Cats vs. Spectre: An Axiomatic Approach to Modeling Speculative Execution Attacks
arXiv - CS - Programming Languages. Pub Date: 2021-08-31. arXiv:2108.13818
Hernán Ponce-de-León, Johannes Kinder

The Spectre family of speculative execution attacks has required a rethinking of formal methods for security. Approaches based on operational speculative semantics have made initial inroads towards finding vulnerable code and validating defenses. However, with each new attack grows the amount of microarchitectural detail that has to be integrated into the underlying semantics. We propose an alternative, lightweight and axiomatic approach to specifying speculative semantics that relies on insights from memory models for concurrency. We use the CAT modeling language for memory consistency to specify execution models that capture speculative control flow, store-to-load forwarding, predictive store forwarding, and memory ordering machine clears. We present a bounded model checking framework parametrized by our speculative CAT models and evaluate its implementation against the state of the art. Due to the axiomatic approach, our models can be rapidly extended to allow our framework to detect new types of attacks and validate defenses against them.
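The abstract's central idea, a bounded checker whose notion of "allowed execution" is a pluggable set of axioms rather than a hand-written speculative machine, can be illustrated with a toy. The example below is added here and is neither the paper's CAT models nor its tool: it encodes a constructed Spectre-v1 gadget as events with a program-order and an address-dependency relation, defines two models as ordering axioms (one where loads never pass an unresolved branch, one where they may, but never pass a fence), and enumerates candidate orders looking for one that a model admits and that violates a simple leakage property. The leakage property, the `Event` encoding and the names (`IN_ORDER_MODEL`, `SPEC_MODEL`, `find_leak`) are my own assumptions for the illustration; real CAT models are stated as relational constraints (e.g. acyclicity of unions of relations) over a richer event set.

```python
# Added example, not from the paper: a toy axiomatic checker for speculative
# control flow. A "model" is a predicate over (program order, execution order);
# the checker is parametrized by the model and searches for a leaking execution.
from dataclasses import dataclass
from itertools import permutations
from typing import Callable, FrozenSet, List, Optional


@dataclass(frozen=True)
class Event:
    """One instruction instance. `deps` lists the events whose results feed
    this event's address (one edge of a CAT-style address-dependency relation)."""
    id: str
    kind: str                       # "branch", "load" or "fence"
    addr: Optional[str] = None      # symbolic address, documentation only
    deps: FrozenSet[str] = frozenset()


# Constructed Spectre-v1 (bounds-check bypass) gadget, in program order:
#   if (x < size) { y = array1[x]; z = array2[y * 512]; }
GADGET: List[Event] = [
    Event("B", "branch"),                                   # x < size
    Event("L1", "load", addr="array1[x]"),                  # may be out of bounds
    Event("L2", "load", addr="array2[y*512]", deps=frozenset({"L1"})),
]

# Same gadget with a serializing fence right after the branch (lfence-style).
GADGET_FENCED: List[Event] = [GADGET[0], Event("F", "fence")] + GADGET[1:]

Model = Callable[[List[Event], List[Event]], bool]


def ordering_axiom(barrier_kinds: FrozenSet[str]) -> Model:
    """Axiom: no event may be reordered across an event of a barrier kind.
    Treating the branch as a barrier yields an in-order (non-speculative)
    model; treating only fences as barriers lets loads run ahead of an
    unresolved branch, i.e. speculative control flow (assumed encoding)."""
    def axiom(prog, order):
        po = {e.id: i for i, e in enumerate(prog)}     # program order
        xo = {e.id: i for i, e in enumerate(order)}    # execution order
        for b in prog:
            if b.kind not in barrier_kinds:
                continue
            for e in prog:
                if (po[e.id] < po[b.id]) != (xo[e.id] < xo[b.id]):
                    return False
        return True
    return axiom


IN_ORDER_MODEL: Model = ordering_axiom(frozenset({"branch", "fence"}))
SPEC_MODEL: Model = ordering_axiom(frozenset({"fence"}))


def is_execution(prog, order, model) -> bool:
    """A candidate order is an execution of `prog` under `model` iff it
    respects address dependencies and satisfies the model's axioms."""
    xo = {e.id: i for i, e in enumerate(order)}
    for e in prog:
        if any(xo[d] >= xo[e.id] for d in e.deps):
            return False
    return model(prog, list(order))


def leaks(prog, order) -> bool:
    """Assumed leakage property: a load whose address depends on another load
    executes while both are unchecked, i.e. before a branch that precedes
    them in program order has resolved. Only ordering is tracked; the cache
    side effect Spectre observes is implied by the unchecked dependent load."""
    po = {e.id: i for i, e in enumerate(prog)}
    xo = {e.id: i for i, e in enumerate(order)}
    unchecked = {
        e.id for e in prog if e.kind == "load" and
        any(b.kind == "branch" and po[b.id] < po[e.id] and xo[e.id] < xo[b.id]
            for b in prog)
    }
    return any(e.id in unchecked and (e.deps & unchecked) for e in prog)


def find_leak(prog, model) -> Optional[List[str]]:
    """Bounded search: enumerate every candidate order and return the first
    model-consistent execution that violates the leakage property."""
    for order in permutations(prog):
        if is_execution(prog, order, model) and leaks(prog, order):
            return [e.id for e in order]
    return None


if __name__ == "__main__":
    print("in-order   :", find_leak(GADGET, IN_ORDER_MODEL))      # None
    print("speculative:", find_leak(GADGET, SPEC_MODEL))          # ['L1', 'L2', 'B']
    print("with fence :", find_leak(GADGET_FENCED, SPEC_MODEL))   # None
```

The point of the structure is that the gadget, the search and the leakage property never change; only the model does. Adding a new speculation mechanism means adding or relaxing an axiom, and validating a defense (here the fence) means re-running the same search under the same model with the mitigated program.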

Updated: 2021-09-01