# SPECCFI: Mitigating Spectre Attacks using CFI Informed Speculation

**Authors:** Esmaeil Mohammadian Koruyeh, Shirin Haji Amin Shirazi, Khaled N. Khasawneh, Chengyu Song, Nael Abu-Ghazaleh

arXiv: 1906.01345 · 2019-12-06

## TL;DR

SPECCFI reuses Control-Flow Integrity (CFI) information, already exposed by hardware CFI extensions such as Intel CET and ARM BTI, to constrain speculative execution: an indirect branch may only speculate to a CFI-legal target, and a return may only speculate to the address held by a precise speculation-aware hardware stack. This blocks Spectre-BTB and Spectre-RSB at small performance and hardware cost.

## Contribution

This paper introduces SPECCFI, which applies CFI principles on the speculative path rather than only on the committed path. Forward edges (indirect calls and jumps) are constrained to the legal targets given by the pre-computed control-flow graph; backward edges (returns) are constrained by a precise, speculation-aware hardware stack. The design assumes the CFI information is available from commodity hardware CFI extensions, and is combined with existing Spectre-PHT defenses to cover all known non-vendor-specific Spectre variants.

## Key findings

- SPECCFI blocks Spectre-BTB (indirect call/jump target injection) and Spectre-RSB (return target injection), the variants the authors identify as most dangerous.
- Performance overhead and additional hardware complexity are both small, since the legal-target information comes from CFI extensions that commodity software and hardware are already adopting.
- SPECCFI does not address Spectre-PHT on its own; combined with existing Spectre-PHT defenses, it closes all known non-vendor-specific Spectre vulnerabilities.

## Abstract

Spectre attacks and their many subsequent variants are a new vulnerability class affecting modern CPUs. The attacks rely on the ability to misguide speculative execution, generally by exploiting the branch prediction structures, to execute a vulnerable code sequence speculatively. In this paper, we propose to use Control-Flow Integrity (CFI), a security technique used to stop control-flow hijacking attacks, on the committed path, to prevent speculative control-flow from being hijacked to launch the most dangerous variants of the Spectre attacks (Spectre-BTB and Spectre-RSB). Specifically, CFI attempts to constrain the possible targets of an indirect branch to a set of legal targets defined by a pre-calculated control-flow graph (CFG). As CFI is being adopted by commodity software (e.g., Windows and Android) and commodity hardware (e.g., Intel's CET and ARM's BTI), the CFI information becomes readily available through the hardware CFI extensions. With the CFI information, we apply CFI principles to also constrain illegal control-flow during speculative execution. Specifically, our proposed defense, SPECCFI, ensures that control flow instructions target legal destinations to constrain dangerous speculation on forward control-flow paths (indirect calls and branches). We augment this protection with a precise speculation-aware hardware stack to constrain speculation on backward control-flow edges (returns). We combine this solution with existing solutions against branch target predictor attacks (Spectre-PHT) to close all known non-vendor-specific Spectre vulnerabilities. We show that SPECCFI results in small overheads both in terms of performance and additional hardware complexity.
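The following is an added illustration of the idea the abstract describes, not the paper's hardware design or any code from the authors. It models a core whose branch target buffer (BTB) and return stack buffer (RSB) can be poisoned by an attacker, and shows the two checks in prose above as software: a BTB prediction is followed speculatively only if the predicted address carries a CFI landing-pad marker (assumed here to be the ENDBR/BTI-style marker at each CFG-legal indirect target), and an RSB prediction is followed only if it matches a precise shadow stack maintained alongside the core's own call/return stream. All addresses, the 4-entry RSB depth, the `pollute` helper and the `Core` interface are constructed for the example; how an attacker actually poisons the predictors (BTB aliasing across address spaces, RSB pollution via the attacker's own calls) is not modelled.

```python
"""Toy model of CFI-informed speculation (added example, not the paper's design).

Forward edges: an indirect branch speculates to its BTB prediction only if
that address is a CFI landing pad derived from the program's CFG (assumed).
Backward edges: a `ret` speculates to its RSB prediction only if it matches
a precise, speculation-aware shadow stack.
"""


class CircularRSB:
    """Fixed-depth return stack buffer. Older entries are overwritten and pops
    past the live entries hand back stale ones, as a hardware RSB does."""

    def __init__(self, depth):
        self.buf = [None] * depth
        self.top = 0

    def push(self, addr):
        self.buf[self.top % len(self.buf)] = addr
        self.top += 1

    def pop(self):
        self.top -= 1
        return self.buf[self.top % len(self.buf)]

    def pollute(self, addr):
        """Attacker-controlled contents (constructed stand-in for RSB pollution
        by the attacker's own calls; the mechanism itself is not modelled)."""
        self.buf = [addr] * len(self.buf)


class Core:
    def __init__(self, landing_pads, cfi_informed=True, rsb_depth=4):
        self.landing_pads = set(landing_pads)  # CFG-legal indirect targets (assumed)
        self.cfi_informed = cfi_informed       # False = unprotected baseline core
        self.btb = {}                          # branch pc -> last resolved target
        self.rsb = CircularRSB(rsb_depth)
        self.shadow = []                       # precise speculation-aware stack
        self.suppressed = 0                    # speculations refused by the checks

    def indirect_branch(self, pc, true_target):
        """Return the address speculatively executed for an indirect call/jmp
        at `pc` (None if speculation is suppressed), then resolve the branch."""
        predicted = self.btb.get(pc)
        speculated = None
        if predicted is not None:
            if self.cfi_informed and predicted not in self.landing_pads:
                self.suppressed += 1   # no CFI label at the target: do not speculate
            else:
                speculated = predicted
        self.btb[pc] = true_target         # branch resolves; predictor is retrained
        return speculated

    def call(self, return_addr):
        self.rsb.push(return_addr)
        self.shadow.append(return_addr)

    def ret(self):
        """Return the address speculatively executed for a `ret`, or None."""
        predicted = self.rsb.pop()
        expected = self.shadow.pop()
        if self.cfi_informed and predicted != expected:
            self.suppressed += 1       # RSB disagrees with the precise stack
            return None
        return predicted


def spectre_btb(cfi_informed, poisoned_target):
    """Attacker has trained the BTB entry for the victim's branch at 0x400 to
    `poisoned_target`; the victim's real target is the legal landing pad 0x1000."""
    core = Core(landing_pads={0x1000, 0x2000}, cfi_informed=cfi_informed)
    core.btb[0x400] = poisoned_target       # BTB poisoning (aliasing not modelled)
    return core.indirect_branch(pc=0x400, true_target=0x1000)


def spectre_rsb(cfi_informed):
    """Victim's RSB is overwritten with a gadget address before its `ret`
    executes; the true return site is 0x1010."""
    core = Core(landing_pads=set(), cfi_informed=cfi_informed, rsb_depth=4)
    core.call(0x1010)                       # victim: call f, return to 0x1010
    core.rsb.pollute(0x3333)                # attacker pollutes the RSB
    return core.ret()


if __name__ == "__main__":
    GADGET = 0x3333                         # attacker-chosen, unlabelled address
    print("BTB, baseline  :", spectre_btb(False, GADGET))   # speculates into gadget
    print("BTB, SPECCFI   :", spectre_btb(True, GADGET))    # None: suppressed
    print("BTB, legal pad :", spectre_btb(True, 0x2000))    # still speculates
    print("RSB, baseline  :", spectre_rsb(False))           # speculates into gadget
    print("RSB, SPECCFI   :", spectre_rsb(True))            # None: suppressed
```

The third BTB case is the caveat a practitioner should keep in mind: a poisoned prediction that points at a CFG-legal landing pad (0x2000 here) still passes the check, because the mechanism constrains speculation to the CFI policy's legal-target set rather than eliminating it. The residual attack surface is therefore the set of gadgets reachable through legal targets, which is why the precision of the underlying CFI policy matters for the guarantee.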

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1906.01345/full.md

## Figures

12 figures with captions in the complete paper: https://tomesphere.com/paper/1906.01345/full.md

## References

82 references — full list in the complete paper: https://tomesphere.com/paper/1906.01345/full.md

---
Source: https://tomesphere.com/paper/1906.01345