Robert Brotzman,Danfeng Zhang,Mahmut Taylan Kandemir,Gang Tan

DOI: https://doi.org/10.1145/3485506

2021-10-20

Proceedings of the ACM on Programming Languages

Abstract:The high-profile Spectre attack and its variants have revealed that speculative execution may leave secret-dependent footprints in the cache, allowing an attacker to learn confidential data. However, existing static side-channel detectors either ignore speculative execution, leading to false negatives, or lack a precise cache model, leading to false positives. In this paper, somewhat surprisingly, we show that it is challenging to develop a speculation-aware static analysis with precise cache models: a combination of existing works does not necessarily catch all cache side channels. Motivated by this observation, we present a new semantic definition of security against cache-based side-channel attacks, called Speculative-Aware noninterference (SANI), which is applicable to a variety of attacks and cache models. We also develop SpecSafe to detect the violations of SANI. Unlike other speculation-aware symbolic executors, SpecSafe employs a novel program transformation so that SANI can be soundly checked by speculation-unaware side-channel detectors. SpecSafe is shown to be both scalable and accurate on a set of moderately sized benchmarks, including commonly used cryptography libraries.

Guanhua Wang,Sudipta Chattopadhyay,Ivan Gotovchits,Tulika Mitra,Abhik Roychoudhury

DOI: https://doi.org/10.48550/arXiv.1807.05843

2019-11-12

Abstract:The Spectre vulnerability in modern processors has been widely reported. The key insight in this vulnerability is that speculative execution in processors can be misused to access the secrets. Subsequently, even though the speculatively executed instructions are squashed, the secret may linger in micro-architectural states such as cache, and can potentially be accessed by an attacker via side channels. In this paper, we propose oo7, a static analysis approach that can mitigate Spectre attacks by detecting potentially vulnerable code snippets in program binaries and protecting them against the attack by patching them. Our key contribution is to balance the concerns of effectiveness, analysis time and run-time overheads. We employ control flow extraction, taint analysis, and address analysis to detect tainted conditional branches and speculative memory accesses. oo7 can detect all fifteen purpose-built Spectre-vulnerable code patterns, whereas Microsoft compiler with Spectre mitigation option can only detect two of them. We also report the results of a large-scale study on applying oo7 to over 500 program binaries (average binary size 261 KB) from different real-world projects. We protect programs against Spectre attack by selectively inserting fences only at vulnerable conditional branches to prevent speculative execution. Our approach is experimentally observed to incur around 5.9% performance overheads on SPECint benchmarks.

Cryptography and Security

Lutan Zhao,Peinan Li,Rui Hou,Michael C. Huang,Peng Liu,Lixin Zhang,Dan Meng

DOI: https://doi.org/10.1109/tc.2020.2997555

IF: 3.183

2021-07-01

IEEE Transactions on Computers

Abstract:Speculative execution side-channel vulnerabilities such as Spectre reveal that conventional architecture designs lack security consideration. This article proposes a software transparent defense framework, named as Conditional Speculation, against Spectre vulnerabilities found on traditional out-of-order microprocessors. It introduces the concept of security dependence to mark speculative memory instructions which could leak information with potential security risks. More specifically, security-dependent instructions are detected and marked with suspect speculation flags in the Issue Queue. All the instructions can be speculatively issued for execution in accordance with the classic out-of-order pipeline. For those instructions with suspect speculation flags, they are considered as safe instructions if their speculative execution dose not refill new cache lines with unauthorized privilege data. Otherwise, they are considered as unsafe instructions and thus not allowed to execute speculatively. To pursue a balance of performance and security, we investigate two filtering mechanisms, Cache-hit-based Hazard Filter and Trusted Page Buffer-based Hazard Filter to filter out false security hazards. As for true security hazards, we have two approaches to prevent them from changing cache states. One is to block all unsafe access, the other is to fetch them from lower-level caches or memory to a speculative buffer temporarily, and refill them after confirming that they are on the correct execution path. Our design philosophy is to speculatively execute safe instructions to maintain the performance benefits of out-of-order execution while delaying the cache updates for speculative execution of unsafe instructions for security consideration. We evaluate Conditional Speculation in terms of perf-rmance, security, and area. The experimental results show that the hardware overhead is marginal and the performance overhead is minimal.

