### SERBERUS: Protecting Cryptographic Code from Spectres at Compile Time

Nicholas Mosier, Hamed Nemati, John C. Mitchell, Caroline Trippel

October 30, 2025
Top Picks in Hardware and Embedded Security

Stanford University

<sup>2</sup> KTH Royal Institute of Technology

## Hardware side-channel attacks leak victim secrets to an attacker

#### transmitter

unsafe instruction whose execution exhibits operand-dependent resource usage



# Constant-time programming ensures secrets do not leak sequentially

Constant-time programming defense: Avoid passing secrets to the unsafe operands of transmitters

```
control-flow memory access variable-time ops
if (unsafe) y = A[unsafe] z = unsafe/unsafe
... in every sequential execution of the program.
```

What about transient execution?



```
<LOAD32_LE>:
  mov eax
  ret
```

### Spectre Attacks on Constant-Time Crypto Code



#### **SERBERUS**

the first software Spectre defense to secure constant-time programs featuring PHT/BTB/RSB/STL/PSF speculation on existing hardware (recent Intel E-cores)



#### Outline

- Overcoming fundamental challenges for compile-time Spectre defenses
  - I. Making transient control-flow analysis tractable
  - 2. Performantly securing code that passes secrets by value
  - 3. Root-causing Spectre leakage in constant-time code
- SERBERUS' design and evaluation
- SERBERUS' impact

### Challenge #1: Intractable to reason about unconstrained transient control-flow in software



### Challenge #1: Intractable to reason about unconstrained transient control-flow in software



## Challenge #1: Intractable to reason about unconstrained transient control-flow in software



## **Solution #I**: Use Intel ISA extensions to constrain transient control-flow



jump to **endbranch** instructions

## **Solution #1**: Use Intel ISA extensions to constrain transient control-flow



jump to **endbranch** instructions

### **Solution** #1: Use Intel ISA extensions to constrain transient control-flow



### **Solution** #1: Use Intel ISA extensions to constrain transient control-flow

RRSBA Disable speculation control



returns can only

return to callsites

## **Solution #I**: Use Intel ISA extensions to constrain transient control-flow



useful restrictions on some microarchitectures

RRSBA Disable speculation control

Intel CET's Shadow Stack

### **Solution** #1: Use Intel ISA extensions to constrain transient control-flow

Constrain transient control-flow with Intel Control-Flow Enforcement Technology (CET), which provides transient CFI on E-core microarchitectures (e.g., Gracemont, Crestmont) <crypto\_core\_salsa>: call <LOAD32\_LE> <LOAD32 LE>: endbranch mov <mark>eax</mark>, [rdi] ret mov [rsp+0x48], eax <leak>: endbranch call <...> mov eax, [rdi + rax] Intel CET's Indirect Branch Tracking Intel CET's Shadow Stack still have transient leakage, but it's much easier to reason about RRSBA Disable speculation control

# Challenge #2: Passing secrets by value is unsafe in the Spectre era



# Challenge #2: Passing secrets by value is unsafe in the Spectre era



# Challenge #2: Passing secrets by value is unsafe in the Spectre era



## **Solution #2:** Static Constant-Time Programming, a strengthening of traditional constant-time

#### **SERBERUS' Solution:**

**static constant-time** (CTS) programming extends constant-time with:



implicit public/secret typing of variables

(so that we can infer types at compile time without programmer annotations)



pass secret arguments by reference, not value (so that we can scrub all secrets from registers on call/return)

Note: crypto routines generally satsify CTS out-of-the-box

### Solution #2: Static Constant-Time Programming



pass secret arguments by reference, not value





### Solution #2: Static Constant-Time Programming



pass secret arguments by reference, not value



## Challenge #3: Existing defenses do not capture the root cause of Spectre leakage in CT/CTS code

Prior work attributes transient leakage to access instructions [Yu+ MICRO'19], which load secrets into registers.

Inapplicable to software defenses: speculation fences do not always block sequentially accessed secrets from transiently leaking.

### **Solution #3:** Taint Primitives

We propose the concept of **taint primitives**, instructions that cause a **publicly-typed register** to **transiently hold a secret**, i.e., a security type violation.

Taint primitives are **necessary** to transiently leak secrets in static constant-time programs.

