{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,27]],"date-time":"2025-08-27T16:25:50Z","timestamp":1756311950368,"version":"3.40.3"},"publisher-location":"Berlin, Heidelberg","reference-count":74,"publisher":"Springer Berlin Heidelberg","isbn-type":[{"type":"print","value":"9783662643211"},{"type":"electronic","value":"9783662643228"}],"license":[{"start":{"date-parts":[[2021,1,1]],"date-time":"2021-01-01T00:00:00Z","timestamp":1609459200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"},{"start":{"date-parts":[[2021,1,1]],"date-time":"2021-01-01T00:00:00Z","timestamp":1609459200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2021]]},"DOI":"10.1007\/978-3-662-64322-8_15","type":"book-chapter","created":{"date-parts":[[2021,10,22]],"date-time":"2021-10-22T18:17:23Z","timestamp":1634926643000},"page":"311-330","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":12,"title":["Speculative Dereferencing: Reviving Foreshadow"],"prefix":"10.1007","author":[{"given":"Martin","family":"Schwarzl","sequence":"first","affiliation":[]},{"given":"Thomas","family":"Schuster","sequence":"additional","affiliation":[]},{"given":"Michael","family":"Schwarz","sequence":"additional","affiliation":[]},{"given":"Daniel","family":"Gruss","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2021,10,23]]},"reference":[{"key":"15_CR1","unstructured":"Amazon AWS: AWS Lambda@Edge (2019). https:\/\/aws.amazon.com\/lambda\/edge\/"},{"key":"15_CR2","unstructured":"ARM: ARM: Whitepaper Cache Speculation Side-channels (2018). https:\/\/developer.arm.com\/support\/arm-security-updates\/speculative-processor-vulnerability\/download-the-whitepaper"},{"key":"15_CR3","unstructured":"Bhattacharya, S., Maurice, C., Bhasin, S., Mukhopadhyay, D.: Template Attack on Blinded Scalar Multiplication with Asynchronous perf-ioctl Calls. Cryptology ePrint Archive, Report 2017\/968 (2017)"},{"key":"15_CR4","unstructured":"Branco, R., Hu, K., Sun, K., Kawakami, H.: Efficient mitigation of side-channel based attacks against speculative execution processing architectures (2019). US Patent App. 16\/023,564"},{"key":"15_CR5","unstructured":"Brasser, F., M\u00fcller, U., Dmitrienko, A., Kostiainen, K., Capkun, S., Sadeghi, A.R.: Software grand exposure: SGX cache attacks are practical. In: WOOT (2017)"},{"key":"15_CR6","unstructured":"Canella, C., et al.: A Systematic evaluation of transient execution attacks and defenses. In: USENIX Security Symposium (2019). Extended classification tree and PoCs at https:\/\/transient.fail\/"},{"key":"15_CR7","doi-asserted-by":"crossref","unstructured":"Chen, G., Chen, S., Xiao, Y., Zhang, Y., Lin, Z., Lai, T.H.: SgxPectre attacks: stealing Intel secrets from SGX enclaves via speculative execution. In: EuroS&P (2019)","DOI":"10.1109\/EuroSP.2019.00020"},{"key":"15_CR8","unstructured":"Chromium: Mojo in Chromium (2020). https:\/\/chromium.googlesource.com\/chromium\/src.git\/+\/master\/mojo\/README.md"},{"key":"15_CR9","unstructured":"Cloudflare: Cloudflare Workers (2019). https:\/\/www.cloudflare.com\/products\/cloudflare-workers\/"},{"key":"15_CR10","unstructured":"KVM Contributors: Kernel-based Virtual Machine (2019). https:\/\/www.linux-kvm.org"},{"key":"15_CR11","unstructured":"Elixir bootlin (2018). https:\/\/elixir.bootlin.com\/linux\/latest\/source\/arch\/x86\/kvm\/svm.c#L5700"},{"key":"15_CR12","doi-asserted-by":"crossref","unstructured":"Evtyushkin, D., Ponomarev, D., Abu-Ghazaleh, N.: Jump over ASLR: attacking branch predictors to bypass ASLR. In: MICRO (2016)","DOI":"10.1109\/MICRO.2016.7783743"},{"key":"15_CR13","unstructured":"Fog, A.: The microarchitecture of Intel. An optimization guide for assembly programmers and compiler makers, AMD and VIA CPUs (2016)"},{"key":"15_CR14","doi-asserted-by":"crossref","unstructured":"Gens, D., Arias, O., Sullivan, D., Liebchen, C., Jin, Y., Sadeghi, A.R.: LAZARUS: practical side-channel resilient kernel-space randomization. In: RAID (2017)","DOI":"10.1007\/978-3-319-66332-6_11"},{"key":"15_CR15","doi-asserted-by":"crossref","unstructured":"Gras, B., Razavi, K., Bosman, E., Bos, H., Giuffrida, C.: ASLR on the line: practical cache attacks on the MMU. In: NDSS (2017)","DOI":"10.14722\/ndss.2017.23271"},{"key":"15_CR16","doi-asserted-by":"crossref","unstructured":"Gruss, D., Lipp, M., Schwarz, M., Fellner, R., Maurice, C., Mangard, S.: KASLR is dead: long live KASLR. In: ESSoS (2017)","DOI":"10.1007\/978-3-319-62105-0_11"},{"key":"15_CR17","doi-asserted-by":"crossref","unstructured":"Gruss, D., Maurice, C., Fogh, A., Lipp, M., Mangard, S.: Prefetch side-channel attacks: bypassing SMAP and Kernel ASLR. In: CCS (2016)","DOI":"10.1145\/2976749.2978356"},{"key":"15_CR18","doi-asserted-by":"crossref","unstructured":"Gruss, D., Maurice, C., Mangard, S.: Rowhammer.js: a remote software-induced fault attack in JavaScript. In: DIMVA (2016)","DOI":"10.1007\/978-3-319-40667-1_15"},{"key":"15_CR19","unstructured":"Horn, J.: Speculative execution, variant 4: speculative store bypass (2018)"},{"key":"15_CR20","unstructured":"IAIK: Prefetch Side-Channel Attacks V2P (2016). https:\/\/github.com\/IAIK\/prefetch\/blob\/master\/v2p\/v2p.c"},{"key":"15_CR21","unstructured":"IBM (2019). https:\/\/cloud.ibm.com\/functions\/"},{"key":"15_CR22","unstructured":"Intel: Intel Analysis of Speculative Execution Side Channels (2018). Revision 4.0"},{"key":"15_CR23","unstructured":"Intel: Retpoline: A Branch Target Injection Mitigation (2018). Revision 003"},{"key":"15_CR24","unstructured":"Intel: Speculative Execution Side Channel Mitigations (2018). Revision 3.0"},{"key":"15_CR25","unstructured":"Intel: Intel 64 and IA-32 Architectures Optimization Reference Manual (2019)"},{"key":"15_CR26","unstructured":"Intel: Intel 64 and IA-32 Architectures Software Developer\u2019s Manual, Volume 3 (3A, 3B & 3C): System Programming Guide (2019)"},{"key":"15_CR27","unstructured":"Intel Corporation: Software Guard Extensions Programming Reference, Rev. 2 (2014)"},{"key":"15_CR28","unstructured":"Intel Corporation: Refined Speculative Execution Terminology (2020). https:\/\/software.intel.com\/security-software-guidance\/insights\/refined-speculative-execution-terminology"},{"key":"15_CR29","unstructured":"Jangda, A., Powers, B., Berger, E.D., Guha, A.: Not so fast: analyzing the performance of webassembly vs. native code. In: USENIX ATC (2019)"},{"key":"15_CR30","unstructured":"kernel.org: Virtual memory map with 4 level page tables (x86_64) (2009). https:\/\/www.kernel.org\/doc\/Documentation\/x86\/x86_64\/mm.txt"},{"key":"15_CR31","doi-asserted-by":"publisher","first-page":"186065","DOI":"10.1109\/ACCESS.2019.2961158","volume":"7","author":"T