Journal of Tsinghua University (Science and Technology)  2021, Vol. 61 Issue (11): 1221-1227    DOI: 10.16511/j.cnki.qhdxxb.2020.22.040
Vulnerability Analysis and Risk Assessment
exLCL for defense against spectre attacks
WANG Shaoqing1, ZHAO Youjian1,2, LÜ Zhiyuan1
1. Department of Computer Science and Technology, Tsinghua University, Beijing 100084, China;
2. Peng Cheng Laboratory, Shenzhen 518000, China
Abstract: The recently discovered Spectre attack poses a severe challenge to computer security. The attack leaks secret data by exploiting the indelible microarchitectural state changes (for example, in the cache) left behind by speculatively executed instructions, combined with side-channel techniques. This paper first studies the instruction execution flow of the Spectre attack, presents a stage model of the attack, and analyzes in depth the race conditions that must be met for the vulnerability to be exploited. It then presents a defense, exLCL (extended L1 cache latency), that aims to prevent an attacker from meeting those race conditions. Simulations based on gem5 show the effectiveness and feasibility of exLCL, whose processing logic is simpler than that of existing defenses.
Key words: spectre attack    side channels    stage model    cache latency
Received: 2020-09-21      Published: 2021-10-19
Corresponding author: ZHAO Youjian, Professor, E-mail: zhaoyoujian@tsinghua.edu.cn
Cite this article:
WANG Shaoqing, ZHAO Youjian, LÜ Zhiyuan. exLCL for defense against spectre attacks. Journal of Tsinghua University (Science and Technology), 2021, 61(11): 1221-1227.
Link to this article:
http://jst.tsinghuajournals.com/CN/10.16511/j.cnki.qhdxxb.2020.22.040  or  http://jst.tsinghuajournals.com/CN/Y2021/V61/I11/1221