Detecting speculative data flow vulnerabilities using weakest precondition reasoning

📅 2025-04-27
📈 Citations: 0
Influential: 0
🤖 AI Summary
This work addresses Spectre-STL and Spectre-PSF, two speculative execution vulnerabilities that arise from predicted data flow (a load speculatively bypassing, or speculatively forwarding from, an earlier store) rather than from predicted control flow. Most formal-methods work on Spectre-style vulnerabilities targets the control-flow variants; this paper instead applies weakest precondition (WP) reasoning to detect the data-flow variants, reasoning backwards from attacker-observable effects to the program states that can produce them under a speculation-aware semantics. The approach is validated on the suite of litmus tests used by related work in the literature, which covers both vulnerability classes. Claims about precision or coverage beyond that litmus suite are not made in the abstract.

📝 Abstract
Speculative execution is a hardware optimisation technique where a processor, while waiting on the completion of a computation required for an instruction, continues to execute later instructions based on a predicted value of the pending computation. It came to the forefront of security research in 2018 with the disclosure of two related attacks, Spectre and Meltdown. Since then many similar attacks have been identified. While there has been much research on using formal methods to detect speculative execution vulnerabilities based on predicted control flow, there has been significantly less on vulnerabilities based on predicted data flow. In this paper, we introduce an approach for detecting the data flow vulnerabilities, Spectre-STL and Spectre-PSF, using weakest precondition reasoning. We validate our approach on a suite of litmus tests used to validate related approaches in the literature.
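The abstract describes the idea but not the encoding, so the following toy, added here as an illustration and not the authors' tool, shows how backward substitution from an attacker-observable expression detects both data-flow variants on litmus-style programs. Everything in it is an assumption for illustration: the three-instruction language, the `seq`/`bypass`/`forward` speculation modes, the concrete addresses, and the three litmus programs. `bypass k` lets a load ignore the k nearest earlier stores (the Spectre-STL behaviour); `forward k` lets a load take the value of the k-th earlier store regardless of its address (the Spectre-PSF behaviour). A leak is reported when, after substituting through the program back to the initial state, an observed address still depends on the `secret` symbol.

```python
"""Toy weakest-precondition style checker for speculative data-flow leaks.

Illustration only (hypothetical language, not the paper's tool). Program instructions:
  ("store", addr, val)  [addr] := val
  ("load", reg, addr)   reg := [addr]
  ("observe", expr)     expr is used as a memory address, so its value is visible via the cache
Expressions are nested tuples: ("const", n), ("reg", name), ("sym", name), ("add", a, b),
("select", mem, addr), ("store", mem, addr, val), ("mem",) for the initial memory, and the
bookkeeping nodes ("memv", k) and ("storeval", k) used while walking backwards through stores.
"""
from itertools import product

SECRET = ("sym", "secret")


def subst(e, var, repl):
    """Replace every occurrence of expression `var` inside `e` by `repl`."""
    if e == var:
        return repl
    if isinstance(e, tuple):
        return (e[0],) + tuple(subst(x, var, repl) for x in e[1:])
    return e


def rewrite(e, f):
    """Apply `f` to every tuple node of `e`, children first."""
    if not isinstance(e, tuple):
        return e
    return f((e[0],) + tuple(rewrite(x, f) for x in e[1:]))


def contains(e, pred):
    return isinstance(e, tuple) and (pred(e) or any(contains(x, pred) for x in e[1:]))


def through_store(addr, val):
    """Backward transformer for `[addr] := val`.
    memv 0 is the memory the load sees; wrap it in this store.  memv k>0 means the load still
    skips this store (STL), so just count it down.  storeval 1 means the load takes this store's
    value whatever its address (PSF); storeval k>1 counts down to an earlier store."""
    def f(e):
        if e[0] == "memv":
            return ("store", e, addr, val) if e[1] == 0 else ("memv", e[1] - 1)
        if e[0] == "storeval":
            return val if e[1] == 1 else ("storeval", e[1] - 1)
        return e
    return f


def wp(program, choices):
    """Walk backwards from the observations, substituting each instruction's effect."""
    observed = []
    for idx in range(len(program) - 1, -1, -1):
        ins = program[idx]
        if ins[0] == "observe":
            observed.append(ins[1])
        elif ins[0] == "load":
            mode, k = choices[idx]
            if mode == "forward":
                val = ("storeval", k)
            else:
                val = ("select", ("memv", k if mode == "bypass" else 0), ins[2])
            observed = [subst(o, ("reg", ins[1]), val) for o in observed]
        elif ins[0] == "store":
            observed = [rewrite(o, through_store(ins[1], ins[2])) for o in observed]
    return observed


def simplify(e):
    """Resolve select-over-store chains when both addresses are concrete; otherwise keep the
    whole chain, which conservatively counts as depending on every stored value."""
    if not isinstance(e, tuple):
        return e
    e = (e[0],) + tuple(simplify(x) for x in e[1:])
    if e[0] == "select":
        mem, addr = e[1], e[2]
        while mem[0] == "store" and mem[2][0] == "const" and addr[0] == "const":
            if mem[2] == addr:
                return mem[3]
            mem = mem[1]  # distinct concrete addresses: look past this store
        return ("select", mem, addr)
    return e


def modes_for(program, load_idx):
    n = sum(1 for ins in program[:load_idx] if ins[0] == "store")
    return ([("seq", 0)] + [("bypass", k) for k in range(1, n + 1)]
            + [("forward", k) for k in range(1, n + 1)])


def check(program, init_contents, secret=SECRET):
    """Return the speculation choices (load index -> mode) under which a secret is observable."""
    init = ("mem",)
    for addr, val in init_contents.items():
        init = ("store", init, ("const", addr), val)
    loads = [i for i, ins in enumerate(program) if ins[0] == "load"]
    leaking = []
    for combo in product(*(modes_for(program, i) for i in loads)):
        choices = dict(zip(loads, combo))
        obs = wp(program, choices)
        if any(contains(o, lambda n: n[0] == "storeval") for o in obs):
            continue  # predicted forwarding from a store that does not exist: infeasible
        final = [simplify(rewrite(o, lambda n: init if n[0] == "memv" else n)) for o in obs]
        if any(contains(o, lambda n: n == secret) for o in final):
            leaking.append(choices)
    return leaking


# Constructed litmus programs (assumed addresses: 0x100 private slot, 0x200 public slot,
# 0x1000 base of the probe array whose accessed index is visible in the cache).
STL = [("store", ("const", 0x100), ("const", 0)),               # scrub the secret slot
       ("load", "r", ("const", 0x100)),                         # may bypass the scrub (STL)
       ("observe", ("add", ("const", 0x1000), ("reg", "r")))]
PSF = [("store", ("const", 0x100), SECRET),                     # private write of a secret
       ("load", "r", ("const", 0x200)),                         # disjoint address, may forward (PSF)
       ("observe", ("add", ("const", 0x1000), ("reg", "r")))]
SAFE = [("store", ("const", 0x100), ("const", 0)),
        ("load", "r", ("const", 0x200)),
        ("observe", ("add", ("const", 0x1000), ("reg", "r")))]

if __name__ == "__main__":
    print("STL :", check(STL, {0x100: SECRET}))
    print("PSF :", check(PSF, {0x200: ("sym", "public")}))
    print("SAFE:", check(SAFE, {0x100: SECRET, 0x200: ("sym", "public")}))
```

Two caveats a practitioner should keep in mind. The toy decides "depends on the secret" syntactically, which is a taint check over the substituted expression; a genuine WP analysis produces a precondition (for example, that the observed value is the same for any two initial states agreeing on public data) and discharges it with a prover, so it can also prove programs safe when the dependence is harmless. It also enumerates speculation choices per load, which is fine for litmus tests but grows quickly; the paper's own handling of that is not described on this page.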
Problem

Research questions and friction points this paper is trying to address.

Detecting speculative execution vulnerabilities that stem from predicted data flow (Spectre-STL and Spectre-PSF) rather than predicted control flow
Addressing the lack of formal-methods work on data flow vulnerabilities, which is much smaller than the body of work on control flow variants
Detecting these vulnerabilities with weakest precondition reasoning and validating the approach on litmus tests from the literature
Innovation

Methods, ideas, or system contributions that make the work stand out.

Detects data flow vulnerabilities using weakest precondition reasoning over a speculation-aware program semantics
Focuses on Spectre-STL (a load speculatively bypassing an earlier store) and Spectre-PSF (a load speculatively forwarding from a store it does not alias)
Validates the approach on the litmus test suite used by related work in the literature