Hide and Seek with Spectres: Efficient discovery of speculative information leaks with random testing
Oleksii Oleksenko, Marco Guarnieri, Boris Köpf, Mark Silberstein

TL;DR
This paper identifies the performance bottlenecks of existing tools for testing black-box CPUs for speculative execution leaks and proposes techniques that remove them, making the testing fast enough for in-depth campaigns and leading to the discovery of two previously unknown leakage classes, affecting string comparison and division.
Contribution
The authors identify performance bottlenecks in existing testing tools and propose methods that increase testing speed by up to 100 times, facilitating deeper and more effective leak detection campaigns.
Findings
Discovered two new types of speculative leaks affecting string comparison and division
Achieved up to two orders of magnitude increase in testing speed
Enabled a testing campaign of unprecedented depth on commercial Intel and AMD CPUs
Abstract
Attacks like Spectre abuse speculative execution, one of the key performance optimizations of modern CPUs. Recently, several testing tools have emerged to automatically detect speculative leaks in commercial (black-box) CPUs. However, the testing process is still slow, which has hindered in-depth testing campaigns, and so far prevented the discovery of new classes of leakage. In this paper, we identify the root causes of the performance limitations in existing approaches, and propose techniques to overcome these limitations. With these techniques, we improve the testing speed over the state-of-the-art by up to two orders of magnitude. These improvements enable us to run a testing campaign of unprecedented depth on Intel and AMD CPUs. As a highlight, we discover two types of previously unknown speculative leaks (affecting string comparison and division) that have escaped previous…
Taxonomy
Topics: Security and Verification in Computing · Advanced Malware Detection Techniques · Adversarial Robustness in Machine Learning
