LeakageFreeSpec: Applying the Wiping Approach to Defend Against Transient Execution Attacks
Authors: 
Fahong Yu, Zhimin Tang, Xiaobo Li, Zhihua FanAuthors Info & Claims
Fahong Yu, Zhimin Tang, Xiaobo Li, Zhihua FanAuthors Info & ClaimsPages 276 - 284
Abstract
Transient Execution Attacks, such as Spectre and Meltdown, pose significant challenges to processor security. While various defense strategies have been proposed, they often suffer from issues like high-performance overhead and incomplete coverage. This paper introduces a novel hardware-based mitigation approach known as LeakageFreeSpec to address transient execution attacks.
Our key insight is that transient execution attacks leak sensitive information through observable, persistent microarchitecture traces generated by mis-speculated instructions. LeakageFreeSpec dynamically monitors the instruction flow in an out-of-order processor and wipes the persistent microarchitecture traces created by potentially dangerous instructions. This ensures that most of the performance benefits of speculative execution are maintained, as LeakageFreeSpec doesn't block speculation.
We designed SquashAbleCache in accordance with the principles of LeakageFreeSpec, allowing it to eliminate all cache traces created by mis-speculated load instructions. As a result, SquashAbleCache provides protection against a wide range of transient execution attacks that exploit cache side channels. We implemented SquashAbleCache and evaluated its security in the context of the Spectre v1 attack. Our simulations, conducted using SPEC and PARSEC workloads, demonstrate the effectiveness of SquashAbleCache. It incurs only a negligible average performance overhead of 0.71% in defending against a broad spectrum of transient execution attacks that exploit cache side channels. In contrast to the state-of-the-art design known as GhostMinion, which has an average performance overhead of 2.2%, SquashAbleCache offers comparable performance with minimal data movements, as the majority of the processor's predictions are correct.
References
[1]
P. Kocher, J. Horn, A. Fogh, D. Genkin, D. Gruss, W. Haas, M. Hamburg, M. Lipp, S. Mangard, T. Prescher, M. Schwarz, and Y. Yarom. Spectre Attacks: Exploiting Speculative Execution. In Proc. of the 40th IEEE Symposium on Security and Privacy(S&P'19), 2019.
[2]
Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Anders Fogh, Jann Horn, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, Mike Hamburg. Meltdown: Reading Kernel Memory from User Space. USENIX Security Symposium, 2018.
[3]
Claudio Canella, Daniel Genkin, Lukas Giner, Daniel Gruss, Moritz Lipp, Marina Minkin, Daniel Moghimi, Frank Piessens, Michael Schwarz, Berk Sunar, Jo Van Bulck, and Yuval Yarom. 2019. Fallout: Leaking Data on Meltdown-Resistant CPUs. In Proc. of the ACM Conference on Computer and Communications Security (CCS).
[4]
Michael Schwarz, Moritz Lipp, Daniel Moghimi, Jo Van Bulck, Julian Stecklina, Thomas Prescher, and Daniel Gruss. 2019. ZombieLoad: Cross-Privilege-Boundary Data Sampling. In Proc. of the ACM Conference on Computer and Communications Security (CCS).
[5]
Stephan van Schaik, Alyssa Milburn, Sebastian Osterlund, Pietro Frigo, Giorgi Maisuradze, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida. 2019. RIDL: Rogue In-flight Data Load. In Proc. of the IEEE Symposium on Security and Privacy (S&P).
[6]
Jo Van Bulck, Marina Minkin, Ofir Weisse, Daniel Genkin, Baris Kasikci, Frank Piessens, Mark Silberstein, Thomas F. Wenisch, Yuval Yarom, and Raoul Strackx. 2018. Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution. In Proc. of the USENIX Security Symposium (USENIX).
[7]
Ofir Weisse, Jo Van Bulck, Marina Minkin, Daniel Genkin, Baris Kasikci, Frank Piessens, Mark Silberstein, Raoul Strackx, Thomas F. Wenisch, and Yuval Yarom. 2018. Foreshadow-NG: Breaking the Virtual Memory Abstraction with Transient Out-of-Order Execution. Technical report (2018).
[8]
Julian Stecklina and Thomas Prescher. 2018. LazyFP: Leaking FPU register state using microarchitectural side-channels. arXiv preprint arXiv:1806.07480 (2018)
[9]
Mohammad Behnia, Prateek Sahu, Riccardo Paccagnella, Jiyong Yu, Zirui Neil Zhao, Xiang Zou, Thomas Unterluggauer, Josep Torrellas, Carlos Rozas, Adam Morrison, Frank Mckeen, Fangfei Liu, Ron Gabor, Christopher W. Fletcher, Abhishek Basak, and Alaa Alameldeen. 2021. Speculative Interference Attacks: Breaking Invisible Speculation Schemes. In Proc. of the 26th ACM International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS'21), April 19-23, 2021, Virtual, USA. ACM, New York, NY, USA, 15 pages. https://doi.org/10.1145/3445814.3446708
[10]
Mengjia Yan, Jiho Choi, Dimitrios Skarlatos, Adam Morrison, Christopher W. Fletcher, and Josep Torrellas. 2018. InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy. In Proc. of the IEEE/ACM International Symposium on Microarchitecture (MICRO).
