# Verification of Spectre Mitigations using Hypersimulations

Jonathan Baumann August 09, 2023





















cache A.size A[i] B[x \* 256] Hardware Mitigations

- Hardware Mitigations
  - $\implies$  costly, can only protect future hardware

- Hardware Mitigations
- Software mitigations

- Hardware Mitigations
- Software mitigations
  - Program Analysis and Repair

- Hardware Mitigations
- Software mitigations
  - Program Analysis and Repair
    - oo7: taint tracking

- Hardware Mitigations
- Software mitigations
  - Program Analysis and Repair
    - oo7: taint tracking
    - SPECTECTOR: symbolic execution

- Hardware Mitigations
- Software mitigations
  - Program Analysis and Repair
  - Compiler Countermeasures

- Hardware Mitigations
- Software mitigations
  - Program Analysis and Repair
  - Compiler Countermeasures
    - Intel: Fence instructions after branches

- Hardware Mitigations
- Software mitigations
  - Program Analysis and Repair
  - Compiler Countermeasures
    - Intel: Fence instructions after branches
    - Speculative Load Hardening: additional data dependencies

- Hardware Mitigations
- Software mitigations
  - Program Analysis and Repair
  - Compiler Countermeasures
    - Intel: Fence instructions after branches
    - · Speculative Load Hardening: additional data dependencies
    - MSVC: Fence instructions, pattern-based

• Method of verifying compiler-based spectre mitigations

- Method of verifying compiler-based spectre mitigations
  - applicable to a variety of leakage models

- Method of verifying compiler-based spectre mitigations
  - applicable to a variety of leakage models
  - capable of verifying more mitigations

- Method of verifying compiler-based spectre mitigations
  - applicable to a variety of leakage models
  - capable of verifying more mitigations
- Verify Intel's mitigation for three leakage models

- Method of verifying compiler-based spectre mitigations
  - applicable to a variety of leakage models
  - capable of verifying more mitigations
- Verify Intel's mitigation for three leakage models
- Incompatibility between speculative load hardening and always-mispredict semantics

- Method of verifying compiler-based spectre mitigations
  - applicable to a variety of leakage models
  - capable of verifying more mitigations
- Verify Intel's mitigation for three leakage models
- Incompatibility between speculative load hardening and always-mispredict semantics
- Design and verify a mitigation that could not be verified previously

- Method of verifying compiler-based spectre mitigations
  - applicable to a variety of leakage models
  - capable of verifying more mitigations
- Verify Intel's mitigation for three leakage models
- Incompatibility between speculative load hardening and always-mispredict semantics
- $\cdot$  Design and verify a mitigation that could not be verified previously
- All work formalized in the Coq Proof Assistant

### Verifying Spectre Mitigations: Speculative Noninterference [Guarnieri et al., 2018]

Noninterference

Same public inputs  $\implies$  Same observations



Language without Language with speculative execution

Language without Language with speculative execution

• Without speculation, speculative noninterference is always satisfied

Language without Language with speculative execution

- Without speculation, speculative noninterference is always satisfied
- Speculative noninterference should be preserved

Language without Language with speculative execution

- Without speculation, speculative noninterference is always satisfied
- Speculative noninterference should be preserved
- Approximate using speculative safety

• Speculative safety only defined for constant-time leakage model

- Speculative safety only defined for constant-time leakage model
  - $\cdot$  not applicable to other leakage models

- Speculative safety only defined for constant-time leakage model
  - not applicable to other leakage models
- Speculatively noninterferent code may not be speculatively safe:

- Speculative safety only defined for constant-time leakage model
  - not applicable to other leakage models
- Speculatively noninterferent code may not be speculatively safe:

read [1] x; if  $x \ge 0$  then read [x] y else read [x] y end; write [1] y
# Patrignani and Guarnieri [2021]: Verifying Mitigations Using Speculative Safety

- Speculative safety only defined for constant-time leakage model
  - not applicable to other leakage models
- Speculatively noninterferent code may not be speculatively safe:

read [1] x; if  $x \ge 0$  then read [x] y else read [x] y end; write [1] y

• not all mitigations can be verified

# Patrignani and Guarnieri [2021]: Verifying Mitigations Using Speculative Safety

- Speculative safety only defined for constant-time leakage model
  - not applicable to other leakage models
- Speculatively noninterferent code may not be speculatively safe:

read [1] x; if  $x \ge 0$  then read [x] y else read [x] y end; write [1] y

- not all mitigations can be verified
- $\cdot$  Our approach does not have these limitations





