TY - JOUR
T1 - Speculative taint tracking (STT)
T2 - A Comprehensive Protection for Speculatively Accessed Data
AU - Yu, Jiyong
AU - Yan, Mengjia
AU - Khyzha, Artem
AU - Morrison, Adam
AU - Torrellas, Josep
AU - Fletcher, Christopher W.
N1 - This work was funded in part by NSF under grant CNS-1816226, Blavatnik ICRC at TAU, ISF under grant 2005/17, and by an Intel Strategic Research Alliance (ISRA) grant. We thank Joel Emer, Sarita Adve, and Shubu Mukherjee for very helpful discussions. We would especially like to thank our colleagues at Intel who contributed significant feedback throughout the project\u2019s development, in particular Fangfei Liu, Matthew Fernandez, Frank McKeen, and Carlos Rozas.
PY - 2021/12
Y1 - 2021/12
N2 - Speculative execution attacks present an enormous security threat, capable of reading arbitrary program data under malicious speculation, and later exfiltrating that data over microarchitectural covert channels. This paper proposes speculative taint tracking (STT), a high security and high performance hardware mechanism to block these attacks. The main idea is that it is safe to execute and selectively forward the results of speculative instructions that read secrets, as long as we can prove that the forwarded results do not reach potential covert channels. The technical core of the paper is a new abstraction to help identify all micro-architectural covert channels, and an architecture to quickly identify when a covert channel is no longer a threat. We further conduct a detailed formal analysis on the scheme in a companion document. When evaluated on SPEC06 workloads, STT incurs 8.5% or 14.5% performance overhead relative to an insecure machine.
AB - Speculative execution attacks present an enormous security threat, capable of reading arbitrary program data under malicious speculation, and later exfiltrating that data over microarchitectural covert channels. This paper proposes speculative taint tracking (STT), a high security and high performance hardware mechanism to block these attacks. The main idea is that it is safe to execute and selectively forward the results of speculative instructions that read secrets, as long as we can prove that the forwarded results do not reach potential covert channels. The technical core of the paper is a new abstraction to help identify all micro-architectural covert channels, and an architecture to quickly identify when a covert channel is no longer a threat. We further conduct a detailed formal analysis on the scheme in a companion document. When evaluated on SPEC06 workloads, STT incurs 8.5% or 14.5% performance overhead relative to an insecure machine.
UR - http://www.scopus.com/inward/record.url?scp=85120379998&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85120379998&partnerID=8YFLogxK
U2 - 10.1145/3491201
DO - 10.1145/3491201
M3 - Article
AN - SCOPUS:85120379998
SN - 0001-0782
VL - 64
SP - 105
EP - 112
JO - Communications of the ACM
JF - Communications of the ACM
IS - 12
ER -