[11]
V. Kiriansky, I. Lebedev, S. Amarasinghe, S. Devadas, and J. Emer. Dawg: A defense against cache timing attacks in speculative execution processors. In Proc. of the 51st Annual IEEE/ACM International Symposium on Microarchitecture (MICRO), 2018.
[12]
M. Taram, A. Venkat, and D. Tullsen. Context-sensitive fencing: Securing speculative execution via microcode customization. In Proc. of the International Conference on Architectural Support for Programming Languages and Operating Systems, 2019. [Online]. Available: https://doi.org/10.1145/3297858.3304060
[13]
Peinan Li, Lutan Zhao, Rui Hou, Lixin Zhang, and Dan Meng. 2019. Conditional Speculation: An Effective Approach to Safeguard Out-of-Order Execution Against Spectre Attacks. In Proc. of the IEEE International Symposium on High Performance Computer Architecture (HPCA).
[14]
K. Barber, A. Bacha, L. Zhou, Y. Zhang, and R. Teodorescu. Specshield: Shielding speculative data from microarchitectural covert channels. In Proc. of the 28th International Conference on Parallel Architectures and Compilation Techniques (PACT), 2019.
[15]
J. Fustos, F. Farshchi, and H. Yun. Spectreguard: An efficient data-centric defense mechanism against spectre attacks. In The 56th Design Automation Conference (DAC), 2019. https://doi.org/10.1145/3316781.3317914
[16]
Jiyong Yu, Mengjia Yan, Artem Khyzha, Adam Morrison, Josep Torrellas, and Christopher W. Fletcher. 2019. Speculative Taint Tracking (STT): A Comprehensive Protection for Speculatively Accessed Data. In The 52nd Annual IEEE/ACM International Symposium on Microarchitecture (MICRO'52), October 12-16, 2019, Columbus, OH, USA. ACM, NewYork, NY, USA, 15 pages. https://doi.org/10.1145/3352460.3358274
[17]
Gururaj Saileshwar and Moinuddin K. Qureshi. 2019. CleanupSpec: An "Undo" Approach to Safe Speculation. In The 52nd Annual IEEE/ACM International Symposium on Microarchitecture (MICRO'52), October 12-16, 2019, Columbus, OH, USA. ACM, New York, NY, USA, 14 pages. https://doi.org/10.1145/3352460.3358314
[18]
Christos Sakalis, Stefanos Kaxiras, Alberto Ros, Alexandra Jimborean, and Magnus Sjalander. 2019. Efficient Invisible Speculative Execution Through Selective Delay and Value Prediction. In Proc. of the ACM/IEEE International Symposium on Computer Architecture (ISCA).
[19]
Khaled N. Khasawneh, Esmaeil Mohammadian Koruyeh, Chengyu Song, Dmitry Evtyushkin, Dmitry Ponomarev, and Nael B. Abu-Ghazaleh. 2019. SafeSpec: Banishing the Spectre of a Meltdown with Leakage-Free Speculation. In Proc. of the Design Automation Conference (DAC).
[20]
M. Schwarz, M. Lipp, C. Canella, R. Schilling, F. Kargl, and D. Gruss. Context: A generic approach for mitigating spectre. In The 27th Annual Network and Distributed System Security Symposium (NDSS'20), San Diego, CA, USA, 2020.
[21]
Jiyong Yu, Namrata Mantri, Josep Torrellas, Adam Morrison, Christopher W. Fletcher. Speculative Data-Oblivious Execution: Mobilizing Safe Prediction For Safe and Efficient Speculative Execution. 2020 ACM/IEEE 47th International Symposium on Computer Architecture (ISCA).
[22]
Sam Ainsworth and Timothy M. Jones. 2020. MuonTrap: Preventing Cross-Domain Spectre-Like Attacks by Capturing Speculative State. In Proc. of the ACM/IEEE International Symposium on Computer Architecture (ISCA).
[23]
Ainsworth, S 2021, GhostMinion: A Strictness-Ordered Cache System for Spectre Mitigation. In Proc. of the 54th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO'54). ACM Association for Computing Machinery, 54th IEEE/ACM International Symposium on Microarchitecture, Athens, Greece, 18/10/21.