#### Speculative Noninterference

Same observations under nonspeculative execution Same observations under speculative execution



#### Speculative Noninterference

Same observations under nonspeculative execution = of source program Same observations under speculative execution of mitigated program

#### Speculative Noninterference



#### Speculative Noninterference

Same observations under nonspeculative execution of source program Same observations under speculative execution of mitigated program

#### Speculative Noninterference

# Source Leakage Equivalence

#### Speculative Noninterference

Leakage equivalence under nonspeculative execution of source program Leakage Equivalence under speculative execution of mitigated program













# Preservation of Hyperproperties: Hyper-Simulations [Rosemann, 2023]



 $\cdot$  Traces are infinite

- $\cdot\,$  Traces are infinite
- Hypersimulation handles finite prefixes

- $\cdot\,$  Traces are infinite
- Hypersimulation handles finite prefixes
- $\implies$  Define leakage equivalence with respect to trace prefixes

- $\cdot\,$  Traces are infinite
- Hypersimulation handles finite prefixes
- $\implies$  Define leakage equivalence with respect to trace prefixes

- $\cdot\,$  Traces are infinite
- Hypersimulation handles finite prefixes
- $\implies$  Define leakage equivalence with respect to trace prefixes

**Leakage Equivalence** Traces  $t_1$  and  $t_2$  are leakage equivalent iff • for all finite prefixes  $p_1$  and  $p_2$ 

- $\cdot\,$  Traces are infinite
- Hypersimulation handles finite prefixes
- $\implies$  Define leakage equivalence with respect to trace prefixes

- for all finite prefixes  $p_1$  and  $p_2$
- when computing the leakages  $\ell(p_1)$  and  $\ell(p_2)$

- Traces are infinite
- Hypersimulation handles finite prefixes
- $\implies$  Define leakage equivalence with respect to trace prefixes

- for all finite prefixes  $p_1$  and  $p_2$
- when computing the leakages  $\ell(p_1)$  and  $\ell(p_2)$
- $\ell(p_1)$  is a prefix of  $\ell(p_2)$  or vice versa

- Traces are infinite
- Hypersimulation handles finite prefixes
- $\implies$  Define leakage equivalence with respect to trace prefixes

- for all finite prefixes  $p_1$  and  $p_2$
- when computing the leakages  $\ell(p_1)$  and  $\ell(p_2)$
- $\ell(p_1)$  is a prefix of  $\ell(p_2)$  or vice versa
- we can extend the prefixes such that the leakages are equal

- Traces are infinite
- Hypersimulation handles finite prefixes
- $\implies$  Define leakage equivalence with respect to trace prefixes

- for all finite prefixes  $p_1$  and  $p_2$
- $\cdot$  when computing the leakages  $\ell(p_1)$  and  $\ell(p_2)$

$$p_1 \leq^+_{\ell i} p_2$$

- $\ell(p_1)$  is a prefix of  $\ell(p_2)$  or vice versa
- $\cdot$  we can extend the prefixes such that the leakages are equal

• Find simulation relation





• Pick source and target relations





- Pick source and target relations
  - typically: trace prefixes should have the *exact same* leakage





- Find simulation relation
- Pick source and target relations
  - typically: trace prefixes should have the *exact same* leakage
- $\cdot\,$  Determine which source states should be related



- $\cdot$  Find simulation relation
- Pick source and target relations
  - typically: trace prefixes should have the *exact same* leakage
- $\cdot\,$  Determine which source states should be related
  - typically: synchronize on leakage-producing states



- $\cdot$  Find simulation relation
- Pick source and target relations
  - typically: trace prefixes should have the *exact same* leakage
- Determine which source states should be related
  - typically: synchronize on leakage-producing states
- Prove that source relation is satisfied after hyper-step



- $\cdot$  Find simulation relation
- Pick source and target relations
  - typically: trace prefixes should have the *exact same* leakage
- $\cdot\,$  Determine which source states should be related
  - typically: synchronize on leakage-producing states
- Prove that source relation is satisfied after hyper-step
  - follows directly from leakage equivalence