engineering, electrical & electronic,computer science, hardware & architecture

Atri Bhattacharyya,Alexandra Sandulescu,Matthias Neugschwandtner,Alessandro Sorniotti,Babak Falsafi,Mathias Payer,Anil Kurmus

DOI: https://doi.org/10.1145/3319535.3363194

2019-09-26

Abstract:Spectre, Meltdown, and related attacks have demonstrated that kernels, hypervisors, trusted execution environments, and browsers are prone to information disclosure through micro-architectural weaknesses. However, it remains unclear as to what extent other applications, in particular those that do not load attacker-provided code, may be impacted. It also remains unclear as to what extent these attacks are reliant on cache-based side channels. We introduce SMoTherSpectre, a speculative code-reuse attack that leverages port-contention in simultaneously multi-threaded processors (SMoTher) as a side channel to leak information from a victim process. SMoTher is a fine-grained side channel that detects contention based on a single victim instruction. To discover real-world gadgets, we describe a methodology and build a tool that locates SMoTher-gadgets in popular libraries. In an evaluation on glibc, we found hundreds of gadgets that can be used to leak information. Finally, we demonstrate proof-of-concept attacks against the OpenSSH server, creating oracles for determining four host key bits, and against an application performing encryption using the OpenSSL library, creating an oracle which can differentiate a bit of the plaintext through gadgets in libcrypto and glibc.

Cryptography and Security

Ofek Kirzner,Adam Morrison

DOI: https://doi.org/10.48550/arXiv.2106.15601

2021-07-02

Abstract:Spectre v1 attacks, which exploit conditional branch misprediction, are often identified with attacks that bypass array bounds checking to leak data from a victim's memory. Generally, however, Spectre v1 attacks can exploit any conditional branch misprediction that makes the victim execute code incorrectly. In this paper, we investigate speculative type confusion, a Spectre v1 attack vector in which branch mispredictions make the victim execute with variables holding values of the wrong type and thereby leak memory content. We observe that speculative type confusion can be inadvertently introduced by a compiler, making it extremely hard for programmers to reason about security and manually apply Spectre mitigations. We thus set out to determine the extent to which speculative type confusion affects the Linux kernel. Our analysis finds exploitable and potentially-exploitable arbitrary memory disclosure vulnerabilities. We also find many latent vulnerabilities, which could become exploitable due to innocuous system changes, such as coding style changes. Our results suggest that Spectre mitigations which rely on statically/manually identifying "bad" code patterns need to be rethought, and more comprehensive mitigations are needed.

Cryptography and Security

Chang Liu,Dongsheng Wang,Yongqiang Lyu,Pengfei Qiu,Yu Jin,Zhuoyuan Lu,Yinqian Zhang,Gang Qu

DOI: https://doi.org/10.1109/hpca57654.2024.00014

2024-01-01

Abstract:This paper presents a comprehensive investigation into the security vulnerabilities associated with speculative memory access on AMD processors. Firstly, employing novel reverse engineering techniques, our study uncovers two key predictors, namely the Predictive Store Forwarding Predictor (PSFP) and the Speculative Store Bypass Predictor (SSBP), along with elucidating their internal structures and state machine designs. Secondly, our research empirically confirms that these predictors can be deliberately manipulated and altered during transient execution, resulting in secret leakage across security domains. Leveraging these discoveries, we propose innovative attacks targeting these predictors, including an out-of-place variant of Spectre-STL and an entirely new form of Spectre attack named Spectre-CTL. Finally, we establish experimentally that enabling Speculative Store Bypass Disable alleviates the vulnerabilities. However, this comes at the expense of significant performance degradation.

Mohamadreza Rostami,Shaza Zeitouni,Rahul Kande,Chen Chen,Pouya Mahmoody,Jeyavijayan,Rajendran,Ahmad-Reza Sadeghi

DOI: https://doi.org/10.1145/3649329.3658469

2024-10-30

Abstract:Microarchitectural attacks represent a challenging and persistent threat to modern processors, exploiting inherent design vulnerabilities in processors to leak sensitive information or compromise systems. Of particular concern is the susceptibility of Speculative Execution, a fundamental part of performance enhancement, to such attacks. We introduce Specure, a novel pre-silicon verification method composing hardware fuzzing with Information Flow Tracking (IFT) to address speculative execution leakages. Integrating IFT enables two significant and non-trivial enhancements over the existing fuzzing approaches: i) automatic detection of microarchitectural information leakages vulnerabilities without golden model and ii) a novel Leakage Path coverage metric for efficient vulnerability detection. Specure identifies previously overlooked speculative execution vulnerabilities on the RISC-V BOOM processor and explores the vulnerability search space 6.45x faster than existing fuzzing techniques. Moreover, Specure detected known vulnerabilities 20x faster.

