Do You Even Lift? Strengthening Compiler Security Guarantees Against Spectre Attacks

📅 2024-05-16
🏛️ arXiv.org
📈 Citations: 0
Influential: 0
🤖 AI Summary
Existing compiler-based Spectre mitigations lack uniform formal guarantees: their security proofs are either absent or target weak speculative semantics that omit speculation mechanisms present in modern CPUs, so a proof says little about the hardware the hardened code actually runs on. The paper introduces a secure compilation framework for lifting a countermeasure's security guarantee, proved once under a weaker speculative semantics, to a stronger semantics that accounts for the omitted speculation mechanisms, without writing new secure compilation proofs. Using this framework, the authors analyse nine countermeasures from mainstream compilers against five classes of Spectre attacks and prove them secure with respect to a speculative semantics that models five speculation mechanisms, the most comprehensive such analysis to date.

📝 Abstract
Mainstream compilers implement different countermeasures to prevent specific classes of speculative execution attacks. Unfortunately, these countermeasures either lack formal guarantees or come with proofs restricted to speculative semantics capturing only a subset of the speculation mechanisms supported by modern CPUs, thereby limiting their practical applicability. Ideally, these security proofs should target a speculative semantics capturing the effects of all speculation mechanisms implemented in modern CPUs. However, this is impractical and requires new secure compilation proofs to support additional speculation mechanisms. In this paper, we address this problem by proposing a novel secure compilation framework that allows lifting the security guarantees provided by Spectre countermeasures from weaker speculative semantics (ignoring some speculation mechanisms) to stronger ones (accounting for the omitted mechanisms) without requiring new secure compilation proofs. Using our lifting framework, we performed the most comprehensive security analysis of Spectre countermeasures implemented in mainstream compilers to date. Our analysis spans 9 different countermeasures against 5 classes of Spectre attacks, which we proved secure against a speculative semantics accounting for five different speculation mechanisms.
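The countermeasures the abstract refers to are transformations a compiler applies to code such as the classic bounds-check gadget. As an added illustration that is not code from the paper, the C below shows a textbook Spectre-PHT (v1) gadget beside a version hardened with branchless index masking, the idea behind speculative load hardening; other compiler countermeasures instead insert a speculation barrier after the branch. The array contents, function names and the optimisation barrier are constructed for this example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the paper. A textbook Spectre-PHT (v1)
 * gadget next to a version hardened with branchless index masking, the
 * idea behind compiler countermeasures such as speculative load hardening.
 * Array contents and names are constructed for this example. */

#define ARRAY1_LEN 16
#define CACHE_LINE 64

/* Constructed sample data: a small bounds-checked array and a probe array
 * whose cache state would serve as the side channel in a real attack. */
static uint8_t array1[ARRAY1_LEN] = {1, 2, 3, 4, 5, 6, 7, 8,
                                     9, 10, 11, 12, 13, 14, 15, 16};
static uint8_t array2[256 * CACHE_LINE];

/* Fill the probe array so that array2[v * CACHE_LINE] == v; this only
 * makes the architectural result of the two victims observable. */
void init_probe_array(void) {
    for (size_t i = 0; i < sizeof array2; i++)
        array2[i] = (uint8_t)(i / CACHE_LINE);
}

/* Vulnerable gadget. Architecturally it never reads out of bounds, but if
 * the branch predictor guesses "taken" for an out-of-bounds idx, the CPU
 * transiently loads array1[idx] and uses that byte to index array2,
 * leaving a cache footprint that survives the squash. */
uint8_t victim_vulnerable(size_t idx) {
    if (idx < ARRAY1_LEN)
        return array2[array1[idx] * CACHE_LINE];
    return 0;
}

/* All-ones when idx < len, all-zeros otherwise. The mask is derived from
 * the comparison itself rather than from (idx - len) >> 63: that shortcut
 * misclassifies indices with the top bit set (e.g. SIZE_MAX) as in-bounds. */
static inline size_t speculation_mask(size_t idx, size_t len) {
#if defined(__GNUC__)
    /* Optimisation barrier (constructed for this example): the compiler
     * cannot see through it, so on the in-bounds path it cannot prove
     * idx < len and fold the mask to a constant, which would silently
     * remove the protection. A real compiler pass keeps the mask opaque
     * itself and ties it to the condition flags of the branch. */
    __asm__ volatile("" : "+r"(idx));
#endif
    size_t in_bounds = (size_t)(idx < len);   /* 1 or 0 */
    return (size_t)0 - in_bounds;             /* 0 - 1 wraps to all ones */
}

/* The index the hardened load actually uses: idx itself when in bounds,
 * 0 on a path that should only ever be reached transiently. */
size_t masked_index(size_t idx, size_t len) {
    return idx & speculation_mask(idx, len);
}

/* Hardened gadget: same architectural behaviour as victim_vulnerable, but
 * a mispredicted branch now loads array1[0], a public value, instead of an
 * out-of-bounds byte, so the transient load carries no secret. */
uint8_t victim_hardened(size_t idx) {
    if (idx < ARRAY1_LEN)
        return array2[array1[masked_index(idx, ARRAY1_LEN)] * CACHE_LINE];
    return 0;
}

int main(void) {
    init_probe_array();
    printf("in bounds : vulnerable=%u hardened=%u\n",
           (unsigned)victim_vulnerable(5), (unsigned)victim_hardened(5));
    printf("masked_index(5, 16)=%zu masked_index(200, 16)=%zu "
           "masked_index(SIZE_MAX, 16)=%zu\n",
           masked_index(5, 16), masked_index(200, 16),
           masked_index(SIZE_MAX, 16));
    return 0;
}
```

Note what a unit test can and cannot check here: it confirms that the hardened function is architecturally equivalent to the original and that out-of-bounds indices are clamped to 0, but no test can assert the absence of a transient leak, and whether the emitted code is really branchless and the mask really unfolded depends on the compiler and the target. That gap is exactly why the guarantee has to be proved at the compiler level, against a speculative semantics that models the speculation mechanisms the hardware actually has, which is the problem the paper's lifting framework addresses.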
Problem

Research questions and friction points this paper is trying to address.

Compiler-level Spectre countermeasures either lack formal security guarantees or have proofs limited to weak speculative semantics that ignore some speculation mechanisms of modern CPUs
Lifting those guarantees to stronger speculative semantics that account for additional speculation mechanisms, without writing new secure compilation proofs
A comprehensive security analysis of the Spectre countermeasures implemented in mainstream compilers
Innovation

Methods, ideas, or system contributions that make the work stand out.

A secure compilation framework for Spectre countermeasures whose proofs are parametric in the speculative semantics
Lifting of a countermeasure's security guarantee from a weaker speculative semantics to a stronger one covering the omitted speculation mechanisms, with no new secure compilation proofs
Security proofs for nine countermeasures against five classes of Spectre attacks, under a speculative semantics that models five speculation mechanisms