Speculative taint tracking (STT): A comprehensive protection for speculatively accessed data

Jiyong Yu, Mengjia Yan, Artem Khyzha, Adam Morrison, Josep Torrellas, Christopher W. Fletcher

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Speculative execution attacks present an enormous security threat, capable of reading arbitrary program data under malicious speculation, and later exfiltrating that data over microarchitectural covert channels. Since these attacks first rely on being able to read arbitrary data (potential secrets), a conservative approach to defeat all attacks is to delay the execution of instructions that read those secrets, until those instructions become non-speculative. This paper's premise is that it is safe to execute and selectively forward the results of speculative instructions that read secrets, which improves performance, as long as we can prove that the forwarded results do not reach potential covert channels.We propose a comprehensive hardware protection based on this idea, called Speculative Taint Tracking (STT), capable of protecting all speculatively accessed data. Our work addresses two key challenges. First, to safely selectively forward secrets, we must understand what instruction(s) can form covert channels. We provide a comprehensive study of covert channels on speculative microarchitectures, and use this study to develop hardware mechanisms that block each class of channel. Along the way, we find new classes of covert channels related to implicit flow on speculative machines. Second, for performance, it is essential to disable protection on previously protected data, as soon as doing so is safe. We identify that the earliest time is when the instruction( s) producing the protected data become non-speculative, and design a novel microarchitecture for disabling protection at this moment. We provide an extensive formal analysis showing that STT enforces a novel form of non-interference, with respect to all speculatively accessed data. We further evaluate STT on 21 SPEC and 9 PARSEC workloads, and find it adds only 8.5%/14.5% overhead (depending on attack model) relative to an insecure machine, while reducing overhead by 4.7/18.8 relative to a baseline secure scheme.

Original languageEnglish (US)
Title of host publicationMICRO 2019 - 52nd Annual IEEE/ACM International Symposium on Microarchitecture, Proceedings
PublisherIEEE Computer Society
Pages954-968
Number of pages15
ISBN (Electronic)9781450369381
DOIs
StatePublished - Oct 12 2019
Event52nd Annual IEEE/ACM International Symposium on Microarchitecture, MICRO 2019 - Columbus, United States
Duration: Oct 12 2019Oct 16 2019

Publication series

NameProceedings of the Annual International Symposium on Microarchitecture, MICRO
ISSN (Print)1072-4451

Conference

Conference52nd Annual IEEE/ACM International Symposium on Microarchitecture, MICRO 2019
CountryUnited States
CityColumbus
Period10/12/1910/16/19

Keywords

  • Hardware
  • Information flow
  • Security
  • Speculative execution attacks

ASJC Scopus subject areas

  • Hardware and Architecture

Fingerprint Dive into the research topics of 'Speculative taint tracking (STT): A comprehensive protection for speculatively accessed data'. Together they form a unique fingerprint.

Cite this