then
p π
σ σ′

σ ≈π σ′

(p, σ) = (p, σ′

)
Specify secret data
263. Secure programming — foundations
75
Program is non-interferent wrt contract and policy
if for all arch. states , : if then
p π
σ σ′

σ ≈π σ′

(p, σ) = (p, σ′

)
If is non-interferent wrt contract and policy , and
hardware satis
fi
es , then
is non-interferent wrt hardware and policy
p π
p π
Specify secret data
264. Secure programming — foundations
75
Program is non-interferent wrt contract and policy
if for all arch. states , : if then
p π
σ σ′

σ ≈π σ′

(p, σ) = (p, σ′

)
If is non-interferent wrt contract and policy , and
hardware satis
fi
es , then
is non-interferent wrt hardware and policy
p π
p π
Specify secret data
265. Secure programming — foundations
75
Program is non-interferent wrt contract and policy
if for all arch. states , : if then
p π
σ σ′

σ ≈π σ′

(p, σ) = (p, σ′

)
If is non-interferent wrt contract and policy , and
hardware satis
fi
es , then
is non-interferent wrt hardware and policy
p π
p π
Specify secret data
266. Secure programming — foundations
75
Program is non-interferent wrt contract and policy
if for all arch. states , : if then
p π
σ σ′

σ ≈π σ′

(p, σ) = (p, σ′

)
If is non-interferent wrt contract and policy , and
hardware satis
fi
es , then
is non-interferent wrt hardware and policy
p π
p π
Specify secret data
269. Constant-time
76
Traditional CT wrt policy non-interference wrt seq-ct and
π ≡ π
Control-
fl
ow and memory accesses
do not depend on secrets
270. Constant-time
76
Traditional CT wrt policy non-interference wrt seq-ct and
π ≡ π
General CT wrt and non-interference wrt and
π ≡ π
Control-
fl
ow and memory accesses
do not depend on secrets
273. Sandboxing
77
Traditional SB wrt policy non-interference wrt seq-arch and
π ≡ π
Programs never access high
memory locations (out-of-sandbox)
274. Sandboxing
77
Traditional SB wrt policy non-interference wrt seq-arch and
π ≡ π
General SB wrt and
Traditional SB wrt + non-interference wrt and
π ≡
π π
Programs never access high
memory locations (out-of-sandbox)
275. Constant-time Sandboxing
Checking secure programming
78
[[⋅]]seq
ct
[[⋅]]seq
arch
[[⋅]]spec
ct
Traditional CT
.. + NI wrt [[⋅]]seq
arch
.. + speculative NI
[Guarnieri et al., S&P’20]
Traditional SB
Traditional SB
.. + weak spec. NI
276. Constant-time Sandboxing
Checking secure programming
78
[[⋅]]seq
ct
[[⋅]]seq
arch
[[⋅]]spec
ct
Traditional CT
.. + NI wrt [[⋅]]seq
arch
.. + speculative NI
[Guarnieri et al., S&P’20]
Traditional SB
Traditional SB
.. + weak spec. NI