Cryptography and Security,Hardware Architecture

Fangzheng Lin,Zhongfa Wang,Hiroshi Sasaki

2024-11-18

Abstract:Speculative execution is crucial in enhancing modern processor performance but can introduce Spectre-type vulnerabilities that may leak sensitive information. Detecting Spectre gadgets from programs has been a research focus to enhance the analysis and understanding of Spectre attacks. However, one of the problems of existing approaches is that they rely on the presence of source code (or are impractical in terms of run-time performance and gadget detection ability). This paper presents Teapot, the first Spectre gadget scanner that works on COTS binaries with comparable performance to compiler-based alternatives. As its core principle, we introduce Speculation Shadows, a novel approach that separates the binary code for normal execution and speculation simulation in order to improve run-time efficiency. Teapot is based on static binary rewriting. It instruments the program to simulate the effects of speculative execution and also adds integrity checks to detect Spectre gadgets at run time. By leveraging fuzzing, Teapot succeeds in efficiently detecting Spectre gadgets. Evaluations show that Teapot outperforms both performance (more than 20x performant) and gadget detection ability than a previously proposed binary-based approach.

Cryptography and Security,Hardware Architecture

Haifeng Gu,Mingsong Chen,Yanzhao Wang,Fei Xie

DOI: https://doi.org/10.1109/icess49830.2020.9301601

2020-01-01

Abstract:Speculative execution has been widely used in modern CPU designs. This technique improves the CPU performance significantly. However, it may introduce the speculative execution side channels which can be exploited by attackers maliciously, such as the well-known Spectre attack. Although Spectre can expose the speculative execution side channels in data cache, it relies heavily on the training of branch predictors and timing analysis of the target physical processor. Thereby, it is difficult to predict if Spectre attack on processors that are under design in the early stage can succeed or not. For future white-box processors under design, how to identify the speculative execution side channels in data cache in the early stage is an important issue. To address this problem, we propose an approach to generating branch directions (including mis-predictions) of conditional branch instructions based on Instruction Set Architecture simulation. The predictions of the branch predictor in the processor under design will be guided by these branch directions to trigger the speculative execution side channels in data cache for detection. In our experiments, the RISC-V BOOM processor is used as a case study where the speculative execution side channel in data cache can be detected by our approach.

Kaixuan Wang,Xinyu Qin,Zhuoyuan Yang,Weiliang He,Yifan Liu,Jun Han

DOI: https://doi.org/10.1145/3583781.3590308

2023-01-01

Abstract:Speculative execution attacks such as Spectre and Meltdown exploit the wrong execution patch to leak private data. In current state-of-the-art defense strategies, executions of all memory accesses that use speculatively-loaded addresses are blocked, resulting in high overhead. Our key observation is that these blocked memory accesses can be executed without operand-dependent hardware resource usage through value prediction. Therefore, we propose a novel hardware defense framework, named Speculative Value Prediction (SVP), to safely and efficiently execute the potentially unsafe memory accesses earlier. We build SVP on the cycle-accurate Gem5 simulator and its performance improvement is positively correlated with the coverage of value predictors. Experiments show that when using the value predictor with 30%/60%/100% coverage, SVP outperforms the state-of-the-art defense mechanism STT in the Spectre model by 21.5%/50.3%/107.7% respectively, and in the Futuristic model by 28.7%/55.4%/105.7% respectively.

Sunjay Cauligi,Craig Disselkoen,Daniel Moghimi,Gilles Barthe,Deian Stefan

DOI: https://doi.org/10.48550/arXiv.2105.05801

2022-04-08

Abstract:Spectre vulnerabilities violate our fundamental assumptions about architectural abstractions, allowing attackers to steal sensitive data despite previously state-of-the-art countermeasures. To defend against Spectre, developers of verification tools and compiler-based mitigations are forced to reason about microarchitectural details such as speculative execution. In order to aid developers with these attacks in a principled way, the research community has sought formal foundations for speculative execution upon which to rebuild provable security guarantees. This paper systematizes the community's current knowledge about software verification and mitigation for Spectre. We study state-of-the-art software defenses, both with and without associated formal models, and use a cohesive framework to compare the security properties each defense provides. We explore a wide variety of tradeoffs in the expressiveness of formal frameworks, the complexity of defense tools, and the resulting security guarantees. As a result of our analysis, we suggest practical choices for developers of analysis and mitigation tools, and we identify several open problems in this area to guide future work on grounded software defenses.

