Breaking and Fixing Speculative Load Hardening



The Spectre attack is a powerful transient-execution attack that breaks traditional security guarantees such as bounds checks. We revisit the Spectre v1 attack and its mitigation, Speculative Load Hardening (SLH). SLH is an LLVM extension that prevents a memory load from completing until the branch preceding it has been resolved. We demonstrate that SLH is not sufficient to prevent the Spectre v1 attack, and we show for the first time that variable-time instructions leak secrets even when they are executed speculatively. Further, we extend SLH to Ultimate SLH (USLH). We analyze the performance cost of USLH and show that USLH performs better than inserting an LFENCE after every branch while providing an equivalent security guarantee.

Paper: https://eprint.iacr.org/2022/715
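To make the abstract's two points concrete, here is an added C example (not code from the paper or from LLVM's SLH pass): a Spectre v1 gadget, the same read with an SLH-style mask on the load index, and a guarded division whose operands are masked the way USLH extends hardening to variable-time instructions. The mask has the same shape as the Linux kernel's generic array_index_mask_nospec(); public_buf, read_slh and divide_guarded are constructed names for this illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample input: a small public array; anything past it is
 * treated as "secret" memory the caller must never observe. */
#define PUBLIC_LEN 8
static const uint8_t public_buf[PUBLIC_LEN] = {1, 2, 3, 4, 5, 6, 7, 8};

/* Classic Spectre v1 gadget: the bounds check is a branch the core may
 * predict "taken", so buf[idx] can execute transiently for idx >= len. */
uint8_t read_unhardened(const uint8_t *buf, size_t len, size_t idx)
{
    if (idx < len)
        return buf[idx];
    return 0;
}

/* Branchless "predicate state": all ones when idx < len, zero otherwise.
 * Computed as data (or, subtract, arithmetic shift), so a mispredicted
 * branch does not change it. Production code (LLVM's pass, the kernel's
 * x86 asm version) keeps the optimizer from folding the mask away. */
uintptr_t in_bounds_mask(size_t idx, size_t len)
{
    return (uintptr_t)(~(intptr_t)(idx | (len - 1 - idx)) >> (sizeof(intptr_t) * 8 - 1));
}

/* SLH idea: the load address is ANDed with the predicate state, so on a
 * mispredicted path the index collapses to 0 and only public data is read. */
uint8_t read_slh(const uint8_t *buf, size_t len, size_t idx)
{
    if (idx < len)
        return buf[idx & in_bounds_mask(idx, len)];
    return 0;
}

/* The abstract's second point: a secret already in a register needs no load,
 * so a variable-time instruction (here a division) on the mispredicted path
 * is outside what load hardening covers. The USLH-style fix masks the
 * operands with the same predicate state before the instruction runs. */
uint64_t divide_guarded(uint64_t secret, uint64_t divisor, size_t idx, size_t len)
{
    if (idx < len) {
        uintptr_t m = in_bounds_mask(idx, len);
        /* when m == 0 both operands become constants: 0 / 1 */
        return (secret & m) / ((divisor & m) | (~m & 1));
    }
    return 0;
}
```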


Presentation slides



Zhiyuan Zhang

Master's Student
University of Adelaide



He is pursuing a Master of Philosophy at the University of Adelaide, supervised by Yuval Yarom and Chitchanok Chuengsatiansup. His research interests are hardware security, computer architecture and operating systems. He is also interested in crypto, although he knows very little about it ;)