DOI: 10.1145/3613424.3623770
research-article
Open Access

ReCon: Efficient Detection, Management, and Use of Non-Speculative Information Leakage

Published: 08 December 2023

ABSTRACT

In a speculative side-channel attack, a secret is improperly accessed and then leaked by passing it to a transmitter instruction. Several proposed defenses effectively close this security hole by either delaying the secret from being loaded or propagated, or by delaying dependent transmitters (e.g., loads) from executing when fed with tainted input derived from an earlier speculative load. This results in a loss of memory-level parallelism and performance.

A security definition proposed recently, in which data already leaked in non-speculative execution need not be considered secret during speculative execution, can provide a solution to the loss of performance. However, detecting and tracking non-speculative leakage carries its own cost, increasing complexity. The key insight of our work that enables us to exploit non-speculative leakage as an optimization to other secure speculation schemes is that the majority of non-speculative leakage is simply due to pointer dereferencing (or base-address indexing) — essentially what many secure speculation schemes prevent from taking place speculatively.

We present ReCon, which: i) efficiently detects non-speculative leakage by limiting detection to pairs of directly-dependent loads that dereference pointers (or index a base-address); and ii) piggybacks non-speculative leakage information on the coherence protocol. In ReCon, the coherence protocol remembers and propagates the knowledge of what has leaked and therefore what is safe to dereference under speculation. To demonstrate the effectiveness of ReCon, we show how two state-of-the-art secure speculation schemes, Non-speculative Data Access (NDA) and Speculative Taint Tracking (STT), leverage this information to enable more memory-level parallelism both in a single-core scenario and in a multicore scenario: NDA with ReCon reduces the performance loss by 28.7% for SPEC2017, 31.5% for SPEC2006, and 46.7% for PARSEC; STT with ReCon reduces the loss by 45.1%, 39%, and 78.6%, respectively.
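The mechanism the abstract describes, as an added toy model in Python (not code from the paper or its authors): committed pairs of directly dependent loads mark a word as already leaked, and a delay-on-taint policy in the style of STT then lets a speculative dereference of that word proceed. The class, method and register names, the addresses, the rule that a store clears the mark, and the omission of coherence propagation and base-address indexing are assumptions of this example.

```python
# Added illustration: toy single-core model of "what has leaked is safe to
# dereference under speculation". Names, addresses and the store rule are assumptions.
class ToyCore:
    def __init__(self, memory, recon):
        self.mem = dict(memory)
        self.recon = recon        # False = baseline delay-on-taint scheme only
        self.regs = {}
        self.origin = {}          # reg -> address whose loaded value it holds unmodified
        self.tainted = set()      # regs derived from a still-speculative load
        self.revealed = set()     # words whose current value already leaked as an address

    def load(self, dst, addr=None, base=None, speculative=False):
        """dst = mem[addr] or dst = mem[regs[base]]; returns 'issued' or 'delayed'."""
        if base is not None:
            if base in self.tainted:
                speculative = True
                # Transmitter fed with tainted input: allowed only when the value
                # it would expose has already leaked non-speculatively.
                if not (self.recon and self.origin.get(base) in self.revealed):
                    return "delayed"
            elif not speculative and base in self.origin:
                # Committed pair of directly dependent loads: the first load's
                # value is now visible as an address, so remember that it leaked.
                self.revealed.add(self.origin[base])
            addr = self.regs[base]
        self.regs[dst] = self.mem.get(addr, 0)
        self.origin[dst] = addr
        self._taint(dst, speculative)
        return "issued"

    def alu(self, dst, src, fn):
        """dst = fn(regs[src]); taint propagates, direct dependence does not."""
        self.regs[dst] = fn(self.regs[src])
        self.origin.pop(dst, None)
        self._taint(dst, src in self.tainted)

    def store(self, addr, value):
        self.mem[addr] = value
        self.revealed.discard(addr)   # assumption: the new value has not leaked yet

    def _taint(self, reg, on):
        (self.tainted.add if on else self.tainted.discard)(reg)

MEMORY = {0x100: 0x200, 0x200: 7, 0x300: 0x5000}  # constructed: 0x100 = pointer, 0x300 = secret

def run(recon):
    core, out = ToyCore(MEMORY, recon), []
    # Committed execution dereferences the pointer stored at 0x100.
    core.load("r1", addr=0x100)
    core.load("r2", base="r1")
    # Speculative window: reload the same pointer and dereference it.
    core.load("r3", addr=0x100, speculative=True)
    out.append(core.load("r4", base="r3"))
    # Speculative read of a word that never leaked, then a transmit attempt.
    core.load("r5", addr=0x300, speculative=True)
    out.append(core.load("r6", base="r5"))
    # Address derived by arithmetic: not a directly dependent pair in this model.
    core.alu("r7", "r3", lambda v: v + 8)
    out.append(core.load("r8", base="r7"))
    # Overwriting the pointer invalidates the earlier leak record.
    core.store(0x100, 0x300)
    core.load("r9", addr=0x100, speculative=True)
    out.append(core.load("r10", base="r9"))
    return out
```

With `recon=True` only the first speculative dereference is issued; with `recon=False` all four are delayed, which is the lost memory-level parallelism the abstract refers to.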

Published in

MICRO '23: Proceedings of the 56th Annual IEEE/ACM International Symposium on Microarchitecture
October 2023
1528 pages
ISBN: 9798400703294
DOI: 10.1145/3613424

Copyright © 2023 Owner/Author

This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

• Published: 8 December 2023

Qualifiers

• research-article
• Research
• Refereed limited

Acceptance Rates

Overall Acceptance Rate: 484 of 2,242 submissions, 22%