With the increasing popularity of Spectre attacks, it has become more important to investigate the variants of speculative execution attacks. For this purpose, we analyze the speculative loads and store forwarding mechanisms.

In Intel processors, when there is a bottleneck due to the excessive number of store instructions, the load instructions bypass the store instructions. Before the result of the load instruction is committed, the address dependency between previous store instructions and load instruction should be checked. If there is a dependency, the pipeline is flushed and store instructions are committed. Then, the load instruction is executed again and committed. This late dependency check causes latency and it can be used to infer the physical mappings of the instructions.

We have tested several microarchitectures, and observed the same problem in most of the Intel architectures:

We applied Spoiler technique to increase the efficiency of both cache attacks and Rowhammer based attacks. In the absence of virtual to physical address translation to attackers, Spoiler attack can be used to create the eviction sets much faster and more reliable. This increases the applicability of the aforementioned attacks from Javascript and public cloud environments. The details of the work can be found here.