### SERBERUS: Protecting Cryptographic Code from Spectres at Compile-Time

Nicholas Mosier, Hamed Nemati, John Mitchell, Caroline Trippel

May 22, 2024 45th IEEE Symposium on Security and Privacy





# Security-critical code, like crypto code, is written to avoid leaking secrets sequentially

Constant-time (CT) programming defense: Avoid passing secrets to the unsafe operands of transmitters

control-flow memory access variable-time ops

if (unsafe) y = A[unsafe] z = unsafe/unsafe

... in every sequential execution of the program.

What about transient execution?



```
<LOAD32_LE>:
  mov eax
  ret
```

### Spectre Attacks on Constant-Time Crypto Code

SERBERUS: first defense against
Spectre attacks, involving any
combination of these speculation
primitives, that is readily deployable
on existing hardware.



# Comprehensive Spectre defenses face multiple challenges

#### Hardware speculation:

- I. Unconstrained control-flow
- 4. Unconstrained data-flow (see paper)

#### Legal constant-time code patterns:

- 5. No explicit requirement of static security types (see paper)
- 2. Passing secret arguments by value

#### **Root-causing Spectre leakage:**

3. Existing techniques inapplicable to constant-time

### Challenge #1: Unconstrained speculative control-flow renders comprehensive software defenses against Spectre impractical



### Challenge #1: Unconstrained speculative control-flow renders comprehensive software defenses against Spectre impractical



### Challenge #1: Unconstrained speculative control-flow renders comprehensive software defenses against Spectre impractical



**Solution #I**: Use Intel ISA extensions to constrain speculative control-flow



jump to **endbranch** instructions

## **Solution #I**: Use Intel ISA extensions to constrain speculative control-flow



jump to **endbranch** instructions

## **Solution #1**: Use Intel ISA extensions to constrain speculative control-flow

RRSBA Disable speculation control

Constrain speculative control-flow with **Intel Control-Flow** Enforcement Technology (CET), which provides speculative **CFI** on recent microarchitectures: Alder Lake-N, Arizona Beach <crypto\_core\_salsa>: call <LOAD32\_LE> <L0AD32\_LE>: endbranch mov eax, [rdi] ret mov [rsp+0x48], eax <leak>: endbranch call <...> mov eax, [rdi + rax] Intel CET's Indirect Branch Tracking Intel CET's Shadow Stack returns can only

return to callsites

#### **Solution** #1: Use Intel ISA extensions to constrain speculative control-flow





Intel CET's Indirect Branch Tracking



Intel CET's Shadow Stack



RRSBA Disable speculation control

returns can only return to callsites

#### **Solution** #1: Use Intel ISA extensions to constrain speculative control-flow





Intel CET's Indirect Branch Tracking



Intel CET's Shadow Stack



RRSBA Disable speculation control

Not Spectre defenses! Just happens to provide useful restrictions on some µarches

## **Solution #I**: Use Intel ISA extensions to constrain speculative control-flow

RRSBA Disable speculation control

Constrain speculative control-flow with **Intel Control-Flow** Enforcement Technology (CET), which provides speculative **CFI** on recent microarchitectures: Alder Lake-N, Arizona Beach <crypto\_core\_salsa>: call <LOAD32\_LE> <LOAD32 LE>: endbranch mov eax, [rdi] ret mov [rsp+0x48], eax <leak>: endbranch call <...> mov eax, [rdi + rax] Intel CET's Indirect Branch Tracking Intel CET's Shadow Stack still have transient leakage, but it's much easier to reason about

### Lightweight Speculation Constraints



# Challenge #2: Passing secrets by value is unsafe in the Spectre era



# Challenge #2: Passing secrets by value is unsafe in the Spectre era



# Challenge #2: Passing secrets by value is unsafe in the Spectre era



# **Solution #2:** Static Constant-Time Programming, a strengthening of traditional constant-time

#### **SERBERUS' Solution:**

**static constant-time** (CTS) programming extends constant-time with:



static security types of variables (see paper)



pass secret arguments by reference, not value

### Solution #2: Static Constant-Time Programming



pass secret arguments by reference, not value





### Solution #2: Static Constant-Time Programming



pass secret arguments by reference, not value



## Challenge #3: Existing defenses do not capture the root cause of Spectre leakage in CT/CTS code

Prior work studies transient access instructions [Yu+ MICRO'19], which load secrets into registers.



Not applicable to (static) constant-time programs, which sequentially access secrets

#### **Solution #3:** Taint Primitives

We propose the concept of **taint primitives**, instructions that cause a **publicly-typed register** to **transiently hold a secret**, i.e., a security type violation.

Taint primitives are **necessary** to transiently leak secrets in static constant-time programs.

### Taint Primitives in CTS Programs



as public argument which leaks

## SERBERUS: a comprehensive Spectre defense for static constant-time code



### SERBERUS: a comprehensive Spectre defense for static constant-time code



## SERBERUS: a comprehensive Spectre defense for static constant-time code



**assigns distinct physical stacks to each function** to eliminate taint
primitives due to stack sharing

zeroes out registers that m secrets on call/return to elin interprocedural taint primit inserts a minimal number of speculation fences to eliminate taint primitives not handled by other passes

# SERBERUS: a comprehensive Spectre defense for static constant-time code



programmer transparent: SERBERUS

does not need to know secrecy labels

implemented for **LLVM** 

#### SERBERUS' Function-Private Stacks Pass

Stack sharing is the root cause of STKL: a publicly-typed

load may read a stale secret from prior procedure's stack frame.



uninitialized stack load

```
int x = 0;

y = A[\underline{x}];
```

```
foo() {
    x = secret;
    ...
}
SP →
```

#### SERBERUS' Function-Private Stacks Pass



**Stack sharing is the root cause of** STKL: a publicly-typed load may read a stale secret from prior procedure's stack frame.



**Solution**: allocate a **private stack** to each procedure.

#### SERBERUS' Register Cleaning Pass



#### SERBERUS' Register Cleaning Pass



```
cloAD32_LE>:
    endbranch
    mov ecx, [rdi]
    mov [rsi], ecx
    mov ecx, 0

ret

ret

cleak_ecx>:
    endbranch
    call <...>
    mov eax, [rdi + rcx]
```



#### SERBERUS' Fence Insertion Pass

non-constant-address load/store

- Frames speculation fence (LFENCE) insertion as a *minimum* directed multicut problem over the transient control-flow graph
- Sources are loads or stores that may access secrets
- Sinks are dependent transmitters



Mitigated Procedure

#### SERBERUS' Performance



#### **Evaluated Mitigations**

| mitigation            | PHT | втв      | RSB      | STL      | PSF      |
|-----------------------|-----|----------|----------|----------|----------|
| insecure baseline     |     |          |          |          |          |
| Ifence+retpoline+ssbd | ✓   | <b>√</b> |          | <b>√</b> | ✓        |
| slh+retpoline+ssbd    | ~   | <b>√</b> |          | <b>√</b> | <b>√</b> |
| SERBERUS (this paper) | ✓   | <b>√</b> | <b>√</b> | <b>√</b> | <b>√</b> |

**SERBERUS outperforms state-of-the-art mitigations** in the crypto primitives we evaluate while offering **stronger security guarantees**.

### Comparison to Prior Work

**Legend** 

disable speculation

secure speculation

| deployable<br>mitigations<br>targeting CT | PHT<br>conditional<br>branch pred | BTB indirect branch pred | RSB<br>return<br>prediction | STL<br>store-to-load<br>fwding pred | PSF predictive store fwding |
|-------------------------------------------|-----------------------------------|--------------------------|-----------------------------|-------------------------------------|-----------------------------|
| Intel LFENCE                              | X                                 |                          |                             |                                     |                             |
| UltimateSLH<br>[Zhang+ USENIX'23]         | •                                 |                          |                             |                                     |                             |
| Blade<br>[Vassena+ POPL'21]               | •                                 |                          |                             |                                     |                             |
| seISLH<br>[Shivakumar+ S&P'23]            | •                                 |                          |                             |                                     |                             |
| Misspec. types<br>[Shivakumar+ S&P'23]    | •                                 |                          |                             |                                     |                             |
| retpoline                                 |                                   | <b>⊗</b>                 |                             |                                     |                             |
| IPRED_DIS                                 |                                   | ×                        |                             |                                     |                             |
| SSBD                                      |                                   |                          |                             | X                                   | <b>⟨</b> X                  |
| PSFD                                      |                                   |                          |                             |                                     | <b>⟨</b> X                  |
| Securest SOTA                             |                                   | X                        |                             | X                                   | <b>⟨</b> X                  |
| SERBERUS<br>[Mosier+ S&P'24]              |                                   |                          |                             |                                     | ×                           |

### Extras in the Paper

- We introduce "Abstract Speculative Processor" (ASP), an operational semantics modeling transient execution on a speculative, out-of-order processor
- We formalize CTS programming for ASP programs
- We formally define taint primitives and prove the existence of the four classes of taint primitives in CTS programs on ASP
- We formalize SERBERUS' three passes as transformations on ASP programs
- We prove the correctness and security guarantees of SERBERUS' passes on ASP

### **Takeaways**

- SERBERUS is the first comprehensive, deployable defense for protecting constant-time code against Spectre leakage.
- SERBERUS outperforms state-of-the-art defenses despite offering stronger security guarantees.
- Proof of SERBERUS' security guarantees: see paper
- Working on upstreaming into LLVM

Interested in learning more on how Serberus works?

→ Read our paper!

Interested in protecting your code with Serberus?

→ Contact us!

GitHub: <a href="https://github.com/nmosier/serberus">https://github.com/nmosier/serberus</a>

email: nmosier@stanford.edu