Speculative Execution of Code
Reading in the book Python for Everyone within a small section called Bugs in Silicon I read: “In 2018, security researchers found flaws that are present in nearly every computer chip manufactured in the previous twenty years. These chips exploit an optimization called ‘speculative execution’– computing results ahead of time and discarding those that are not needed.” An adversary can make the program read data speculatively. Think of this article as study notes prior to completion.
What is speculative execution?
Speculative execution is an optimisation technique where a computer system performs some task that may not be needed. Work is done before it is known whether it is actually needed, so as to prevent a delay that would have to be incurred by doing the work after it is known that it is needed.
We can consider three varieties.
- Eager execution is a form of speculative execution where both sides of the conditional branch are executed; however, the results are committed only if the predicate is true. With unlimited resources, eager execution (also known as oracle execution) would in theory provide the same performance as perfect branch prediction. With limited resources eager execution should be employed carefully since the number of resources needed grows exponentially with each level of branch executed eagerly.
- Predictive execution is a form of speculative execution where some outcome is predicted and execution proceeds along the predicted path until the actual result is known. If the prediction is true, the predicted execution is allowed to commit, however if there is a misprediction, execution has to be unrolled and re-executed. Common forms of this include branch predictions, and memory dependence prediction. A generalized form is sometimes referred to as value prediction.
- Lazy execution does not involve speculation. The incorporation of speculative execution into implementations of the Haskell programming language is a current research topic. Eager Haskell is designed around the idea of speculative execution. A 2003 PhD thesis made GHC support a kind of speculative execution with an abortion mechanism to back out in case of a bad choice called optimistic execution. It was deemed too complicated.
Starting in 2017 a series of security vulnerabilities were found in the implementations of speculative execution on common processor architectures which effectively enabled an elevation of privileges.
Spectres in the Machine
Spectre is a vulnerability that affects modern microprocessors that perform branch prediction. On most processors, the speculative execution resulting from a branch misprediction may leave observable side effects that may reveal private data to attackers. For example, if the pattern of memory accesses performed by such speculative execution depends on private data, the resulting state of the data cache constitutes a side channel through which an attacker may be able to extract information about the private data using a timing attack timing attack.
A timing attack is a side-channel attack in which the attacker attempts to compromise a cryptosystem by analyzing the time taken to execute cryptographic algorithms. Every logical operation in a computer takes time to execute, and the time can differ based on the input; with precise measurements of the time for each operation, an attacker can work backwards to the input.
Meltdown is a hardware vulnerability affecting Intel x86 microprocessors, IBM Power Processors, and some ARM-based microprocessors. It allows a rogue process to read all memory, even when it is not authorised to do so.
Spoiler is a security vulnerability on modern computer central processing units (CPUs) that use speculative execution. It exploits side-effects of speculative execution to improve the efficiency of Rowhammer and other related memory and cache attacks. According to reports, all modern Intel Core CPUs are vulnerable to the attack as of 2019. AMD has stated that its processors are not vulnerable.
Foreshadow (known as the less appealing name L1 Terminal Fault (L1TF) by Intel) is a vulnerability that affects modern microprocessors that was first discovered by two independent teams of researchers in January 2018, but was first disclosed to the public on 14 August 2018. The vulnerability is a speculative execution attack on Intel processors that may result in the disclosure of sensitive information stored in personal computers and third-party clouds.
Microarchitectural Data Sampling
The Microarchitectural Data Sampling (MDS) vulnerabilities are a set of weaknesses in Intel x86 microprocessors that leak data across protection boundaries that are architecturally supposed to be secure. The attacks exploiting the vulnerabilities have been labeled Fallout, RIDL (Rogue In-Flight Data Load) and ZombieLoad.
There are likely more. Which I have not covered, but this is what I get from a preliminary search and through Wikipedia. Of course this is only surface information.
This is day 91 of #500daysofAI. My current focus for day 50–100 is on AI Safety. If you enjoy this please give me a response as I do want to improve my writing or discover new research, companies and projects.