Triosecuris: Formally Verified Protection Against Speculative Control-Flow Hijacking

TL;DR

Triosecuris is a formally verified hardware-software combined defense mechanism against speculative execution attacks like Spectre, providing strong security guarantees for arbitrary programs.

Contribution

It introduces a novel transformation combining CET-style control-flow integrity with speculative load hardening, with formal security proofs.

Findings

Formal proof that Triosecuris limits speculation leaks to source program leaks.

Applicable to arbitrary programs, regardless of cryptographic constant-time discipline.

Achieves relative security through a machine-checked formalization.

Abstract

This paper introduces Triosecuris, a formally verified defense against Spectre BTB, RSB, and PHT that combines CET-style hardware-assisted control-flow integrity with compiler-inserted speculative load hardening (SLH). Triosecuris is based on the novel observation that in the presence of CET-style protection, we can precisely detect BTB misspeculation for indirect calls and RSB misspeculation for returns and set the SLH misspeculation flag. We formalize Triosecuris as a transformation in Rocq and provide a machine-checked proof that it achieves relative security: any transformed program running with speculation leaks no more than what the source program leaks without speculation. This strong security guarantee applies to arbitrary programs, even those not following the cryptographic constant-time programming discipline.