Speculation at Fault: Modeling and Testing Microarchitectural Leakage of CPU Exceptions


Jana Hofmann, Azure Research, Microsoft; Emanuele Vannacci, Vrije Universiteit Amsterdam; Cédric Fournet, Boris Köpf, and Oleksii Oleksenko, Azure Research, Microsoft


Microarchitectural leakage models provide effective tools to prevent vulnerabilities such as Spectre and Meltdown via secure co-design: For software, they provide a foundation for secure compilation and verification; for hardware, they provide a target specification to test and verify against.

Unfortunately, existing leakage models are severely limited: None of them covers CPU exceptions, which are essential to implement security abstractions such as virtualization and memory protection, and which are the source of critical vulnerabilities such as Meltdown, MDS, and Foreshadow.

In this paper, we provide the first leakage models for CPU exceptions, together with new tools for testing black-box CPUs against them. We run extensive experiments and successively refine these models, until we precisely capture the leakage for a representative subset of exceptions on four different x86 microarchitectures.

In the process, we contradict, refine, and corroborate a large number of findings from prior work, and we uncover three novel transient leaks affecting stores to non-canonical addresses, stores to read-only memory, and divisions by zero.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {291225,
author = {Jana Hofmann and Emanuele Vannacci and Cedric Fournet and Boris Kopf and Oleksii Oleksenko},
title = {Speculation at Fault: Modeling and Testing Microarchitectural Leakage of {CPU} Exceptions},
booktitle = {32nd USENIX Security Symposium (USENIX Security 23)},
year = {2023},
isbn = {978-1-939133-37-3},
address = {Anaheim, CA},
pages = {7143--7160},
url = {https://www.usenix.org/conference/usenixsecurity23/presentation/hofmann},
publisher = {USENIX Association},
month = aug

Presentation Video