Speculative Taint Tracking (STT): A Comprehensive Protection for Speculatively Accessed Data

Jiyong Yu, Mengjia Yan, Artem Khyzha, Adam Morrison, Josep Torrellas, Christopher W. Fletcher

Research output: Contribution to journalArticlepeer-review


Speculative execution attacks present an enormous security threat, capable of reading arbitrary program data under malicious speculation, and later exfiltrating that data over microarchitectural covert channels. This article proposes speculative taint tracking (STT), a high-security and high-performance hardware mechanism to block these attacks. The main idea is that it is safe to execute and selectively forward the results of speculative instructions that read secrets, as long as we can prove that the forwarded results do not reach potential covert channels. The technical core of the article is a new abstraction to help identify all covert channels, and an architecture to quickly identify when a covert channel is no longer a threat. We further conduct a detailed formal analysis on the scheme and prove security in a companion document. When evaluated on SPEC06 workloads, STT incurs 8.5% or 14.5% performance overhead relative to an insecure machine.

Original languageEnglish (US)
Article number9057389
Pages (from-to)81-90
Number of pages10
JournalIEEE Micro
Issue number3
StatePublished - May 1 2020

ASJC Scopus subject areas

  • Software
  • Hardware and Architecture
  • Electrical and Electronic Engineering


Dive into the research topics of 'Speculative Taint Tracking (STT): A Comprehensive Protection for Speculatively Accessed Data'. Together they form a unique fingerprint.

Cite this