DOI: 10.1145/3386263.3407584
short-paper

Evolution of Defenses against Transient-Execution Attacks

Published: 07 September 2020

ABSTRACT

Transient-execution attacks, such as Meltdown and Spectre, exploit performance optimizations in modern CPUs to enable unauthorized access to data across protection boundaries. Against these attacks, we have noticed a rapid growth of deployed and proposed countermeasures. In this paper, we show the evolution of countermeasures against transient-execution attacks by both industry and academia since the initial discoveries of the attacks. We show that despite the advances in the understanding and systematic view of the field, the proposed and deployed defenses are limited.



Published in

GLSVLSI '20: Proceedings of the 2020 on Great Lakes Symposium on VLSI
September 2020
597 pages
ISBN: 9781450379441
DOI: 10.1145/3386263

Copyright © 2020 ACM


Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance Rates

Overall Acceptance Rate: 312 of 1,156 submissions, 27%