- Find simulation relation
- Pick source and target relations
  - typically: trace prefixes should have the *exact same* leakage
- $\cdot\,$  Determine which source states should be related
  - typically: synchronize on leakage-producing states
- Prove that source relation is satisfied after hyper-step
  - follows directly from leakage equivalence
- Prove that target relation is satisfied after hyper-step



- Find simulation relation
- Pick source and target relations
  - typically: trace prefixes should have the *exact same* leakage
- $\cdot$  Determine which source states should be related
  - typically: synchronize on leakage-producing states
- Prove that source relation is satisfied after hyper-step
  - follows directly from leakage equivalence
- Prove that target relation is satisfied after hyper-step
- Conclude that target traces are leakage equivalent

• From hypersimulation: target relation *always holds at some future point* 



- From hypersimulation: target relation *always holds at some future point*
- $\cdot \, \leq_{\ell i}^{+}$  must be satisfied at every point during execution



- From hypersimulation: target relation *always holds at some future point*
- $\cdot \leq_{\ell i}^{+}$  must be satisfied at every point during execution
- Leakage equivalence is a safety hyperproperty


# Proving Preservation of Leakage Equivalence

- From hypersimulation: target relation *always holds at some future point*
- $\cdot \leq_{\ell i}^+$  must be satisfied at every point during execution
- Leakage equivalence is a safety hyperproperty
  - $\cdot\, \leqslant^+_{\ell i}$  satisfied at some point
    - $\implies$  satisfied at all prior points



# Proving Preservation of Leakage Equivalence

- From hypersimulation: target relation *always holds at some future point*
- $\cdot \, \leq_{\ell i}^{+}$  must be satisfied at every point during execution
- Leakage equivalence is a safety hyperproperty
  - $\cdot \leq_{\ell i}^+$  satisfied at some point  $\implies$  satisfied at all prior points
- Target relation implies  $\leq_{\ell i}^{+}$

 $\implies \leqslant^+_{\ell i}$  must hold everywhere



 $Expr \ni e ::= n \qquad n \in \mathbb{N}$ | x x is a variable name | e\_1 + e\_2 | e\_1 - e\_2 | e\_1 × e\_2 | e\_1 < e\_2 | e\_1 = e\_2 | !e\_1  $\begin{aligned} Expr \ni e ::= n & n \in \mathbb{N} \\ & | x & x \text{ is a variable name} \\ & | e_1 + e_2 \mid e_1 - e_2 \mid e_1 \times e_2 \mid e_1 < e_2 \mid e_1 = e_2 \mid !e_1 \end{aligned}$ 

 $Stmt \ni s ::= skip \qquad | x := e \\ | fence \qquad | if e then p_1 else p_2 end \\ | read [e] x \qquad | while e do p_1 finally p_2 end \\ | write [e] x \end{aligned}$ 

• Note: we translate *while* to *if* 

- Note: we translate *while* to *if*
- Stack of states to allow rollback

- Note: we translate *while* to *if*
- Stack of states to allow rollback
- Speculation window determines how long to follow mispredicted paths

- Note: we translate *while* to *if*
- Stack of states to allow rollback
- Speculation window determines how long to follow mispredicted paths
- Always-Mispredict semantics [Guarnieri et al., 2018] captures all possible combinations of branch predictions

if x > 0 then if x < 10 then read [x] y else fence end else skip end

no-rollback(n)  $\llbracket b \rrbracket_{\mathcal{V}} = 0$ — AMIFFALSE  $\langle n \mid \mathcal{V} \mid \mathcal{H} \mid if b then p_1 else p_2 end; p \rangle :: S$  $\rightarrow_{sp} \langle wndw(n) | \mathcal{V} | \mathcal{H} | p_1 + p \rangle :: \langle decr(n) | \mathcal{V} | \mathcal{H} | p_2 + p \rangle :: S$ if x > 0then if x < 10 $\left\langle \perp \mid [x \mapsto -1] \mid [-1 \mapsto 42] \mid \qquad \begin{array}{c} \text{then read} [x] \ y \\ \text{else fence} \end{array} \right\rangle$ end else skip end