[24]
K. Loughlin, I. Neal, J. Ma, E. Tsai, O. Weisse, S. Narayanasamy, and B. Kasikci. DOLMA: Securing speculation with the principle of transient non-observability. In 30th USENIX Security Symposium (USENIX Security 21), 2021. https://www.usenix.org/conference/usenixsecurity21/presentation/loughlin
[25]
Rutvik Choudhary, Jiyong Yu, Christopher W. Fletcher, Adam Morrison (2021). Speculative Privacy Tracking (SPT): Leaking Information From Speculative Execution Without Compromising Privacy. MICRO'21, October 18-22, 2021, Virtual Event, Greece.
[26]
Zirui Neil Zhao, Houxiang Ji, Adam Morrison, Darko Marinov, Josep Torrellas. 2022. Pinned Loads: Taming Speculative Loads in Secure Processors. In 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS'22), February 28-March 4, 2022, Lausanne, Switzerland. ACM, New York, NY, USA, 15 pages. https://doi.org/10.1145/3503222.3507724
[27]
Amund Bergland Kvalsvik, Pavlos Aimoniotis, Stefanos Kaxiras, and Magnus Sjalander. 2023. Doppelganger Loads: A Safe, Complexity-Effective Optimization for Secure Speculation Schemes. In Proc. of the 50th Annual International Symposium on Computer Architecture (ISCA'23), June 17-21, 2023, Orlando, FL, USA. ACM, New York, NY, USA, 13 pages. https://doi.org/10.1145/3579371.3589088
[28]
Percival, C.: Cache missing for fun and profit. In: BSDCan 2005, Ottawa, CA (2005).
[29]
Yarom Y, Falkner K. 2014. FLUSH+RELOAD: a high resolution, low noise, L3 cache side-channel attack. In: 23Rd USENIX security symposium (USENIX security 14). USENIX association, San Diego, pp 719--732.
[30]
Michael Schwarz, Martin Schwarzl, Moritz Lipp, Jon Masters, and Daniel Gruss. 2019. Netspectre: Read arbitrary memory over network. In European Symposium on Research in Computer Security. Springer, 279--299.
[31]
Atri Bhattacharyya, Alexandra Sandulescu, Matthias Neugschwandtner, Alessandro Sorniotti, Babak Falsafi, Mathias Payer, and Anil Kurmus. 2019. SMoTherSpectre: exploiting speculative execution through port contention. arXiv preprint arXiv:1903.01843 (2019)
[32]
Timothy Sherwood, Erez Perelman, Greg Hamerly, and Brad Calder. 2002. Automatically Characterizing Large Scale Program Behavior. In Proc. Of the ACM International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS'02).
[33]
N. Muralimanohar, R. Balasubramonian, and N. P. Jouppi. Cacti 6.0: A tool to model large caches. In Proc. of the IEEE/ACM International Symposium on Microarchitecture (MICRO), 2007.
Index Terms
- LeakageFreeSpec: Applying the Wiping Approach to Defend Against Transient Execution Attacks
Recommendations
SPECRUN: The Danger of Speculative Runahead Execution in Processors
DAC '24: Proceedings of the 61st ACM/IEEE Design Automation ConferenceRunahead execution is a continuously evolving microarchitectural technique for processor performance. This paper introduces the first transient execution attack on the runahead execution, called SPECRUN, which exploits the unresolved branch prediction ...
Performance evolution of mitigating transient execution attacks
EuroSys '22: Proceedings of the Seventeenth European Conference on Computer SystemsToday's applications pay a performance penalty for mitigations to protect against transient execution attacks such as Meltdown [32] and Spectre [25]. Such a reduction in performance directly translates to higher operating costs and degraded user ...
CacheGuard: a security-enhanced directory architecture against continuous attacks
CF '19: Proceedings of the 16th ACM International Conference on Computing FrontiersModern processor cores share the last-level cache and directory to improve resource utilization. Unfortunately, such sharing makes the cache vulnerable to cross-core cache side channel attacks. Recent studies show that information leakage through cross-...
Comments
Information & Contributors
Information
Published In
May 2024
345 pages
ISBN:9798400705977
DOI:10.1145/3649153
Copyright © 2024 Owner/Author.
This work is licensed under a Creative Commons Attribution International 4.0 License.
Sponsors
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 02 July 2024
Check for updates
Author Tags
Qualifiers
- Research-article
- Research
- Refereed limited
Conference
CF '24
Sponsor:
Acceptance Rates
CF '24 Paper Acceptance Rate 33 of 105 submissions, 31%;
Overall Acceptance Rate 273 of 785 submissions, 35%
Upcoming Conference
CF '25
- Sponsor:
- sigmicro
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 157Total Downloads
- Downloads (Last 12 months)157
- Downloads (Last 6 weeks)32
Reflects downloads up to 12 Jan 2025
Other Metrics
Citations
View Options
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in