Cryptography and Security,Programming Languages

Hai Jin,Zhuo He,Weizhong Qiang

DOI: https://doi.org/10.1145/3566053

IF: 1.444

2022-01-01

ACM Transactions on Architecture and Code Optimization

Abstract:In modern processors, speculative execution has significantly improved the performance of processors, but it has also introduced speculative execution vulnerabilities. Recent defenses are based on the delayed execution to block various speculative side channels, but we show that several of the current state-of-the-art defenses fail to block some of the available speculative side channels, and the current most secure defense introduces a performance overhead of up to 24.5%. We propose SpecTerminator, the first defense framework based on instruction classes that can comprehensively and precisely block all existing speculative side channels. In SpecTerminator, a novel speculative side channel classification scheme based on the features of secret transmission is proposed, and the sensitive instructions in the speculative window are classified and identified using optimized hardware taint tracking and instruction masking techniques to accurately determine the scope of leakage. Then, according to the execution characteristics of these instructions, dedicated delayed execution strategies, such as TLB request ignoring, selective issue, and extended delay-on-miss, are designed for each type of sensitive instruction to precisely control that these instructions are delayed only in pipeline stages that are at risk of leakage. In contrast to previous defenses based on the Gem5 simulator, we have innovatively implemented defenses against Spectre attacks based on the open-source instruction set RISC-V on an FPGA-accelerated simulation platform that is more similar to real hardware. To evaluate the security of SpecTerminator, we have replicated various existing x86-based Spectre variants on RISC-V. On SPEC 2006, SpecTerminator defends against Spectre attacks based on memory hierarchy side channels with a performance overhead of 2.6% and against all existing Spectre attacks with a performance overhead of 6.0%.

Ali Hajiabadi,Archit Agarwal,Andreas Diavastos,Trevor E. Carlson

2023-06-20

Abstract:New speculation-based attacks that affect large numbers of modern systems are disclosed regularly. Currently, CPU vendors regularly fall back to heavy-handed mitigations like using barriers or enforcing strict programming guidelines resulting in significant performance overhead. What is missing is a solution that allows for efficient mitigation and is flexible enough to address both current and future speculation vulnerabilities, without additional hardware changes. In this work, we present SpecControl, a novel hardware/software co-design, that enables new levels of security while reducing the performance overhead that has been demonstrated by state-of-the-art methodologies. SpecControl introduces a communication interface that allows compilers and application developers to inform the hardware about true branch dependencies, confidential control-flow instructions, and fine-grained instruction constraints in order to apply restrictions only when necessary. We evaluate SpecControl against known speculative execution attacks and in addition, present a new speculative fetch attack variant on the Pattern History Table (PHT) in branch predictors that shows how similar previously reported vulnerabilities are more dangerous by enabling unprivileged attacks, especially with the state-of-the-art branch predictors. SpecControl provides stronger security guarantees compared to the existing defenses while reducing the performance overhead of two state-of-the-art defenses from 51% and 43% to just 23%.

Cryptography and Security,Hardware Architecture

Zhiyuan Lv,Youjian Zhao

DOI: https://doi.org/10.1109/hpcc-dss-smartcity-dependsys53884.2021.00121

2021-01-01

Abstract:Speculation-based attacks, e.g., Spectre and Meltdown, affect hundreds of millions of computers. These attacks utilize speculative execution to access privileged data and leak it through a side-channel, e.g., typical a cache channel. Existing hardware-based defense solutions require major changes to the microprocessor architecture and incur large overheads, while software-based solutions address only specific exploit techniques. In this paper, we propose StatekeepSpec, a novel defense against Spectre attacks by forbidding speculative instructions' side effects to the cache hierarchy. Specifically, given a speculative load, if it triggers a cache hit then StatekeepSpec enforces it reading data from the cache without updating its replacement information; otherwise a cache miss occurs then StatekeepSpec enforces it reading data directly from the next level cache or memory, without updating the current level cache. As a result, StatekeepSpec blocks micro-architectural covert and side channels through the cache hierarchy caused by speculative loads. We have implemented a prototype of StatekeepSpec by modifying the design of an x86-64 processor using the Gem5 full system simulator. The evaluation results show that StatekeepSpec provides a strong security guarantee against cache based Spectre attacks. Furthermore, our simulations with 23 SPEC CPU workloads show that the performance overhead introduced by StatekeepSpec is less than 29%.

