Speculator: A Tool to Analyze Speculative Execution Attacks and Mitigations

Andrea Mambretti, Matthias Neugschwandtner, Alessandro Sorniotti, Engin Kirda, William Robertson, Anil Kurmus
In Proceedings of the Annual Computer Security Applications Conference (ACSAC)

side channels

Speculative execution attacks exploit vulnerabilities at a CPU’s microarchitectural level, which, until recently, remained hidden below the instruction set architecture, largely undocumented by CPU vendors. New speculative execution attacks are released on a monthly basis, showing how aspects of the so-far unexplored microarchitectural attack surface can be exploited. In this paper, we introduce Speculator, a new tool to investigate these new microarchitectural attacks and their mitigations, which aims to be the GDB of speculative execution. Using speculative execution markers, sets of instructions that we found are observable through performance counters during CPU speculation, Speculator can study microarchitectural behavior of single snippets of code, or more complex attacker and victim scenarios (e.g., Branch Target Injection (BTI) attacks). We also present our findings on multiple CPU platforms showing the precision and the flexibility offered by Speculator and its templates.