Abstract: The newly discovered Spectre attack poses severe challenges to computer security. The attacker leaks secret data by exploiting micro-architectural state changes (for example, in the cache) that speculatively executed instructions leave behind and that are not undone when the speculation is squashed, combined with cache side channels. This paper first describes the instruction execution process of the Spectre attack, presents a stage model for the attack, and identifies the competition conditions under which a vulnerability can be exploited. Then, a defense named exLCL (extended L1 cache latency) is presented that prevents an attacker from meeting these competition conditions. Simulations based on gem5 show the effectiveness and feasibility of the exLCL defense, which has simpler logic than existing defenses.
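The abstract frames exploitability as a competition between the mispredicted branch resolving and the transient instruction chain leaving a cache footprint. The following toy timing model is an added illustration, not the paper's gem5 model or its stage definitions: it assumes a simplified three-stage chain (mispredicted bounds-check branch, speculative secret load that hits in L1, dependent probe load), treats the probe line as touched once the dependent load is issued to the cache, and models an exLCL-style defense as extra latency added only to speculative loads. All cycle counts, the `Config` fields and the function names are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Config:
    """Constructed pipeline parameters (cycles); not taken from the paper."""
    l1_hit_latency: int = 4      # baseline latency of an L1 hit
    branch_resolve: int = 12     # cycles until the mispredicted branch resolves and squashes
    spec_load_extra: int = 0     # extra latency imposed on speculative loads (exLCL-style, assumed)


def transient_timeline(cfg: Config) -> dict:
    """Simulate the transient chain on the mispredicted path of a bounds check.

    Stage 1 (cycle 0): the bounds-check branch is predicted not-taken (wrongly),
              so the out-of-bounds path starts executing speculatively.
    Stage 2: the speculative load of the secret byte hits in L1 and returns
             after l1_hit_latency (+ spec_load_extra under the defense).
    Stage 3: the dependent load into the probe array issues one cycle after the
             secret value is available; we treat the cache footprint (line fill
             request) as left at that issue cycle.
    The attacker "wins" the competition only if the footprint is left before
    the branch resolves and squashes the chain.
    """
    t_secret_done = cfg.l1_hit_latency + cfg.spec_load_extra
    t_probe_issue = t_secret_done + 1
    leaked = t_probe_issue < cfg.branch_resolve
    events = [
        ("branch_mispredicted", 0),
        ("secret_load_done", t_secret_done),
        ("probe_load_issued", t_probe_issue),
        ("branch_resolved_squash", cfg.branch_resolve),
    ]
    return {
        "events": sorted(events, key=lambda e: e[1]),
        "leaked": leaked,
        # Positive margin: cycles by which the footprint beats the squash.
        "margin": cfg.branch_resolve - t_probe_issue,
    }


def min_extra_latency(cfg: Config) -> int:
    """Smallest extra speculative-load latency that makes the chain lose the race.

    The chain loses once probe issue (l1 + extra + 1) is no earlier than the
    squash cycle, so extra >= branch_resolve - l1_hit_latency - 1.
    """
    return max(0, cfg.branch_resolve - cfg.l1_hit_latency - 1)


if __name__ == "__main__":
    base = Config()
    print("baseline:", transient_timeline(base))
    hardened = Config(spec_load_extra=min_extra_latency(base))
    print("with extra latency:", transient_timeline(hardened))
```

The model makes the defender's trade-off visible: the required extra latency grows with how long the branch takes to resolve, which is why a defense of this kind must be evaluated on benchmark slowdown as well as on closing the leak window.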