Secure Speculation via Speculative Secret Flow Tracking

  • Regular Paper
Journal of Computer Science and Technology

Abstract

Speculative execution attacks can leak arbitrary program data under malicious speculation and present a severe security threat. Based on two key observations, this paper presents a software-transparent defense mechanism called speculative secret flow tracking (SSFT), which defends against all cache-based speculative execution attacks at a low performance overhead. First, we observe that an attacker must use array or pointer variables in the victim code to access arbitrary memory data; we therefore propose a strict definition of secret data that reduces the amount of data to be protected. Second, if a load is neither data-dependent nor control-dependent on secrets, its speculative execution cannot leak any secret. This paper therefore introduces the concept of speculative secret flow to analyze how secret data are obtained and propagated during speculative execution. By tracking speculative secret flow in hardware, SSFT identifies all unsafe speculative loads (USLs), i.e., speculative loads that depend on secrets. SSFT then uses three different methods to constrain the speculative execution of USLs and prevent them from leaking secrets into the cache and translation lookaside buffer (TLB) states. We evaluate SSFT on the SPEC CPU 2006 workloads; the results show that SSFT is effective and that its performance overhead is very low. To defend against all speculative execution attack variants, SSFT incurs an average slowdown of only 4.5% (Delay USL-L1Miss) or 3.8% (Invisible USLs) compared with a non-secure processor. Our analysis also shows that SSFT has a low hardware overhead.
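The two rules in the abstract (secret data is only what a speculative array/pointer access brings in; a speculative load is unsafe when its address is data-dependent on a secret or it sits under a branch whose condition is secret) can be replayed over a small instruction trace. The following is an added example written for this page, not the paper's hardware design or code: the trace format, the register names, in-order branch resolution, the untainting rule, and the two constraint policies (named after the paper's Delay USL-L1Miss and Invisible USLs modes, but with no L1 hit/miss model) are all simplifying assumptions made here.

```python
"""Toy model of speculative secret flow tracking over an instruction trace.

Added example, not the paper's hardware design. It applies the two rules the
abstract states: (1) only data fetched speculatively through an array/pointer
access is secret, and (2) a speculative load is unsafe (a USL) when its address
is data-dependent on a secret or it is control-dependent on a branch whose
condition is secret. The trace format, in-order branch resolution and the two
constraint policies are simplifying assumptions made here.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Instr:
    op: str                  # "load" | "alu" | "branch" | "resolve"
    dst: str = ""            # destination register (load / alu)
    srcs: tuple = ()         # source registers; for a load, the address registers
    via_array: bool = False  # the load goes through an array or pointer variable


@dataclass
class SSFT:
    # register -> trace index of the youngest unresolved branch its value depends on
    secret: dict = field(default_factory=dict)
    # in-flight branches, oldest first: (trace index, condition depends on a secret)
    unresolved: deque = field(default_factory=deque)
    usls: list = field(default_factory=list)  # (trace index, "data" | "control")

    def step(self, idx, ins):
        if ins.op == "branch":
            tainted = any(s in self.secret for s in ins.srcs)
            self.unresolved.append((idx, tainted))
            return "predict"
        if ins.op == "resolve":
            done, _ = self.unresolved.popleft()  # assumption: branches resolve in order
            # values that depended only on this branch are now architectural, so untaint
            self.secret = {r: b for r, b in self.secret.items() if b != done}
            return "resolve"
        deps = [self.secret[s] for s in ins.srcs if s in self.secret]
        if ins.op == "alu":
            if deps:
                self.secret[ins.dst] = max(deps)  # taint propagates through dataflow
            else:
                self.secret.pop(ins.dst, None)
            return "execute"
        # ins.op == "load"
        if not self.unresolved:
            self.secret.pop(ins.dst, None)  # non-speculative load: value is architectural
            return "execute"
        data_dep = bool(deps)                                      # address built from a secret
        ctrl_dep = any(tainted for _, tainted in self.unresolved)  # under a branch on a secret
        action = "execute"
        if data_dep or ctrl_dep:
            self.usls.append((idx, "data" if data_dep else "control"))
            action = "constrain"
        if ins.via_array or data_dep:
            # strict definition: speculative array/pointer reads yield secret data
            self.secret[ins.dst] = self.unresolved[-1][0]
        else:
            self.secret.pop(ins.dst, None)
        return action


def track(trace, policy="delay"):
    """Return (USLs, per-instruction action, registers still secret at the end)."""
    t = SSFT()
    actions = []
    for idx, ins in enumerate(trace):
        a = t.step(idx, ins)
        if a == "constrain":
            # "delay": hold the USL until the branch resolves; "invisible": let it
            # execute but allow no cache/TLB state change. Both are simplifications
            # of the paper's Delay USL-L1Miss and Invisible USLs modes (no L1 model here).
            a = "delay" if policy == "delay" else "execute-invisible"
        actions.append(a)
    return t.usls, actions, dict(t.secret)


# Constructed trace of a bounds-check-bypass gadget (not taken from the paper).
TRACE = [
    Instr("load", "x", ("rx",)),                  # 0: x = *p        scalar, not an array access
    Instr("branch", srcs=("x", "size")),          # 1: if (x < size) mispredicted, speculation starts
    Instr("load", "y", ("x",), via_array=True),   # 2: y = array1[x] secret source, not itself a USL
    Instr("alu", "t", ("y",)),                    # 3: t = y * 64    secret propagates
    Instr("load", "z", ("t",), via_array=True),   # 4: z = array2[t] USL (data-dependent)
    Instr("branch", srcs=("y",)),                 # 5: if (y & 1)    condition is secret
    Instr("load", "w", ("r0",), via_array=True),  # 6: w = array3[0] USL (control-dependent)
    Instr("resolve"),                             # 7: branch 1 resolves
    Instr("resolve"),                             # 8: branch 5 resolves
    Instr("load", "v", ("x",), via_array=True),   # 9: committed path, safe
]

if __name__ == "__main__":
    usls, actions, leftover = track(TRACE)
    for idx, reason in usls:
        print(f"USL at {idx}: {reason}-dependent -> {actions[idx]}")
    print("secret registers after resolution:", leftover)
```

The point the trace makes is the one the abstract relies on: the first array read under the mispredicted bounds check (index 2) is the secret source but is not itself constrained, because its address depends on nothing secret; only the two loads that consume the secret (index 4 through the address, index 6 through the branch condition) are USLs. Once the branches resolve, every register is untainted, so the same array read on the committed path (index 9) runs unconstrained.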




Corresponding author

Correspondence to Chun Yang.

Supplementary Information

ESM 1

(PDF 120 kb)


Cite this article

Cui, HW., Yang, C. & Cheng, X. Secure Speculation via Speculative Secret Flow Tracking. J. Comput. Sci. Technol. 38, 422–438 (2023). https://doi.org/10.1007/s11390-021-1249-4
