TY - GEN
T1 - Speculative taint tracking (STT)
T2 - 52nd Annual IEEE/ACM International Symposium on Microarchitecture, MICRO 2019
AU - Yu, Jiyong
AU - Yan, Mengjia
AU - Khyzha, Artem
AU - Morrison, Adam
AU - Torrellas, Josep
AU - Fletcher, Christopher W.
N1 - Publisher Copyright:
© 2019 Association for Computing Machinery.
PY - 2019/10/12
Y1 - 2019/10/12
N2 - Speculative execution attacks present an enormous security threat, capable of reading arbitrary program data under malicious speculation, and later exfiltrating that data over microarchitectural covert channels. Since these attacks first rely on being able to read arbitrary data (potential secrets), a conservative approach to defeat all attacks is to delay the execution of instructions that read those secrets, until those instructions become non-speculative. This paper's premise is that it is safe to execute and selectively forward the results of speculative instructions that read secrets, which improves performance, as long as we can prove that the forwarded results do not reach potential covert channels.We propose a comprehensive hardware protection based on this idea, called Speculative Taint Tracking (STT), capable of protecting all speculatively accessed data. Our work addresses two key challenges. First, to safely selectively forward secrets, we must understand what instruction(s) can form covert channels. We provide a comprehensive study of covert channels on speculative microarchitectures, and use this study to develop hardware mechanisms that block each class of channel. Along the way, we find new classes of covert channels related to implicit flow on speculative machines. Second, for performance, it is essential to disable protection on previously protected data, as soon as doing so is safe. We identify that the earliest time is when the instruction( s) producing the protected data become non-speculative, and design a novel microarchitecture for disabling protection at this moment. We provide an extensive formal analysis showing that STT enforces a novel form of non-interference, with respect to all speculatively accessed data. We further evaluate STT on 21 SPEC and 9 PARSEC workloads, and find it adds only 8.5%/14.5% overhead (depending on attack model) relative to an insecure machine, while reducing overhead by 4.7/18.8 relative to a baseline secure scheme.
AB - Speculative execution attacks present an enormous security threat, capable of reading arbitrary program data under malicious speculation, and later exfiltrating that data over microarchitectural covert channels. Since these attacks first rely on being able to read arbitrary data (potential secrets), a conservative approach to defeat all attacks is to delay the execution of instructions that read those secrets, until those instructions become non-speculative. This paper's premise is that it is safe to execute and selectively forward the results of speculative instructions that read secrets, which improves performance, as long as we can prove that the forwarded results do not reach potential covert channels.We propose a comprehensive hardware protection based on this idea, called Speculative Taint Tracking (STT), capable of protecting all speculatively accessed data. Our work addresses two key challenges. First, to safely selectively forward secrets, we must understand what instruction(s) can form covert channels. We provide a comprehensive study of covert channels on speculative microarchitectures, and use this study to develop hardware mechanisms that block each class of channel. Along the way, we find new classes of covert channels related to implicit flow on speculative machines. Second, for performance, it is essential to disable protection on previously protected data, as soon as doing so is safe. We identify that the earliest time is when the instruction( s) producing the protected data become non-speculative, and design a novel microarchitecture for disabling protection at this moment. We provide an extensive formal analysis showing that STT enforces a novel form of non-interference, with respect to all speculatively accessed data. We further evaluate STT on 21 SPEC and 9 PARSEC workloads, and find it adds only 8.5%/14.5% overhead (depending on attack model) relative to an insecure machine, while reducing overhead by 4.7/18.8 relative to a baseline secure scheme.
KW - Hardware
KW - Information flow
KW - Security
KW - Speculative execution attacks
UR - http://www.scopus.com/inward/record.url?scp=85074449667&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85074449667&partnerID=8YFLogxK
U2 - 10.1145/3352460.3358274
DO - 10.1145/3352460.3358274
M3 - Conference contribution
AN - SCOPUS:85074449667
T3 - Proceedings of the Annual International Symposium on Microarchitecture, MICRO
SP - 954
EP - 968
BT - MICRO 2019 - 52nd Annual IEEE/ACM International Symposium on Microarchitecture, Proceedings
PB - IEEE Computer Society
Y2 - 12 October 2019 through 16 October 2019
ER -