With the increasing popularity of Spectre attacks, it has become more important to investigate the variants of speculative execution attacks. For this purpose, we analyze the speculative load and store-forwarding mechanisms.
In Intel processors, when an excessive number of store instructions creates a bottleneck, load instructions bypass the store instructions. Before the result of a load instruction is committed, the address dependency between the previous store instructions and the load instruction should be checked. If there is a dependency, the pipeline is flushed and the store instructions are committed. Then the load instruction is executed again and committed. This late dependency check causes latency, and that latency can be used to infer the physical mappings of the instructions.
We have tested several microarchitectures and observed the same problem in most of the Intel architectures: