Vocabulary flashcards summarizing the main terms, components, attacks, and defenses discussed in the lecture on transient execution attacks and related microarchitectural concepts.
Speculative Execution
Technique where the CPU predicts the path a program will take and executes instructions along it before the controlling branch is resolved.
Transient Execution
Short-lived speculative operations whose architectural effects are rolled back but microarchitectural effects remain.
Out-of-Order (OOO) Execution
Hardware reorders independent instructions to execute as soon as operands are ready, improving IPC.
Instruction Level Parallelism (ILP)
Parallel execution of independent instructions within a single thread.
Thread Level Parallelism (TLP)
Parallelism achieved by executing instructions from multiple threads.
Superscalar Processor
CPU that issues and completes multiple instructions per cycle using several execution units.
Reorder Buffer (ROB)
Structure that holds speculative results until instructions are ready to commit or be flushed.
Dynamic Branch Prediction
Runtime mechanism to predict branch outcomes using past behavior.
Pattern History Table (PHT)
Table of saturating counters recording taken/not-taken history of conditional branches.
Branch Target Buffer (BTB)
Cache that predicts the target address of (usually indirect) branches.
Return Stack Buffer (RSB)
Small hardware stack that predicts return addresses for function returns.
Meltdown
Transient execution attack that reads privileged kernel memory via delayed fault handling.
Kernel Page-Table Isolation (KPTI)
Software defense that unmaps kernel pages from user processes to block Meltdown.
Spectre
Class of attacks that trick victim code into speculatively accessing secrets and leaking them through microarchitectural state.
Spectre-PHT (Spectre v1 / Bounds Check Bypass)
Spectre variant exploiting mispredicted conditional branches in the PHT.
Spectre-BTB (Spectre v2 / Branch Target Injection)
Spectre variant that poisons the BTB to redirect indirect branches to attacker-chosen gadgets.
Spectre-STL (Spectre v4 / Speculative Store Bypass)
Variant where a load speculatively bypasses an older store, exposing stale secret data.
Spectre-RSB (Spectre v5 / ret2spec)
Attack that misuses the RSB so a ret instruction speculatively jumps to attacker-controlled code.
Retpoline
Software mitigation replacing indirect branches with controlled returns to trap speculation in a safe loop.
Retbleed
Attack that hijacks ret-instruction speculation when the RSB underflows, bypassing retpoline on some CPUs.
Indirect Branch Restricted Speculation (IBRS)
Intel microcode control preventing cross-domain BTB predictions; carries a high performance cost.
Single Thread Indirect Branch Predictors (STIBP)
Intel feature preventing SMT siblings from sharing branch predictor state.
Indirect Branch Predictor Barrier (IBPB)
Command that flushes branch predictor state on context switch.
Speculative Store Bypass Disable (SSBD)
Microcode control that blocks Spectre-STL by delaying loads until older stores resolve.
RSB Stuffing
Defense that fills the RSB with safe addresses to prevent malicious return speculation.
Prime+Probe
Cache side channel where the attacker primes cache sets with its own data, lets the victim run, then probes the sets to detect evictions.
Flush+Reload
High-resolution cache attack that flushes a shared line and reloads it to see if the victim accessed it.
CacheZoom
Attack on Intel SGX achieving full L1 trace by isolating cores and interrupting execution.
Covert Channel
Unintended communication path (e.g., cache, ports) used to exfiltrate data between isolation boundaries.
Port Contention
Side-channel where execution unit (port) conflicts reveal victim instruction types (e.g., PortSmash).
Samplers / Load-Fill Buffer (LFB)
Internal buffers that hold in-flight load data; leakage here underlies ZombieLoad.
Microarchitectural Data Sampling (MDS)
Family of attacks (Foreshadow, ZombieLoad, Fallout, RIDL) leaking in-flight data from internal buffers.
Foreshadow (L1TF)
MDS attack that reads data from L1 cache by matching physical addresses marked non-present.
ZombieLoad
MDS attack leaking stale data from Load-Fill Buffers across privilege boundaries.
Fallout
MDS variant leaking store buffer contents due to partial address matches.
RIDL
Research umbrella term for reading in-flight data from various CPU buffers.
Load Value Injection (LVI)
Reverse-Meltdown-style attack that injects bogus values into victim loads via SMT, causing the victim to transiently compute on attacker-chosen data.
Simultaneous Multithreading (SMT)
Technique allowing multiple hardware threads to issue instructions each cycle on one core.
Fine-grained Multithreading
Processor switches to another thread every cycle to hide stalls; used in GPUs.
Weird Machine
Unintended computational model created by exploiting undefined behavior or microarchitectural quirks.
Weird Register
Logical bit encoded as presence (1) or absence (0) of a cache line in a weird machine.
Weird Gate
Transient-execution gadget that processes weird registers to perform logical operations.
Vertical vs. Horizontal Waste
Issue slots lost when the whole pipeline waits on a stall (vertical waste) versus slots lost because execution units are underused in a cycle (horizontal waste).
Prime
Step in Prime+Probe where attacker fills selected cache sets with own data.
Probe
Step measuring reload times to detect which cache lines were evicted by victim.
Cache Line Granularity
Smallest unit of cache allocation (typically 64 B), and therefore the finest granularity observable by cache attacks.
TAgged GEometric (TAGE) Predictor
Modern branch predictor combining multiple history lengths with partial tags to reduce aliasing.
Branch Prediction Barrier (lfence / CSDB)
Serializing instruction that stops further speculative execution past the fence.
Store-to-Load Forwarding (STL)
Mechanism that forwards data from pending stores to dependent loads; can be mispredicted for Spectre attacks.