Spectre Vulnerability Simulation
In this post, I share some details on my extension to a simple simulation for the Spectre attack as part of the assignment for COSC 6385 course at the University of Houston.
How the Attack Works
Spectre attacks exploit the branch prediction system. They can influence it through one of the following two scenarios.
Mistraining the branch predictor. The attacker first runs apparently innocent code designed to train the predictor in a chosen direction. The attacker then executes a branch that will certainly be mispredicted, so that speculative execution jumps into a piece of code chosen by the attacker. This piece of code, also known as a gadget, can then leak the secret data.
Direct injection. When sub-parts of the branch prediction hardware are shared among different programs and one of them is an attacking program, the attacker can fill the shared predictor state with carefully chosen entries. When the victim runs its program, either at the same time as the attacker or afterward, it ends up using the predictor state left behind by the attacker and unwittingly starts running the gadget. In this scenario, the victim program is attacked by another program.
Demo
Environment Setup
- Oracle VirtualBox: Version 6.1.18 r142142 (Qt5.6.3)
- Ubuntu 16.04.07 LTS
- Kernel Version: 4.15.0-136-generic
I first cloned the repository and compiled the file spectre.c using the following command:
gcc spectre.c -o spectre
This produces the executable that demonstrates the Spectre attack. I then ran it with the following command:
./spectre
and obtained the following results.
(Figures: terminal output of ./spectre, with the recovered secret bytes circled.)
As circled in the above figures, the exploitation succeeded and the program was able to read the secret contents.
Note: I did not face any issues while compiling or running the demo.
How to Fix
Software
For software-level protection, we can use patches such as the LLVM patch, the MSVC patch, and the ARM speculation barrier header. Further, some mitigations were proposed by the paper that first disclosed Spectre to the public [1]:
(1) Inserting serializing instructions, which can help avoid indirect branch poisoning.
(2) Enabling strategies that prevent secret data from being read during speculative execution.
(3) For some processors whose indirect branch predictor falls back to the BTB, Intel uses microcode updates to disable this fallback mechanism and so prevent branch poisoning.
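As an added illustration of mitigations (1) and (2) above, and not code from the course repository or the Spectre paper, the following shows the Spectre variant 1 bounds-check pattern beside two hardened forms: a speculation barrier after the check, and branchless index masking in the style of the Linux kernel's array_index_nospec(). The array contents and the victim_* function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed demo data: a 16-byte public array; memory past its end stands in
 * for the secret the Spectre demo recovers and is never read by name here. */
#define PUBLIC_LEN 16
static const uint8_t public_data[PUBLIC_LEN] = {
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };

/* Mitigation (1): serializing instruction after the bounds check
 * (LFENCE on x86, CSDB on AArch64) so the CPU cannot speculate past it. */
static inline void speculation_barrier(void)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#elif defined(__aarch64__)
    __asm__ __volatile__("csdb" ::: "memory");
#else
    __asm__ __volatile__("" ::: "memory"); /* compiler barrier only elsewhere */
#endif
}

/* Mitigation (2), index masking as in Linux's array_index_nospec(): all ones
 * when index < size, zero otherwise, with no branch the predictor could skip. */
static inline unsigned long array_index_mask_nospec(unsigned long index, unsigned long size)
{
    return ~(long)(index | (size - 1UL - index)) >> (8 * sizeof(long) - 1);
}

/* Variant 1 victim pattern: architecturally correct, but the load can
 * execute speculatively before the comparison resolves. */
uint8_t victim_unsafe(size_t x)
{
    return x < PUBLIC_LEN ? public_data[x] : 0;
}
/* Hardened with a barrier: the load cannot issue until the check has retired. */
uint8_t victim_fenced(size_t x)
{
    if (x >= PUBLIC_LEN)
        return 0;
    speculation_barrier();
    return public_data[x];
}
/* Hardened with masking: any out-of-range x is forced to index 0, even on a
 * mispredicted path, so no memory beyond the array is ever touched. */
uint8_t victim_masked(size_t x)
{
    if (x >= PUBLIC_LEN)
        return 0;
    x &= array_index_mask_nospec(x, PUBLIC_LEN);
    return public_data[x];
}
```

All three functions return the same architectural result; the difference is only in what the CPU may do on a mispredicted path.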
Hardware
One proposed hardware-level fix is to track whether data was fetched as a result of speculative execution and, if it was, prevent it from being used by subsequent instructions, which could otherwise leak the information.
Note: The Meltdown attack simulation can be found in a separate post.
