Computer Science 2021
Side channels and transient execution
CSci 2021: Machine Architecture and Organization
December 10th, 2018
Stephen McCamant
Computer Science 2021
Side and covert channels
Transient execution
Transient execution and kernel isolation: Meltdown
Transient execution and software checks: Spectre
Fixes, lessons learned, and the future
Computer Science 2021
Information protection
Most security goals relate to one of two properties
Keep adversaries from taking control
Protect sensitive (secret private, confidential, etc.)
information from being revealed
Buffer overflows were most commonly a problem for #1
Though read buffer overflows can be bad for #2, like “Heartbleed”
Each goal eventually depends on the other
An adversary with control can send access information directly
Control is protected by secrets like passwords
Today is about security problems of the #2 variety
Computer Science 2021
Side channels
side channel
is an unexpected way in which a system
reveals information, different from how information is
intentionally output
Analog side channels are mediated by the physical world
outside the machine, e.g.:
Sound of the hard-disk running
Power usage
Digital side channels reveal information while staying
inside the computer abstraction, e.g.:
You can’t read a file, but the error message reveals that it exists
Running time of an operation depends on what else is running
Computer Science 2021
Side channels vs. covert channels
In a side channel, information is revealed from an
unsuspecting victim.
Sound of many people erasing indicates that an exam question is
In a covert channel, the source of the information is
working together with the receiver to transmit it when
they shouldn’t.
Cough once if the answer is “true”, twice if it is “false”
Often the channel itself is the same, it just differs how
you use it
And not everyone is careful about this distinction
Computer Science 2021
Recall that the instruction-set architecture is an
abstraction that hides details
Above the line: programmer visible state
Below the line, pipelining, caches, etc.
Another form of this terminology distinction you will hear
“Architectural” means the above-the-line view
“Micro-architectural” means the below-the-line view
If information is available only because of a micro-
architectural behavior, that’s likely a side channel

