A large scale analysis of cloud providers against transient execution attacks

Modern CPU optimizations such as branch prediction and out-of-order execution are fundamental for performance and are widely adopted by almost all CPU vendors. Recent research works showed, however, how transient execution attacks could exploit these CPU performance optimization solutions to retrieve secrets leveraging secret-dependent traces left in the microarchitectural state of the CPU. New classes of attacks, as Meltdown and Spectre, have been built on top of this new class of vulnerabilities. Mitigations have been developed both at CPU and OS level, but some of these can provoke a significant performance drop not acceptable in some computing domains. Therefore these mitigations are not always enabled or enforced in both the kernel space and user space, leaving the machine vulnerable to some extent. Particular requirements in terms of performance are nowadays demanded to the cloud providers, which offer high computation power to the IT industry. Today, however, there is not a tool to easily empirically test if a computer system is actually protected against transient execution attacks, ending up with a general unawareness of being vulnerable. In this thesis I present my contribution on the development of the tests for transient execution attacks for Speculator, which aims to become the GDB of speculative execution. Moreover I present the large scale analysis performed on different cloud providers by using the developed tests together with other tools that use different approaches to test the same class of vulnerabilities. The goal of the thesis work is to create the first tool to empirically check if a computer system is vulnerable to a set of Spectre and Meltdown attacks and report the results to the end user in a clear manner. At the same time the thesis also investigates the actual situation against transient execution attacks among the several cloud providers. The experimental results show how the empirical approach used by Speculator can be extremely precise in the detection of Spectre and Meltdown vulnerabilities that, in most of the cases, remain unpatched in the user space world and in most of the cloud providers machines.