- The paper presents a formal approach using weakest precondition reasoning to unify the detection of Spectre-STL, Spectre-PSF, and Spectre-PHT vulnerabilities.
- It introduces modified wp rules with ghost instructions and memory fences to enforce data security across speculative and non-speculative states.
- The method is validated on multiple litmus tests, demonstrating its potential for automated tool integration in speculative execution vulnerability analysis.
This paper (2504.19128) introduces a formal approach using weakest precondition (wp) reasoning to detect speculative execution vulnerabilities, specifically focusing on data flow variants like Spectre-STL and Spectre-PSF. It builds upon an existing wp-based method for detecting control flow variants like Spectre-PHT, providing a unified framework for analyzing these distinct but related vulnerabilities.
The core of the approach is a weakest precondition transformer, denoted wps​, which operates over a pair of predicates ⟨Qs​,Q⟩. Qs​ represents the weakest precondition in a speculative context, and Q the weakest precondition in a non-speculative context. The security of a program is guaranteed if the initial state satisfies the derived non-speculative precondition Q.
The paper defines rules for wps​ over a simple assembly-like language including assignments, sequential composition, conditional statements, loops, and special instructions:
‘:Amemoryfenceinstructionthatterminatescurrentspeculativeexecution,effectivelyresettingthespeculativepreconditionQ_sto</code>true‘.</li><li><code>{e}`: A ghost instruction inserted before a potential leak gadget. This instruction introduces a proof obligation: the security level of the expression `e` must be the lowest possible (`⊥) in both speculative and non-speculative states. This obligation ensures that any leaked information is non-sensitive.
A pre-pass identifies potential micro-architectural leak gadgets (like loads used to index publicly observable memory) and inserts the e</code>instructionbeforethem,where<code>e</code>isthevaluebeingleaked(e.g.,theindexvalue).</p><p>Thelogictracksthesecuritylevelofdatausingexpressions\Gamma_vandsecuritypolicies(x)forvariables,formingasecuritylattice(L, \sqsubseteq).Proofobligationsrelatedtoinformationflowareintegratedintothewprules.Forexample,astore<code>x:=e</code>inthenon−speculativestaterequiresthatthesecuritylevelof<code>e</code>isnothigherthanthepolicyof<code>x</code>(\Gamma_E(e) \sqsubseteq (x)),andthatupdating<code>x</code>doesnotviolatesecuritypoliciesforothervariables.</p><p>Tohandlespeculativeexecutionpoints,specificallybranches(forSpectre−PHT)andstores(forSpectre−STL/PSF),proofobligationsfromthespeculativestateQ_saretransferredtothenon−speculativestateQ.Thismeansifavulnerablestateisreachablespeculativelyfromacertainpoint,thelogicrequiresthatthisvulnerablestateisnon−threatening<em>inthenon−speculativeinitialstateleadingtothatpoint</em>.</p><p><strong>Spectre−STLDetection:</strong></p><p>Spectre−STLexploitsthemispredictionthataloadisindependentofanearlierstore,leadingtotheloadusingastalevalue.Tomodelthis,thestandardwp_sruleforastore<code>x:=e</code>ismodified.Inadditiontothenormalrequirements,thespeculativepostconditionQ_s<em>before</em>thestoreisaddedasaconjunctto<em>both</em>thespeculativeandnon−speculativepreconditions<em>before</em>thestore.Thiscapturesthepossibilitythatthestoreiseffectivelybypassed(<code>Qs​</code>istransferred)whilespeculativeexecutioncontinues(<code>Qs​</code>ismaintained).Ghostvariablestrackingdefinedness(<code>defy</code>)andbasestatevariables(<code>y</code>)arehandledduringthistransfertocorrectlyrelatethespeculativeandnon−speculativecontexts.</p><p>ThemodifiedSpectre−STLstorerule<code>STL(x:=e,\lseq Q_s, Q\rseq)</code>is:!!!!0!!!!TheunderlinedpartsrepresenttheadditionforSpectre−STL,transferringthespeculativepostcondition(<code>Qs​</code>beforethestore)tothenon−speculativeandspeculativepreconditions(beforethestore).</p><p>ApplyingthisruletotheSpectre−STLlitmustest(Case4inAppendixA)involving<code>secretarray[r0]:=0</code>followedbyaload<code>r1:=secretarray[r0]</code>andaleakinstruction<code>{r1}`, the logic derives a non-speculative precondition requiring `Γsecretarray[idxcontent(array_size−1)]​=⊥`. This indicates a vulnerability if the value at the accessed index of `secretarray` is sensitive, as a bypassed store could lead to the original sensitive value being leaked. Inserting a fence after the store resetsQs​ totruebefore the store rule is applied, preventing the transfer of speculative obligations and resulting in a safe precondition (true`).