Hernán Ponce-de-León,Johannes Kinder

DOI: https://doi.org/10.48550/arXiv.2108.13818

2021-12-11

Abstract:The Spectre family of speculative execution attacks have required a rethinking of formal methods for security. Approaches based on operational speculative semantics have made initial inroads towards finding vulnerable code and validating defenses. However, with each new attack grows the amount of microarchitectural detail that has to be integrated into the underlying semantics. We propose an alternative, light-weight and axiomatic approach to specifying speculative semantics that relies on insights from memory models for concurrency. We use the CAT modeling language for memory consistency to specify execution models that capture speculative control flow, store-to-load forwarding, predictive store forwarding, and memory ordering machine clears. We present a bounded model checking framework parametrized by our speculative CAT models and evaluate its implementation against the state of the art. Due to the axiomatic approach, our models can be rapidly extended to allow our framework to detect new types of attacks and validate defenses against them.

Cryptography and Security,Programming Languages

Anirban Chakraborty,Nimish Mishra,Debdeep Mukhopadhyay

2024-06-15

Abstract:Transient execution attacks have been one of the widely explored microarchitectural side channels since the discovery of Spectre and Meltdown. However, much of the research has been driven by manual discovery of new transient paths through well-known speculative events. Although a few attempts exist in literature on automating transient leakage discovery, such tools focus on finding variants of known transient attacks and explore a small subset of instruction set. Further, they take a random fuzzing approach that does not scale as the complexity of search space increases. In this work, we identify that the search space of bad speculation is disjointedly fragmented into equivalence classes, and then use this observation to develop a framework named Shesha, inspired by Particle Swarm Optimization, which exhibits faster convergence rates than state-of-the-art fuzzing techniques for automatic discovery of transient execution attacks. We then use Shesha to explore the vast search space of extensions to the x86 Instruction Set Architecture (ISAs), thereby focusing on previously unexplored avenues of bad speculation. As such, we report five previously unreported transient execution paths in Instruction Set Extensions (ISEs) on new generation of Intel processors. We then perform extensive reverse engineering of each of the transient execution paths and provide root-cause analysis. Using the discovered transient execution paths, we develop attack building blocks to exhibit exploitable transient windows. Finally, we demonstrate data leakage from Fused Multiply-Add instructions through SIMD buffer and extract victim data from various cryptographic implementations.

Cryptography and Security

Yuan Xiao,Yinqian Zhang,Radu Teodorescu

DOI: https://doi.org/10.48550/arXiv.1912.00329

2019-12-10

Abstract:SPEculative Execution side Channel Hardware (SPEECH) Vulnerabilities have enabled the notorious Meltdown, Spectre, and L1 terminal fault (L1TF) attacks. While a number of studies have reported different variants of SPEECH vulnerabilities, they are still not well understood. This is primarily due to the lack of information about microprocessor implementation details that impact the timing and order of various micro-architectural events. Moreover, to date, there is no systematic approach to quantitatively measure SPEECH vulnerabilities on commodity processors. This paper introduces SPEECHMINER, a software framework for exploring and measuring SPEECH vulnerabilities in an automated manner. SPEECHMINER empirically establishes the link between a novel two-phase fault handling model and the exploitability and speculation windows of SPEECH vulnerabilities. It enables testing of a comprehensive list of exception-triggering instructions under the same software framework, which leverages covert-channel techniques and differential tests to gain visibility into the micro-architectural state changes. We evaluated SPEECHMINER on 9 different processor types, examined 21 potential vulnerability variants, confirmed various known attacks, and identified several new variants.

