This work addresses the problem of speculative execution vulnerabilities, such as those exploited by Spectre attacks, which arise from misprediction-induced information leakage. The authors propose Speculative Non-Interference (SNI), a novel security semantic framework that formally characterizes information flows under concurrent speculative mechanisms for the first time. SNI is compositional, enabling precise modeling of complex microarchitectural interactions, and integrates symbolic execution with SMT solving to automatically verify program security across diverse speculative execution models. The accompanying tool, Spectector, demonstrates the framework’s practicality, scalability, and theoretical novelty by successfully detecting and verifying speculative leaks in both standard benchmarks and newly devised vulnerability scenarios.

Speculative execution enhances processor performance by predicting intermediate results and executing instructions based on these predictions. However, incorrect predictions can lead to security vulnerabilities, as speculative instructions leave traces in microarchitectural components that attackers can exploit. This is demonstrated by the family of Spectre attacks. Unfortunately, existing countermeasures to these attacks lack a formal security characterization, making it difficult to verify their effectiveness. In this paper, we propose a novel framework for detecting information flows introduced by speculative execution and reasoning about software defenses. The theoretical foundation of our approach is speculative non-interference (SNI), a novel semantic notion of security against speculative execution attacks. SNI relates information leakage observed under a standard non-speculative semantics to leakage arising under semantics that explicitly model speculative execution. To capture their combined effects, we extend our framework with a mechanism to safely compose multiple speculative semantics, each focussing on a single aspect of speculation. This allows us to analyze the complex interactions and resulting leaks that can arise when multiple speculative mechanisms operate together. On the practical side, we develop Spectector, a symbolic analysis tool that uses our compositional framework and leverages SMT solvers to detect vulnerabilities and verify program security with respect to multiple speculation mechanisms. We demonstrate the effectiveness of Spectector through evaluations on standard security benchmarks and new vulnerability scenarios.