Kim","year":"2019","unstructured":"Kim, T., Shin, Y.: Reinforcing meltdown attack by using a return stack buffer. IEEE Access 7, 186065\u2013186077 (2019)","journal-title":"IEEE Access"},{"key":"15_CR32","doi-asserted-by":"crossref","unstructured":"Kim, Y., et al.: Flipping bits in memory without accessing them: an experimental study of DRAM disturbance errors. In: ISCA (2014)","DOI":"10.1109\/ISCA.2014.6853210"},{"key":"15_CR33","unstructured":"Kiriansky, V., Waldspurger, C.: Speculative buffer overflows: attacks and defenses. arXiv:1807.03757 (2018)"},{"key":"15_CR34","unstructured":"Shutemov, K.A.: Pagemap: Do Not Leak Physical Addresses to Non-Privileged Userspace (2015). https:\/\/git.kernel.org\/cgit\/linux\/kernel\/git\/torvalds\/linux.git\/commit\/?id=ab676b7d6fbf4b294bf198fb27ade5b0e865c7ce"},{"key":"15_CR35","doi-asserted-by":"crossref","unstructured":"Kocher, P., et al.: Spectre attacks: exploiting speculative execution. In: S&P (2019)","DOI":"10.1109\/SP.2019.00002"},{"key":"15_CR36","unstructured":"Koruyeh, E.M., Khasawneh, K., Song, C., Abu-Ghazaleh, N.: Spectre returns! speculation attacks using the return stack buffer. In: WOOT (2018)"},{"key":"15_CR37","unstructured":"Lee, J., et al.: Hacking in Darkness: Return-oriented Programming against Secure Enclaves. In: USENIX Security Symposium (2017)"},{"key":"15_CR38","unstructured":"Lee, S., Shih, M., Gera, P., Kim, T., Kim, H., Peinado, M.: Inferring fine-grained control flow inside SGX enclaves with branch shadowing. In: USENIX Security Symposium (2017)"},{"key":"15_CR39","unstructured":"Levin, J.: Mac OS X and IOS Internals: To the Apple\u2019s Core. Wiley, Hoboken (2012)"},{"key":"15_CR40","doi-asserted-by":"crossref","unstructured":"Lipp, M., Gruss, D., Schwarz, M., Bidner, D., Maurice, C., Mangard, S.: Practical keystroke timing attacks in sandboxed JavaScript. In: ESORICS (2017)","DOI":"10.1007\/978-3-319-66399-9_11"},{"key":"15_CR41","unstructured":"Lipp, M., et al.: Meltdown: reading kernel memory from user space. In: USENIX Security Symposium (2018)"},{"key":"15_CR42","doi-asserted-by":"crossref","unstructured":"Maisuradze, G., Rossow, C.: ret2spec: speculative execution using return stack buffers. In: CCS (2018)","DOI":"10.1145\/3243734.3243761"},{"key":"15_CR43","doi-asserted-by":"crossref","unstructured":"Maurice, C., et al.: Hello from the other side: SSH over robust cache covert channels in the Cloud. In: NDSS (2017)","DOI":"10.14722\/ndss.2017.23294"},{"key":"15_CR44","unstructured":"Microsoft: Azure serverless computing (2019). https:\/\/azure.microsoft.com\/en-us\/overview\/serverless-computing\/"},{"key":"15_CR45","unstructured":"Microsoft Techcommunity: Hyper-V HyperClear Mitigation for L1 Terminal Fault (2018). https:\/\/techcommunity.microsoft.com\/t5\/Virtualization\/Hyper-V-HyperClear-Mitigation-for-L1-Terminal-Fault\/ba-p\/382429"},{"key":"15_CR46","unstructured":"Mozilla: Javascript data structures (2019). https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/JavaScript\/Data_structures"},{"key":"15_CR47","unstructured":"Nilsson, A., Nikbakht Bideh, P., Brorsson, J.: A Survey of Published Attacks on Intel SGX (2020)"},{"key":"15_CR48","unstructured":"OpenSSL: OpenSSL: The Open Source toolkit for SSL\/TLS (2019). http:\/\/www.openssl.org"},{"key":"15_CR49","doi-asserted-by":"crossref","unstructured":"Oren, Y., Kemerlis, V.P., Sethumadhavan, S., Keromytis, A.D.: The Spy in the sandbox: practical cache attacks in JavaScript and their implications. In: CCS (2015)","DOI":"10.1145\/2810103.2813708"},{"key":"15_CR50","unstructured":"Pessl, P., Gruss, D., Maurice, C., Schwarz, M., Mangard, S.: DRAMA: exploiting DRAM addressing for cross-CPU attacks. In: USENIX Security Symposium (2016)"},{"key":"15_CR51","doi-asserted-by":"crossref","unstructured":"Rebeiro, C., Mukhopadhyay, D., Takahashi, J., Fukunaga, T.: Cache timing attacks on Clefia. In: International Conference on Cryptology in India. Springer, Heidelberg (2009)","DOI":"10.1007\/978-3-642-10628-6_7"},{"key":"15_CR52","doi-asserted-by":"crossref","unstructured":"van Schaik, S.: RIDL: rogue in-flight data load. In: S&P (2019)","DOI":"10.1109\/SP.2019.00087"},{"key":"15_CR53","unstructured":"Schwarz, M., Canella, C., Giner, L., Gruss, D.: Store-to-leak forwarding: leaking data on meltdown-resistant CPUs. arXiv:1905.05725 (2019)"},{"key":"15_CR54","doi-asserted-by":"crossref","unstructured":"Schwarz, M., et al.: Automated detection, exploitation, and elimination of double-fetch bugs using modern CPU features. In: AsiaCCS (2018)","DOI":"10.1145\/3196494.3196508"},{"key":"15_CR55","doi-asserted-by":"crossref","unstructured":"Schwarz, M., Gruss, D., Weiser, S., Maurice, C., Mangard, S.: Malware guard extension: using SGX to conceal cache attacks. In: DIMVA (2017)","DOI":"10.1007\/978-3-319-60876-1_1"},{"key":"15_CR56","doi-asserted-by":"crossref","unstructured":"Schwarz, M., et al.: ZombieLoad: cross-privilege-boundary data sampling. In: CCS (2019)","DOI":"10.1145\/3319535.3354252"},{"key":"15_CR57","doi-asserted-by":"crossref","unstructured":"Schwarz, M., Maurice, C., Gruss, D., Mangard, S.: Fantastic timers and where to find them: high-resolution microarchitectural attacks in JavaScript. In: FC (2017)","DOI":"10.1007\/978-3-319-70972-7_13"},{"key":"15_CR58","doi-asserted-by":"crossref","unstructured":"Schwarz, M., Schwarzl, M., Lipp, M., Gruss, D.: NetSpectre: read arbitrary memory over network. In: ESORICS (2019)","DOI":"10.1007\/978-3-030-29959-0_14"},{"key":"15_CR59","doi-asserted-by":"crossref","unstructured":"Schwarz, M., Weiser, S., Gruss, D.: Practical enclave malware with Intel SGX. In: DIMVA (2019)","DOI":"10.1007\/978-3-030-22038-9_9"},{"key":"15_CR60","unstructured":"Schwarzl, M., Schuster, T., Schwarz, M., Gruss, D.: Speculative dereferencing of registers: reviving foreshadow (2021). https:\/\/martinschwarzl.at\/media\/files\/spec_deref_extended.pdf"},{"key":"15_CR61","unstructured":"Seaborn, M., Dullien, T.: Exploiting the DRAM rowhammer bug to gain kernel privileges. In: Black Hat Briefings (2015)"},{"key":"15_CR62","unstructured":"Slashdot EditorDavid: Two Linux Kernels Revert Performance-Killing Spectre Patches (2019). https:\/\/linux.slashdot.org\/story\/18\/11\/24\/2320228\/two-linux-kernels-revert-performance-killing-spectre-patches"},{"key":"15_CR63","unstructured":"Stecklina, J.: An demonstrator for the L1TF\/Foreshadow vulnerability (2019). https:\/\/github.com\/blitz\/l1tf-demo"},{"key":"15_CR64","unstructured":"Turner, P.: Retpoline: a software construct for preventing branch-target-injection (2018). https:\/\/support.google.com\/faqs\/answer\/7625886"},{"key":"15_CR65","unstructured":"Ubuntu Security Team: L1 Terminal Fault (L1TF) (2019). https:\/\/wiki.ubuntu.com\/SecurityTeam\/KnowledgeBase\/L1TF"},{"key":"15_CR66","unstructured":"V8 team: v8 - Adding BigInts to V8 (2018). https:\/\/v8.dev\/blog\/bigint"},{"key":"15_CR67","unstructured":"Van Bulck, J., et al.: Foreshadow: extracting the keys to the intel SGX kingdom with transient out-of-order execution. In: USENIX Security Symposium (2018)"},{"key":"15_CR68","doi-asserted-by":"crossref","unstructured":"Van Bulck, J., et al.: LVI: hijacking transient execution through microarchitectural load value injection. In: S&P (2020)","DOI":"10.1109\/SP40000.2020.00089"},{"key":"15_CR69","unstructured":"Viswanathan, V.: Disclosure of hardware prefetcher control on some intel processors. https:\/\/software.intel.com\/en-us\/articles\/disclosure-of-hw-prefetcher-control-on-some-intel-processors"},{"key":"15_CR70","unstructured":"Weisse, O., et al.: Foreshadow-NG: Breaking the Virtual Memory Abstraction with Transient Out-of-Order Execution (2018). https:\/\/foreshadowattack.eu\/foreshadow-NG.pdf"},{"key":"15_CR71","doi-asserted-by":"publisher","first-page":"603","DOI":"10.1109\/TNET.2014.2304439","volume":"23","author":"Z Wu","year":"2014","unstructured":"Wu, Z., Xu, Z., Wang, H.: Whispers in the hyper-space: high-bandwidth and reliable covert channel attacks inside the cloud. ACM Trans. Netw. 23, 603\u2013614 (2014)","journal-title":"ACM Trans. Netw."},{"key":"15_CR72","unstructured":"xenbits: Cache-load gadgets exploitable with L1TF (2019). https:\/\/xenbits.xen.org\/xsa\/advisory-289.html"},{"key":"15_CR73","doi-asserted-by":"crossref","unstructured":"Xiao, Y., Zhang, Y., Teodorescu, R.: SPEECHMINER: a framework for investigating and measuring speculative execution vulnerabilities. In: NDSS (2020)","DOI":"10.14722\/ndss.2020.23105"},{"key":"15_CR74","unstructured":"Yarom, Y., Falkner, K.: Flush+Reload: a high resolution, low noise, L3 cache side-channel attack. In: USENIX Security Symposium (2014)"}],"container-title":["Lecture Notes in Computer Science","Financial Cryptography and Data Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-662-64322-8_15","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2021,10,22]],"date-time":"2021-10-22T18:30:11Z","timestamp":1634927411000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-662-64322-8_15"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021]]},"ISBN":["9783662643211","9783662643228"],"references-count":74,"URL":"https:\/\/doi.org\/10.1007\/978-3-662-64322-8_15","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2021]]},"assertion":[{"value":"23 October 2021","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"FC","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Financial Cryptography and Data Security","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2021","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"1 March 2021","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"5 March 2021","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"25","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"fc2021","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/fc21.ifca.ai\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}