Rethinking Speculative Execution from a Security Perspective

Abstract: Speculative out-of-order execution is one of the fundamental building blocks of modern, high-performance processors. To maximize the utilization of the system's resources, hardware and software security checks can be temporarily ignored in the speculative domain without affecting the correctness of the application, as long as no architectural changes are made before transitioning to the non-speculative domain. Similarly, the microarchitectural state of the system, which is by necessity modified by every single operation (speculative or otherwise), also does not affect the correctness of the application, as such state is meant to be invisible at the architectural level. Unfortunately, while the microarchitectural state of the system is indeed separate from the architectural state and is typically hidden from the user, it can still be observed indirectly through its side-effects, using "side-channels". Starting with Meltdown and Spectre, speculative execution, combined with existing side-channel attacks, can be abused to bypass both hardware and software security barriers and illegally gain access to data that would not be accessible otherwise.

Embroiled in a battle between security and efficiency, computer architects have designed numerous microarchitectural solutions to this issue, all the while new attacks are constantly being discovered. This thesis proposes two such speculative side-channel defenses, Ghost loads and Delay-on-Miss, both of which protect against speculative side-channel attacks that use the cache and memory hierarchy as their side-channel. Ghost loads work by making speculative loads invisible in the memory hierarchy, while Delay-on-Miss, which is both simpler and more secure than Ghost loads, restricts speculative loads from even reaching many levels of the hierarchy.

At the same time, this thesis also tackles security problems brought on by speculative execution that are not themselves speculative side-channel attacks, namely microarchitectural replay attacks. In these, the attacker abuses speculative execution not to gain access to data but to amplify an already existing side-channel. This is achieved by trapping the execution of a victim application in a repeating window of speculation, forcing it to squash and re-execute the same side-channel instructions again and again. To counter such attacks, Delay-on-Squash is introduced, which prevents instructions from being replayed in the same window of speculation, hence stopping any microarchitectural replay attempt.

Overall, between Delay-on-Squash, Delay-on-Miss, and Ghost loads, this thesis covers a wide range of insecure microarchitectural behaviors and secure countermeasures for them, all the while balancing the trade-offs between security, performance, and complexity.
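The following toy model, added here as an illustration and not taken from the thesis or its simulator, shows the difference between the three policies named in the abstract on two constructed scenarios: a Spectre-style two-load gadget executed past a mispredicted bounds check (does the squashed speculation leave a probe line in the cache?), and a replay scenario in which an older instruction is squashed repeatedly (how many times does a younger, side-channel-bearing load execute?). The cache is a bare set of line numbers, the addresses and the 64-byte line size are assumptions, and the policy mechanics are deliberately simplified (for instance, Delay-on-Squash is modelled as holding any previously squashed instruction until the window becomes non-speculative).

```python
"""Toy model of Ghost loads, Delay-on-Miss and Delay-on-Squash.

Constructed example (assumptions throughout): a one-level cache tracked as a
set of line numbers, a two-load Spectre-style gadget, and a replay scenario.
  BASELINE        speculative loads execute and fill the cache normally
  GHOST           speculative loads execute but never change cache state
  DELAY_ON_MISS   speculative loads that hit execute; a miss waits until the
                  load is non-speculative (here: it is squashed first)
  DELAY_ON_SQUASH an instruction already squashed in this window is not
                  re-executed speculatively; it waits until non-speculative
"""
from dataclasses import dataclass, field

LINE = 64              # assumed cache line size in bytes
PROBE_BASE = 0x10000   # assumed address of the attacker's 256-line probe array
SECRET_ADDR = 0x2000   # assumed address of the out-of-bounds secret byte

BASELINE, GHOST, DELAY_ON_MISS, DELAY_ON_SQUASH = range(4)


@dataclass
class Cache:
    """Cache contents modelled only as the set of line numbers present."""
    lines: set = field(default_factory=set)

    def present(self, addr: int) -> bool:
        return addr // LINE in self.lines

    def fill(self, addr: int) -> None:
        self.lines.add(addr // LINE)


def spec_load(cache: Cache, memory: dict, addr: int, policy: int):
    """Execute one speculative load under `policy`.

    Returns the loaded value, or None when the policy holds the load back
    (in this scenario the window is squashed before it could ever issue).
    """
    hit = cache.present(addr)
    if policy == DELAY_ON_MISS and not hit:
        return None                   # held: no fill, no value for consumers
    if policy != GHOST and not hit:
        cache.fill(addr)              # ordinary miss handling leaves a footprint
    return memory[addr]               # GHOST: data returned, cache untouched


def leaked_probe_line(policy: int, secret_byte: int):
    """Spectre-style gadget run past a mispredicted bounds check.

    The secret byte is assumed to be cached already (the victim used it
    recently); the probe array was flushed by the attacker beforehand.
    Returns the probe line found cached after the squash, or None.
    """
    memory = {SECRET_ADDR: secret_byte}
    memory.update({PROBE_BASE + i * LINE: 0 for i in range(256)})
    cache = Cache()
    cache.fill(SECRET_ADDR)

    # Speculative window: both loads issue before the branch resolves.
    value = spec_load(cache, memory, SECRET_ADDR, policy)
    if value is not None:
        spec_load(cache, memory, PROBE_BASE + value * LINE, policy)
    # Branch resolves as mispredicted: architectural effects are discarded,
    # but whatever reached `cache` stays. The attacker times every line.
    for i in range(256):
        if cache.present(PROBE_BASE + i * LINE):
            return i
    return None


def leaky_executions(policy: int, induced_squashes: int) -> int:
    """Microarchitectural replay: an older instruction in the window is made
    to squash `induced_squashes` times; count executions of a younger load
    whose execution is observable through some existing side-channel.

    Simplification: every squash re-issues all younger instructions, and the
    window becomes non-speculative after the last induced squash.
    """
    executions = 0
    squashed_before = False
    for _ in range(induced_squashes):
        if not (policy == DELAY_ON_SQUASH and squashed_before):
            executions += 1           # speculative (re)execution, observable
        squashed_before = True        # older instruction squashes the window
    return executions + 1             # final, non-speculative execution


if __name__ == "__main__":
    names = ["baseline", "ghost", "delay-on-miss", "delay-on-squash"]
    for p, name in enumerate(names):
        print(f"{name:16} leaks probe line: {leaked_probe_line(p, 0x41)}"
              f"  replay executions (1000 squashes): {leaky_executions(p, 1000)}")
```

Two things the model makes visible that the abstract only states: Delay-on-Squash is not a side-channel defense (it leaves the probe line behind exactly as the baseline does), and Delay-on-Miss stops the gadget even though the first, in-cache load is allowed to execute, because the dependent probe load misses and is therefore never issued before the squash.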
