Cats vs. Spectre: An Axiomatic Approach to Modeling Speculative Execution Attacks
Hernán Ponce-de-León, Johannes Kinder

TL;DR
This paper introduces a lightweight, axiomatic modeling approach for speculative execution attacks like Spectre, enabling rapid extension and validation of defenses using a formal memory model framework.
Contribution
It proposes an axiomatic, CAT-based memory model for speculative semantics, improving extensibility and efficiency over existing operational approaches.
Findings
Framework effectively detects known speculative attacks
Models can be quickly extended to new attack types
Evaluation shows competitive performance with state-of-the-art tools
Abstract
The Spectre family of speculative execution attacks have required a rethinking of formal methods for security. Approaches based on operational speculative semantics have made initial inroads towards finding vulnerable code and validating defenses. However, with each new attack grows the amount of microarchitectural detail that has to be integrated into the underlying semantics. We propose an alternative, light-weight and axiomatic approach to specifying speculative semantics that relies on insights from memory models for concurrency. We use the CAT modeling language for memory consistency to specify execution models that capture speculative control flow, store-to-load forwarding, predictive store forwarding, and memory ordering machine clears. We present a bounded model checking framework parametrized by our speculative CAT models and evaluate its implementation against the state of the…
Taxonomy
Topics: Security and Verification in Computing · Distributed systems and fault tolerance · Software System Performance and Reliability