no-rollback(n)  $\llbracket b \rrbracket_{\mathcal{V}} = 0$ if x > 0— AMIFFALSE  $\langle n | \mathcal{V} | \mathcal{H} |$ **if** b **then**  $p_1$  **else**  $p_2$  **end**;  $p \rangle$  :: S then if x < 10 $\rightarrow_{sp} \langle wndw(n) | \mathcal{V} | \mathcal{H} | p_1 + p \rangle :: \langle decr(n) | \mathcal{V} | \mathcal{H} | p_2 + p \rangle :: S$ then read [x] y else fence end else skip end  $\left< 16 \mid [x \mapsto -1] \mid [-1 \mapsto 42] \mid \text{ then read } [x] y \\ \text{else fence end} \right>$  $\langle \perp | [x \mapsto -1] | [-1 \mapsto 42] | skip \rangle$ 

```
if x > 0
then if x < 10
    then read [x] y
    else fence
    end
else skip
end</pre>
```

 $\begin{array}{l} \langle 15 \mid [x \mapsto -1] \mid [-1 \mapsto 42] \mid \textit{read} [x] y \rangle \\ \\ \langle 15 \mid [x \mapsto -1] \mid [-1 \mapsto 42] \mid \textit{fence} \rangle \\ \\ \langle \perp \mid [x \mapsto -1] \mid [-1 \mapsto 42] \mid \textit{skip} \rangle \end{array}$ 

```
if x > 0
then if x < 10
    then read [x] y
    else fence
    end
else skip
end</pre>
```

 $\langle 14 \mid [x \mapsto -1, y \mapsto 42] \mid [-1 \mapsto 42] \mid [] \rangle$   $\langle 15 \mid [x \mapsto -1] \mid [-1 \mapsto 42] \mid fence \rangle$   $\langle \perp \mid [x \mapsto -1] \mid [-1 \mapsto 42] \mid skip \rangle$ 

if x > 0
then if x < 10
 then read [x] y
 else fence
 end
else skip
end</pre>

 $\langle 15 | [x \mapsto -1] | [-1 \mapsto 42] | fence \rangle$  $\langle \perp | [x \mapsto -1] | [-1 \mapsto 42] | skip \rangle$ 

if x > 0
then if x < 10
 then read [x] y
 else fence
 end
else skip
end</pre>

 $\langle \mathbf{0} \mid [\mathbf{x} \mapsto -1] \mid [-1 \mapsto 42] \mid [] \rangle$  $\langle \perp \mid [\mathbf{x} \mapsto -1] \mid [-1 \mapsto 42] \mid \mathbf{skip} \rangle$ 

if x > 0
then if x < 10
 then read [x] y
 else fence
 end
else skip
end</pre>

### $\langle \perp | [x \mapsto -1] | [-1 \mapsto 42] | skip \rangle$

if x > 0
then if x < 10
 then read [x] y
 else fence
 end
else skip
end</pre>

### $\langle \perp \mid [x \mapsto -1] \mid [-1 \mapsto 42] \mid [] \rangle$

Leakage models: functions from sequences of states to sequences of observations

Leakage models: functions from sequences of states to sequences of observations

 $\ell_{ct}$  control flow, memory accesses

Leakage models: functions from sequences of states to sequences of observations

 $\ell_{ct}$  control flow, memory accesses  $\ell_{lm}$  loop headers, memory accesses

Leakage models: functions from sequences of states to sequences of observations

 $\ell_{ct}$  control flow, memory accesses  $\ell_{lm}$  loop headers, memory accesses  $\ell_{mem}$  only memory accesses

# Verifying Intel's Mitigation

Mitigation proposed by Intel [Intel, 2018, 2021]: Insertion of Fence instructions after every branch Mitigation proposed by Intel [Intel, 2018, 2021]: Insertion of Fence instructions after every branch

 $(if b then p_1 else p_2 end; p)_{fence} = if b then fence; (p_1)_{fence}$   $else fence; (p_2)_{fence} end; (p)_{fence}$ (while b do p\_1 finally p\_2 end; p)\_{fence} = while b do fence; (p\_1)\_{fence}  $finally fence; (p_2)_{fence} end; (p)_{fence}$   $(s; p)_{fence} = s; (p)_{fence} otherwise$  $([])_{fence} = []$   $(\cdot)_{fence}$  is proven secure under

