Speculator: A tool to analyze speculative execution attacks and mitigations

Abstract

Speculative execution attacks exploit vulnerabilities at a CPU’s microarchitectural level, which, until recently, remained hidden below the instruction set architecture, largely undocumented by CPU vendors. New speculative execution attacks are released on a monthly basis, showing how aspects of the so-far unexplored microarchitectural attack surface can be exploited. In this paper, we introduce, Speculator, a new tool to investigate these new microarchitectural attacks and their mitigations, which aims to be the GDB of speculative execution. Using speculative execution markers, set of instructions that we found are observable through performance counters during CPU speculation, Speculator can study microarchitectural behavior of single snippets of code, or more complex attacker and victim scenarios (e.g. Branch Target Injection (BTI) attacks). We also present our findings on multiple CPU platforms showing the precision and the flexibility offered by Speculator and its templates.