SoK: Practical Foundations for Software Spectre Defenses

TL;DR

This paper reviews and compares current software defenses against Spectre vulnerabilities, emphasizing formal foundations, security guarantees, and practical tradeoffs to guide future mitigation strategies.

Contribution

It systematizes existing knowledge on Spectre defenses, analyzing formal models and practical tools to inform better security practices and identify open research challenges.

Findings

Comparison of formal and informal Spectre defenses

Tradeoffs between expressiveness and complexity in mitigation tools

Practical recommendations for developers and open problems identified

Abstract

Spectre vulnerabilities violate our fundamental assumptions about architectural abstractions, allowing attackers to steal sensitive data despite previously state-of-the-art countermeasures. To defend against Spectre, developers of verification tools and compiler-based mitigations are forced to reason about microarchitectural details such as speculative execution. In order to aid developers with these attacks in a principled way, the research community has sought formal foundations for speculative execution upon which to rebuild provable security guarantees. This paper systematizes the community's current knowledge about software verification and mitigation for Spectre. We study state-of-the-art software defenses, both with and without associated formal models, and use a cohesive framework to compare the security properties each defense provides. We explore a wide variety of tradeoffs in the expressiveness of formal frameworks, the complexity of defense tools, and the resulting security guarantees. As a result of our analysis, we suggest practical choices for developers of analysis and mitigation tools, and we identify several open problems in this area to guide future work on grounded software defenses.