Spectre-PSF Detection:
Spectre-PSF relies on mispredicting that a load is dependent on an earlier store and speculatively forwarding the store's value, even if the addresses don't match. To model this, the Spectre-STL store rule is further extended. The speculative state can now be reached not just by bypassing the store, but also by speculatively forwarding the store's value (e) to any subset of variables ({y_1,...,y_m}) that appear in the speculative postcondition (Qs​ before the store).
The PSF(x := e, $\lseq Q_s, Q\rseq$) rule adds proof obligations for every subset of variables in the speculative postcondition, where those variables are replaced by the store value e. These obligations are added to both the speculative and non-speculative preconditions.
1
2
3
4
5
6
7
|
$PSF(x := e, \lseq Q_s, Q\rseq) =\
\t1 \lseq \M \underline{\forall \{y_1,...,y_m\}\subseteq vars(Q_s)\cdot}\
\t1 (Q_s \land Q_s[#1{x, \Gamma_x, def{x}{e, \Gamma_E(e), true})\underline{[#1{y_1,...,y_m}{e,...,e},\
Q[#1{x, \Gamma_x}{e, \Gamma_E(e)} \land \Gamma_E(e) \sqsubseteq (x) \land & (2)\
(\all y \cdot \Gamma_y \sqsubseteq (y)[#1{x}{e})\land\
\underline{\forall \{y_1,...,y_m\} \subseteq vars(Q_s) \cdot}\
\t1 Q_s[#1{var^, d_1, ..., d_n}{var, false, ..., false}\underline{[#1{y_1,...,y_m}{e,...,e}\,\rseq\O$ |
The underlined parts show the universal quantification over subsets of variables in
Qs​ and their substitution with the store value
e.
For the Spectre-PSF example (Section 3.2) where C[0] := 64 is followed by loads from C[r0] and A[r1*r0], and a final leak instruction based on the value from A, the logic analyzes the potential speculative forwarding of 64. For idx=1, if 64 is forwarded to the variable holding C[r0], the subsequent load becomes A[64*1], an out-of-bounds access. The derived non-speculative precondition includes ΓA[64∗r0]​=⊥, which is not provably true if A[64] is sensitive data, indicating the vulnerability.
Practical Implementation and Application:
The proposed logic provides a formal basis for building automated analysis tools.
- Language Abstraction: The assembly-like language is simple enough to represent typical vulnerable code patterns (gadgets). Real-world code would need to be translated to this intermediate representation.
- Gadget Detection: A pre-analysis phase is required to identify potential leak gadgets and insert
e</code>instructions.Thiscanbemechanizedbasedoncodepatternsaccessingpubliclyobservablememory(likecache−timingchannels).</li><li><strong>SecurityPolicy:</strong>Definingthesecuritypolicy((x))forvariablesiscrucialandrequiresprogrammerorsystemannotations.Thisdefineswhatinformationisconsideredsensitiveandwhereitisallowedtoreside.</li><li><strong>AutomatedReasoning:</strong>ThepapersuggeststhatautomatedweakestpreconditionanalyzerslikeBoogieorWhy3couldbeadaptedtoimplementthislogic.Thiswouldrequireencodingthewp_s$ rules and handling the security lattice and ghost variables within the prover's framework.
- Scalability: While wp-based methods can handle non-determinism better than pure model checking, handling the full speculative window and complex program structures remains a challenge. The current approach approximates the speculation window by allowing speculation to continue indefinitely.
- Combination of Attacks: The logic naturally handles combinations of Spectre variants by accumulating proof obligations from different sources of speculation (branches and stores). Case 9 in Appendix A and the example in Appendix B demonstrate this.
- Integration with Other Techniques: The framework is designed to integrate with rely/guarantee reasoning for concurrent programs and reordering interference freedom for weak memory models, offering a path towards analyzing more complex real-world scenarios.
The approach has been validated on a suite of 13 Spectre-STL litmus tests and a Spectre-PSF test, successfully identifying known vulnerabilities and confirming that mitigations like fences are effective according to the logic. The main practical challenge for widespread adoption is the development of automated tooling based on the formal rules.