Cryptography and Security

Jacob Fustos,Michael Bechtel,Heechul Yun

DOI: https://doi.org/10.48550/arXiv.2003.12208

2020-06-23

Abstract:Transient execution attacks utilize micro-architectural covert channels to leak secrets that should not have been accessible during logical program execution. Commonly used micro-architectural covert channels are those that leave lasting footprints in the microarchitectural state, for example, a cache state change, from which the secret is recovered after the transient execution is completed. In this paper, we present SpectreRewind, a new approach to create contention based covert channels for transient execution attacks. In our approach, a covert channel is established by issuing the necessary instructions logically before the transiently executed victim code. Unlike prior contention based covert channels, which require simultaneous multi-threading (SMT), SpectreRewind supports single hardware thread based covert channels, making it viable on systems where attacker cannot utilize SMT. We show that contention on the floating point division unit on commodity processors can be used to create a high-performance (~100 KB/s), low-noise covert channel for transient execution attacks instead of commonly used flush+reload based cache covert channels. We implement a Meltdown attack utilizing the proposed covert channel showing competitive performance compared to the stateof-the-art cache based covert channel implementation. We also show that the covert channel works in the JavaScript engine of a Chrome browser.

Cryptography and Security

Roberto Guanciale,Musard Balliu,Mads Dam

DOI: https://doi.org/10.48550/arXiv.1911.00868

2020-08-17

Abstract:The recent Spectre attacks has demonstrated the fundamental insecurity of current computer microarchitecture. The attacks use features like pipelining, out-of-order and speculation to extract arbitrary information about the memory contents of a process. A comprehensive formal microarchitectural model capable of representing the forms of out-of-order and speculative behavior that can meaningfully be implemented in a high performance pipelined architecture has not yet emerged. Such a model would be very useful, as it would allow the existence and non-existence of vulnerabilities, and soundness of countermeasures to be formally established. In this paper we present such a model targeting single core processors. The model is intentionally very general and provides an infrastructure to define models of real CPUs. It incorporates microarchitectural features that underpin all known Spectre vulnerabilities. We use the model to elucidate the security of existing and new vulnerabilities, as well as to formally analyze the effectiveness of proposed countermeasures. Specifically, we discover three new (potential) vulnerabilities, including a new variant of Spectre v4, a vulnerability on speculative fetching, and a vulnerability on out-of-order execution, and analyze the effectiveness of three existing countermeasures: constant time, Retpoline, and ARM's Speculative Store Bypass Safe (SSBS).

Cryptography and Security

Mengming Li,Chenlu Miao,Yilong Yang,Kai Bu

DOI: https://doi.org/10.1109/HPCA53966.2022.00016

2022-01-01

Abstract:Speculative execution attacks exploiting speculative execution to leak secrets have aroused significant concerns in both industry and academia. They mainly exploit covert or side channels over microarchitectural states left by mis-speculated and squashed instructions (i.e., transient instructions). Most such attacks target cache states. Existing cache-based defenses against speculative execution attacks fall into two categories, Invisible and Undo. Most Invisible defenses buffer execution metadata of speculative instructions and place them into the cache only if the speculatively executed instructions become determined. Motivated by the fact that mis-speculations are rare cases, Undo defenses allow speculative instructions to modify cache states. Upon a mis-speculation, they rollback cache states to the ones prior to the execution of transient instructions. However, Invisible defenses have been recently found insecure by the speculative interference attack. This calls for a deep security inspection of Undo defenses against speculative execution attacks. In this paper, we present unXpec as the first attack against Undo-based safe speculation. It exploits the secret-dependent timing channel exhibited through the rollback operations of Undo defenses. Specifically, the rollback process requires both invalidating cache lines brought into the cache by transient instructions and restoring evicted cache lines from the cache by transiently loaded data. This opens up a channel that encodes secret via the timing difference between when rollback involves much invalidation and restoration or not. We further leverage eviction sets to enforce more restoration operations. This yields a longer rollback time and thus a larger secret-dependent timing difference. We demonstrate the timing channel over the open-source CleanupSpec, a representative Undo solution. A single transient load can trigger a secret-dependent timing difference of 22 cycles (without eviction sets) of 32 cycles (with eviction sets), which is sufficiently exploitable for constructing a covert channel for speculative execution attacks. We run unXpec on the gem5 simulator with CleanupSpec enabled. The results show that unXpec can leak secrets at a high rate of 140 Kbps with an accuracy over 90%. Simply enforcing constant-time rollback to mitigate unXpec may induce an over 70% performance overhead.