((·))<sub>fence</sub> is proven secure under

ℓ<sub>ct</sub> Constant-time leakage model
 (confirming result by Patrignani and Guarnieri [2021])

 $(\cdot)_{fence}$  is proven secure under

\$\ell\_{ct}\$ Constant-time leakage model

 (confirming result by Patrignani and Guarnieri [2021])

 \$\ell\_{lm}\$ Leakage model including loop headers, but not all control flow
 (new result)

 $(\cdot)_{fence}$  is proven secure under

- ℓ<sub>ct</sub> Constant-time leakage model
   (confirming result by Patrignani and Guarnieri [2021])
- $\ell_{\rm lm}\,$  Leakage model including loop headers, but not all control flow (new result)

Speculative Load Hardening [Carruth, 2018]: Protect memory access with artificial data dependencies

Protect memory access with artificial data dependencies

• Special register accumulates path conditions

- Special register accumulates path conditions
  - data dependency on branch conditions

- Special register accumulates path conditions
  - data dependency on branch conditions
  - detects speculative execution

- Special register accumulates path conditions
  - data dependency on branch conditions
  - detects speculative execution
- Memory accesses compute address using special register

- Special register accumulates path conditions
  - data dependency on branch conditions
  - detects speculative execution
- Memory accesses compute address using special register
  - original address during nonspeculative execution

- Special register accumulates path conditions
  - data dependency on branch conditions
  - detects speculative execution
- Memory accesses compute address using special register
  - original address during nonspeculative execution
  - known safe address during speculative execution

# Issues with Speculative Load Hardening



# Issues with Speculative Load Hardening


# Issues with Speculative Load Hardening





• In practice, data dependency should trigger rollback

- In practice, data dependency should trigger rollback
- Always-Mispredict semantics do not model this

- In practice, data dependency should trigger rollback
- Always-Mispredict semantics do not model this
- More accurate semantics with vendor guarantees needed

#### read [1] x; if $x \ge 0$ then read [x] y else read [x] y end; write [1] y

• At every branch, check the sequence of *read* and *write* instructions

- At every branch, check the sequence of *read* and *write* instructions
- Insert a *fence* instruction if the sequences are different

- At every branch, check the sequence of *read* and *write* instructions
- Insert a *fence* instruction if the sequences are different
- Insert a *fence* instruction in case of nested branches

- At every branch, check the sequence of *read* and *write* instructions
- Insert a *fence* instruction if the sequences are different
- Insert a *fence* instruction in case of nested branches
- ightarrow Proof-of-concept implementation has some additional restrictions

• Mitigated code may not be speculatively safe

- Mitigated code may not be speculatively safe
  - $\cdot$  not verifiable by previous approach

- Mitigated code may not be speculatively safe
  - $\cdot$  not verifiable by previous approach
- Verified under constant-time leakage model

- Mitigated code may not be speculatively safe
  - $\cdot$  not verifiable by previous approach
- Verified under constant-time leakage model
- Restrictions can be lifted with future work

- Mitigated code may not be speculatively safe
  - not verifiable by previous approach
- Verified under constant-time leakage model
- Restrictions can be lifted with future work
- $\implies$  reasonable mitigations that were not covered before

 $\cdot$  function calls

- $\cdot$  function calls
- linking against attacker-defined code

- $\cdot$  function calls
- linking against attacker-defined code

Other applications:

- $\cdot$  function calls
- linking against attacker-defined code

Other applications:

 $\cdot$  semantics closer to actual hardware

- $\cdot$  function calls
- linking against attacker-defined code

Other applications:

- semantics closer to actual hardware
- semantics for different spectre variations [Fabian et al., 2022]

- $\cdot$  function calls
- linking against attacker-defined code

Other applications:

- semantics closer to actual hardware
- semantics for different spectre variations [Fabian et al., 2022]
- more precise semantics based on hardware guarantees

• confirms prior work [Patrignani and Guarnieri, 2021]

- confirms prior work [Patrignani and Guarnieri, 2021]
- enables reasoning about more leakage models

- confirms prior work [Patrignani and Guarnieri, 2021]
- enables reasoning about more leakage models
  - control flow does not need to be included

- confirms prior work [Patrignani and Guarnieri, 2021]
- enables reasoning about more leakage models
  - control flow does not need to be included
- $\cdot$  verifies mitigations that could not be verified before

