Jan 12, 2018

Speculose: Analyzing the Security Implications of Speculative Execution in CPUs

arXiv:1801.04084v1
24 citations
AI Analysis

This work addresses a critical security problem for CPU designers and operating system developers by exposing vulnerabilities in a long-standing performance optimization, with broad implications for system security.

The paper tackles the security risks of speculative execution in CPUs, revealing that speculatively executed code leaves measurable side effects that enable adversaries to enumerate memory pages and read arbitrary memory. Its demonstrations show that kernel-level ASLR in Linux can be broken in under three seconds and that Windows 10 KASLR entropy can be reduced by 18 bits in less than a second.

Whenever modern CPUs encounter a conditional branch for which the condition cannot be evaluated yet, they predict the likely branch target and speculatively execute code. Such pipelining is key to optimizing runtime performance and has been incorporated in CPUs for more than 15 years. In this paper, to the best of our knowledge, we are the first to study the inner workings and the security implications of such speculative execution. We revisit the assumption that speculatively executed code leaves no traces in case it is not committed. We reveal several measurable side effects that allow adversaries to enumerate mapped memory pages and to read arbitrary memory, all using only speculated code that was never fully executed. To demonstrate the practicality of such attacks, we show how a user-space adversary can probe for kernel pages to reliably break kernel-level ASLR in Linux in under three seconds and reduce the Windows 10 KASLR entropy by 18 bits in less than a second.
