Runahead execution is a continuously evolving microarchitectural technique for improving processor performance. This paper introduces the first transient execution attack on runahead execution, called SPECRUN, which exploits unresolved branch predictions during runahead execution. We show that SPECRUN eliminates the limit on the number of transient instructions imposed by the reorder buffer size, increasing both the exploitability and the harmfulness of the attack. We concretely demonstrate a proof-of-concept attack that leaks secrets from a victim process, validate the merit of SPECRUN, and design a secure runahead execution scheme. This paper highlights the need to consider the security of potential optimization techniques before implementing them in a processor.