- confirms prior work [Patrignani and Guarnieri, 2021]
- enables reasoning about more leakage models
  - control flow does not need to be included
- verifies mitigations that could not be verified before
  - such mitigations are reasonable, not contrived examples

Gilles Barthe, Benjamin Grégoire, and Vincent Laporte. Secure compilation of side-channel countermeasures: The case of cryptographic "constant-time". In 31st IEEE Computer Security Foundations Symposium, CSF 2018, Oxford, United Kingdom, July 9-12, 2018, pages 328–343. IEEE Computer Society, 2018. doi: 10.1109/CSF.2018.00031. URL https://doi.org/10.1109/CSF.2018.00031.

Chandler Carruth. Speculative Load Hardening, 2018. URL https://llvm.org/docs/SpeculativeLoadHardening.html. Xaver Fabian, Marco Guarnieri, and Marco Patrignani. Automatic detection of speculative execution combinations. In Heng Yin, Angelos Stavrou, Cas Cremers, and Elaine Shi, editors, Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, CCS 2022, Los Angeles, CA, USA, November 7-11, 2022, pages 965–978. ACM, 2022. doi: 10.1145/3548606.3560555. URL https://doi.org/10.1145/3548606.3560555.

Marco Guarnieri, Boris Köpf, José F. Morales, Jan Reineke, and Andrés Sánchez. SPECTECTOR: principled detection of speculative information flows. *CoRR*, abs/1812.08639, 2018. URL *http://arxiv.org/abs/1812.08639*.

# References iii

Intel. Using Intel compilers to mitigate speculative execution side-channel issues, 2018. URL https://www.intel.com/content/www/us/en/developer/ articles/troubleshooting/ using-intel-compilers-to-mitigate-speculative-execution-side-ch html.

Intel. Intel C++ compiler classic developer guide and reference, 2021. URL
https://www.intel.com/content/www/us/en/develop/
documentation/cpp-compiler-developer-guide-and-reference/
top/compiler-reference/compiler-options/
code-generation-options/
mconditional-branch-qconditional-branch.html.

Marco Patrignani and Marco Guarnieri. Exorcising spectres with secure compilers. In Yongdae Kim, Jong Kim, Giovanni Vigna, and Elaine Shi, editors, *CCS '21: 2021 ACM SIGSAC Conference on Computer and Communications Security, Virtual Event, Republic of Korea, November 15 - 19, 2021*, pages 445–461. ACM, 2021. doi: 10.1145/3460120.3484534. URL

https://doi.org/10.1145/3460120.3484534.

Julian Rosemann. Private communications, not yet released. All relevant proofs are included in the Coq development, 2023.

 $\frac{1}{\langle \mathcal{V} \mid \mathcal{H} \mid skip; p \rangle \rightarrow_{ns} \langle \mathcal{V} \mid \mathcal{H} \mid p \rangle} S_{KIP} \qquad \frac{1}{\langle \mathcal{V} \mid \mathcal{H} \mid fence; p \rangle \rightarrow_{ns} \langle \mathcal{V} \mid \mathcal{H} \mid p \rangle}$ Fence  $\llbracket e \rrbracket_{\mathcal{V}} = V$  $\frac{\mathbb{E}[v] \ v \to v}{\langle \mathcal{V} \mid \mathcal{H} \mid x := e; p \rangle \to_{ns} \langle \mathcal{V}[x \mapsto v] \mid \mathcal{H} \mid p \rangle} \text{Assign}$  $\frac{\llbracket a \rrbracket_{\mathcal{V}} = a' \qquad \mathcal{H}(a') = v}{\langle \mathcal{V} \mid \mathcal{H} \mid \textbf{read} [a] x; p \rangle \rightarrow_{ns} \langle \mathcal{V}[x \mapsto v] \mid \mathcal{H} \mid p \rangle} \text{ Read}$  $\frac{\llbracket a \rrbracket_{\mathcal{V}} = a' \qquad \mathcal{V}(x) = v}{\langle \mathcal{V} \mid \mathcal{H} \mid write \; [a] \; x; p \rangle \rightarrow_{ns} \langle \mathcal{V} \mid \mathcal{H}[a' \mapsto v] \mid p \rangle} \text{ Write}$ 

