Modern advanced CPU designs are frequently exposed to transient execution vulnerabilities, which allow attackers to harness microarchitectural side effects for data exfiltration. The leaked data may encompass direct target data, such as RSA keys, or indirect information, like physical page mappings. Thus, transient execution attacks can be divided into data-leakage and address-leakage attacks, depending on the specific targets that are exposed. Existing studies have developed practical defenses and detection mechanisms against microarchitectural attacks. However, almost all of them focus solely on data leakage and are thus unable to detect and counter address-leakage attacks, like Spoiler, due to their unique mechanisms. This paper introduces AALERT, the first detection mechanism specifically designed for address-leakage transient execution attacks. AALERT integrates a Cuckoo filter module within the CPU's Memory Order Buffer (MOB) to screen buffered addresses on the fly. We further optimize the filtering algorithm to minimize false positives. We discuss and implement several countermeasures to defeat the detected attacks. Finally, we evaluate the effectiveness and performance of AALERT based on prototype implementations, demonstrating a detection rate of 99.99% with negligible performance overhead.
Yin et al. (Tue,) studied this question.