SoK: Practical Foundations for Spectre Defenses
arXiv - CS - Programming Languages Pub Date : 2021-05-12 , DOI: arxiv-2105.05801
Sunjay Cauligi, Craig Disselkoen, Daniel Moghimi, Gilles Barthe, Deian Stefan

Spectre vulnerabilities violate our fundamental assumptions about architectural abstractions, allowing attackers to steal sensitive data despite previously state-of-the-art countermeasures. To defend against Spectre, developers of verification tools and compiler-based mitigations are forced to reason about microarchitectural details such as speculative execution. In order to aid developers with these attacks in a principled way, the research community has sought formal foundations for speculative execution upon which to rebuild provable security guarantees. This paper systematizes the community's current knowledge about software verification and mitigation for Spectre. We study state-of-the-art software defenses, both with and without associated formal models, and use a cohesive framework to compare the security properties each defense provides. We explore a wide variety of tradeoffs in the complexity of formal frameworks, the performance of defense tools, and the resulting security guarantees. As a result of our analysis, we suggest practical choices for developers of analysis and mitigation tools, and we identify several open problems in this area to guide future work on grounded software defenses.

Updated: 2021-05-13