#### Nonspeculative Semantics ii

$$\begin{split} & \llbracket b \rrbracket_{\mathcal{V}} \neq 0 \\ \hline & \overline{\langle \mathcal{V} \mid \mathcal{H} \mid \textit{if } b \textit{ then } p_1 \textit{ else } p_2 \textit{ end} ; p \rangle} \quad \text{IFTRUE} \\ & \underline{\llbracket b \rrbracket_{\mathcal{V}} = 0} \\ \hline & \overline{\langle \mathcal{V} \mid \mathcal{H} \mid \textit{if } b \textit{ then } p_1 \textit{ else } p_2 \textit{ end} ; p \rangle} \quad \text{IFFALSE} \end{split}$$

 $\langle \mathcal{V} \mid \mathcal{H} \mid while \ b \ do \ p_1 \ finally \ p_2 \ end; p \rangle$ 

 $\rightarrow_{ns} \langle \mathcal{V} \mid \mathcal{H} \mid if b then (p_1 + while b do p_1 finally p_2 end) else p_2 end; p \rangle$ 

$$\frac{1}{\langle \mathcal{V} \mid \mathcal{H} \mid [] \rangle \rightarrow_{\mathsf{ns}} \langle \mathcal{V} \mid \mathcal{H} \mid [] \rangle} \text{ Term}$$

WHILE

$$decr(n) := \begin{cases} \bot & \text{if } n = \bot \\ n-1 & \text{otherwise} \end{cases} \quad wndw(n) := \begin{cases} \omega & \text{if } n = \bot \\ n-1 & \text{otherwise} \end{cases}$$
$$no-rollback(n) := n > 0 \lor n = \bot \qquad zero-out(n) := \begin{cases} \bot & \text{if } n = \bot \\ 0 & \text{otherwise} \end{cases}$$
$$\frac{no-rollback(n)}{\langle n \mid \mathcal{V} \mid \mathcal{H} \mid skip; p \rangle :: S \to_{sp} \langle decr(n) \mid \mathcal{V} \mid \mathcal{H} \mid p \rangle :: S \end{cases} \quad \text{AMSKIP}$$

# Speculative Semantics ii

no-rollback(*n*)  $\langle n \mid \mathcal{V} \mid \mathcal{H} \mid \textbf{fence}; p \rangle :: S \rightarrow_{sp} \langle \text{zero-out}(n) \mid \mathcal{V} \mid \mathcal{H} \mid p \rangle :: S \overset{\text{AMFence}}{\longrightarrow}$ no-rollback(n)  $\llbracket e \rrbracket_{\mathcal{V}} = v$ AMASSIGN  $\langle n \mid \mathcal{V} \mid \mathcal{H} \mid x := e; p \rangle :: S \rightarrow_{sp} \langle \operatorname{decr}(n) \mid \mathcal{V}[x \mapsto v] \mid \mathcal{H} \mid p \rangle :: S$ no-rollback(n)  $\llbracket a \rrbracket_{\mathcal{V}} = a'$   $\mathcal{H}(a') = v$  $\overline{\langle n \mid \mathcal{V} \mid \mathcal{H} \mid \boldsymbol{read} \left[a\right] x; p\rangle :: S \rightarrow_{sp} \langle \operatorname{decr}(n) \mid \mathcal{V}[x \mapsto v] \mid \mathcal{H} \mid p\rangle :: S}$ AMREAD no-rollback(n)  $\llbracket a \rrbracket_{\mathcal{V}} = a'$   $\mathcal{V}(x) = v$ AMWRITE  $\overline{\langle n \mid \mathcal{V} \mid \mathcal{H} \mid write [a] x; p \rangle :: S \rightarrow_{sp} \langle decr(n) \mid \mathcal{V} \mid \mathcal{H}[a' \mapsto v] \mid p \rangle :: S}$
$\frac{\text{no-rollback}(n)}{\langle n \mid \mathcal{V} \mid \mathcal{H} \mid \textit{while e do } p_1 \textit{ finally } p_2 \textit{ end}; \rangle :: S }$  AMWHILE  $\rightarrow_{\text{sp}} \langle \text{decr}(n) \mid \mathcal{V} \mid \mathcal{H} \mid \textit{if e then } (p_1 \texttt{+}[\textit{while e do } p_1 \textit{ finally } p_2 \textit{ end}]) \textit{ else } p_2 \textit{ end}; p \rangle$  :: S

