Cats vs. Spectre: An Axiomatic Approach to Modeling Speculative Execution Attacks
This work addresses the problem of efficiently modeling and detecting speculative execution vulnerabilities for security researchers and practitioners, offering a more flexible alternative to existing methods.
The authors tackled the challenge of modeling speculative execution attacks like Spectre by proposing a lightweight axiomatic approach using the CAT modeling language, which enabled rapid extension to detect new attack types and validate defenses.
The Spectre family of speculative execution attacks have required a rethinking of formal methods for security. Approaches based on operational speculative semantics have made initial inroads towards finding vulnerable code and validating defenses. However, with each new attack grows the amount of microarchitectural detail that has to be integrated into the underlying semantics. We propose an alternative, light-weight and axiomatic approach to specifying speculative semantics that relies on insights from memory models for concurrency. We use the CAT modeling language for memory consistency to specify execution models that capture speculative control flow, store-to-load forwarding, predictive store forwarding, and memory ordering machine clears. We present a bounded model checking framework parametrized by our speculative CAT models and evaluate its implementation against the state of the art. Due to the axiomatic approach, our models can be rapidly extended to allow our framework to detect new types of attacks and validate defenses against them.