## SERBERUS: a comprehensive Spectre defense for static constant-time code

#### implemented for **LLVM**



## SERBERUS: a comprehensive Spectre defense for static constant-time code

#### implemented for **LLVM**



### SERBERUS' Register Cleaning Pass

### SERBERUS' Register Cleaning Pass



### SERBERUS' Performance



#### **Evaluated Mitigations**

| mitigation            | PHT | втв      | RSB      | STL      | PSF      |
|-----------------------|-----|----------|----------|----------|----------|
| insecure baseline     |     |          |          |          |          |
| Ifence+retpoline+ssbd | ✓   | <b>√</b> |          | <b>√</b> | <b>√</b> |
| slh+retpoline+ssbd    | ~   | <b>√</b> |          | <b>√</b> | <b>√</b> |
| SERBERUS (this paper) | ✓   | <b>√</b> | <b>√</b> | <b>√</b> | <b>√</b> |

**SERBERUS outperforms state-of-the-art mitigations** in the crypto primitives we evaluate while offering **stronger security guarantees**.

## Comparison with Existing Software Defenses for Unannotated Constant-Time Code

Legend

disable speculation
secure speculation



### SERBERUS' Impact

- for users: offering the first way to securely run CTS crypto code on existing HW
- for vendors: prompting industry documentation of transient CFI semantics
- for developers: Spectre-aware programming guidelines
- for researchers: a new paradigm for identifying and eliminating transient leakage
- for architects: the first HW-SW codesign of its kind

# Impact for **users**: only way to securely run CTS crypto code on existing HW

Past Serberus Future

No prior defense prevents secrets from transiently leaking via PHT/BTB/RSB/STL/PSF on existing hardware.

- SERBERUS remains the only comprehensive defense for all CTS crypto code on existing Intel E-cores.
- SERBERUS' open-source LLVM fork secures any CTS code that LLVM can compile
- Widely cited as the new SOTA

- SERBERUS prompted Intel to signal that its "long-term direction" is to enforce transient CFI on all future hardware. 1
- SERBERUS will become more widely deployable over time.
- In progress: upstreaming
   Serberus into LLVM.

| deployable defenses<br>targeting CT | PHT conditional branch pred | BTB indirect branch pred | RSB<br>return<br>prediction | <b>STL</b><br>store-to-load<br>fwding pred | PSF<br>predictive<br>store fwding | Overhead (8KB benchmarks) |
|-------------------------------------|-----------------------------|--------------------------|-----------------------------|--------------------------------------------|-----------------------------------|---------------------------|
| Prior work                          |                             | X                        |                             | X                                          | X                                 | 14.1%                     |

## Impact for **vendors**: standardization of transient CFI semantics

Past Serberus Future

 No transient semantics for CFI on any major ISA/CPU

call

???

ENDBR

???

 Spurred Intel to publish the transient semantics of Intel CET on existing platforms



- To our knowledge, has spurred discussions about how to retrofit Arm for speculative CT programming
- Possible domino effect, leading to standardization for RISC-V too
- Future defenses may build on Intel's strong transient CFI semantics

Intel CETArmRISC-VPre-SERBERUSunknownunknownunknown

# Impact for **developers**: Spectre-aware programming guidelines



Traditional constant-time programming permits inherently dangerous programming patterns

y
ns

Static constant-time (CTS)
programming defines concrete,
easy-to-follow guidelines for crypto
programming in the Spectre era

Future adoption of CTS principles will reduce Spectre attack surface, even if no defense is enabled





 Many routines in widely used crypto libraries (OpenSSL, libsodium, HACL\*) already uphold CTS

# Impact for **researchers**: new way to identify and eliminate transient leakage of secrets



# Impact for **architects**: a new kind of HW-SW codesign

Past Serberus Future

While performant, prior HW-SW codesigns require **invasive HW modifications** to track what data may be secret.

- Heavy lifting in HW, not SW
- High HW complexity
- Unknown viability: not implemented in existing HW; no sign of adoption in future HW

SERBERUS shows how low-cost transient control-flow and data-flow restrictions in HW can enable efficient compile-time defenses in SW.

- Offloads heavy lifting from HW to SW
- Low HW complexity
- Viable: sufficient constraints implemented in some existing HW

Motivates architects to implement more low-cost restrictions in future HW to enable even more efficient SW defenses.

### **Takeaways**

- SERBERUS is the first comprehensive, deployable defense for protecting constant-time code against Spectre leakage on existing HW.
- SERBERUS has prompted industry to document transient CFI semantics.
- SERBERUS can be extended to...
  - handle new speculation primitives (e.g., SLS)
  - run on new microarchitectures (e.g., Intel P-cores or Arm)
  - complement other defenses (e.g., sandboxing defenses [Schmitz+AsiaCCS'25])
- SERBERUS provides...
  - crypto developers with new guidelines for hardening their code against Spectre.
  - researchers with a new technique for root-causing and eliminating Spectre leakage.
  - architects with low-cost hardware changes to enable performant software Spectre defenses.

GitHub: <a href="https://github.com/nmosier/serberus">https://github.com/nmosier/serberus</a>

Email: nmosier@stanford.edu