 $\frac{\text{no-rollback}(n) \quad [[b]]_{\mathcal{V}} \neq 0}{\langle n \mid \mathcal{V} \mid \mathcal{H} \mid if \ b \ then \ p_1 \ else \ p_2 \ end; p \rangle :: S} \quad \text{AMIFTRUE}}$   $\rightarrow_{\text{sp}} \langle \text{wndw}(n) \mid \mathcal{V} \mid \mathcal{H} \mid p_2 \ # p \rangle :: \langle \text{decr}(n) \mid \mathcal{V} \mid \mathcal{H} \mid p_1 \ # p \rangle :: S$ 

no-rollback(n)  $\llbracket b \rrbracket_{\mathcal{V}} = 0$  AMIFFALSE  $\langle n \mid \mathcal{V} \mid \mathcal{H} \mid if b then p_1 else p_2 end; p \rangle :: S$  $\rightarrow_{sp} \langle wndw(n) | \mathcal{V} | \mathcal{H} | p_1 + p \rangle :: \langle decr(n) | \mathcal{V} | \mathcal{H} | p_2 + p \rangle :: S$  $\frac{n \neq \bot \land n > 0}{\langle n \mid \mathcal{V} \mid \mathcal{H} \mid [] \rangle :: S \rightarrow_{sp} S} \text{ AMROLLBACKT}$  $\overline{\langle \mathbf{0} \mid \mathcal{V} \mid \mathcal{H} \mid p \rangle :: S \rightarrow_{\mathsf{SD}} S} \text{ AMRollback}$  $[] \rightarrow_{sd} []$  AMTerm'  $\overline{\langle \perp \mid \mathcal{V} \mid \mathcal{H} \mid [] \rangle :: S \rightarrow_{\mathsf{sp}} \langle \perp \mid \mathcal{V} \mid \mathcal{H} \mid [] \rangle :: S} \text{ AMTerm}$ 

Extend the semantics with taint tracking (Safe / Unsafe)

Extend the semantics with taint tracking (Safe / Unsafe)



Extend the semantics with taint tracking (Safe / Unsafe)



Speculative safety: All executions of a program only produce safe observations.

Extend the semantics with taint tracking (Safe / Unsafe)



Speculative safety: All executions of a program only produce safe observations.

Speculative safety implies speculative noninterference

• Taint tracking ignores implicit flows

- Taint tracking ignores implicit flows
  - $\cdot$  only correct when control flow is observable to the attacker

- Taint tracking ignores implicit flows
  - $\cdot$  only correct when control flow is observable to the attacker
- Speculatively noninterferent code may not be speculatively safe:

- Taint tracking ignores implicit flows
  - $\cdot$  only correct when control flow is observable to the attacker
- Speculatively noninterferent code may not be speculatively safe:

read [1] x; if  $x \ge 0$  then read [x] y else read [x] y end; write [1] y

- Taint tracking ignores implicit flows
  - $\cdot$  only correct when control flow is observable to the attacker
- Speculatively noninterferent code may not be speculatively safe:

read [1] x; if  $x \ge 0$  then read [x] y else read [x] y end; write [1] y

• Speculative reads may be tainted unsafe

- Taint tracking ignores implicit flows
  - $\cdot$  only correct when control flow is observable to the attacker
- Speculatively noninterferent code may not be speculatively safe:

read [1] x; if  $x \ge 0$  then read [x] y else read [x] y end; write [1] y

- Speculative reads may be tainted unsafe
- Speculatively noninterferent, as all the same read will be performed nonspeculatively

- Taint tracking ignores implicit flows
  - $\cdot$  only correct when control flow is observable to the attacker
- Speculatively noninterferent code may not be speculatively safe:

read [1] x; if  $x \ge 0$  then read [x] y else read [x] y end; write [1] y

- Speculative reads may be tainted unsafe
- Speculatively noninterferent, as all the same read will be performed nonspeculatively
- $\cdot\,$  Our approach does not have these limitations

• Assignments within the speculation window

- Assignments within the speculation window
- Manually inserted *fence* instructions within the speculation window

- Assignments within the speculation window
- Manually inserted *fence* instructions within the speculation window
- Branches shorter than the speculation window