Survey of Transient Execution Attacks
-
-
Abstract
Transient execution attacks (TEAs) exploit processor optimizations to bypass security checks and exfiltrate sensitive information through covert channels. Among them, Meltdown and Spectre attacks have become prominent, affecting mainstream commercial processors such as Intel, ARM, and AMD. Despite the defensive measures implemented by processor manufacturers, variants of these attacks continue to be discovered and disclosed by researchers. To improve the understanding of TEAs and deploy robust defenses, this paper comprehensively analyzes TEAs under various covert channels. Initially, the common characteristics of TEAs are extracted, and a novel model for TEAs is systematically constructed. Subsequently, we summarize the various types of covert channels involved in existing research, classify the TEAs into three types: Meltdown type attacks driven by out-of-order execution (OoOE), Spectre type attacks driven by branch misprediction, and microarchitecture data sampling (MDS) type attacks driven by data misprediction, and delineate the key aspects and relationships of each type of attack. Notably, this paper systematically compiles and categorizes MDS type attacks for the first time. Then, the capabilities of each attack variant were meticulously analyzed and evaluated from three dimensions: covert channel, attack applicable scenarios, and microarchitecture immunity status, which aids security researchers in developing new, more destructive attack types based on the deficiencies of the existing attack-related research. Finally, combined with the above-mentioned comprehensive and in-depth analysis and summary of processor microarchitecture and covert channels, this paper anticipates the future trajectory of TEAs research, hoping to provide strong support for subsequent research work.
-
-