List of Relevant Papers and Docs
-
Branch Predictor Invalidation
-
Spectre V2: the work we will focus on is related to Variant 2, but since Variant 1 is a bit easier to understand, it can also be worth reading. There's a Google Project Zero blog post describing the reverse engineering, which is also more or less repeated (although a bit more condensed) in the Spectre paper. The particular attack that most closely relates to this work is the KVM attack. As you will find, however, there is not much detail regarding "training", i.e., injecting a branch target that causes a misprediction: https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
-
Meltdown: https://spectreattack.com/meltdown.pdf
-
Flush+Reload is a cache attack that is often used in Spectre attacks to read data that has been leaked. Remember that speculatively executed code is rolled back, so its results can only be observed through a side channel such as the cache: https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-yarom.pdf
-
Prime+Probe and Evict+Time: whereas Flush+Reload requires shared memory between the attacker and victim, Prime+Probe only requires that the CPU caches are shared. This works as an alternative method of leaking data with Spectre: https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.481.2053&rep=rep1&type=pdf
-
Blindside: https://comsec.ethz.ch/wp-content/files/blindside_ccs20.pdf
-
A Systematic Evaluation of Transient Execution Attacks and Defenses: https://arxiv.org/pdf/1811.05441.pdf
-
Systematization Papers (SoK) on "Transient Execution Attacks": https://www.cc0x1f.net/publications/transient_sytematization.pdf
-
About RSB Exploitation: https://www.usenix.org/system/files/conference/woot18/woot18-paper-koruyeh.pdf