Speculative Interference Attacks: Breaking Invisible Speculation Schemes
Recent security vulnerabilities that target speculative execution (e.g., Spectre) present a significant challenge for processor design. The highly publicized vulnerability uses speculative execution to learn victim secrets by changing cache state. As a result, recent computer architecture research h...
Format: | Article |
---|---|
Language: | eng |
creator | Behnia, Mohammad; Sahu, Prateek; Paccagnella, Riccardo; Yu, Jiyong; Zhao, Zirui; Zou, Xiang; Unterluggauer, Thomas; Torrellas, Josep; Rozas, Carlos; Morrison, Adam; Mckeen, Frank; Liu, Fangfei; Gabor, Ron; Fletcher, Christopher W; Basak, Abhishek; Alameldeen, Alaa |
---|---|
description | Recent security vulnerabilities that target speculative execution (e.g.,
Spectre) present a significant challenge for processor design. The highly
publicized vulnerability uses speculative execution to learn victim secrets by
changing cache state. As a result, recent computer architecture research has
focused on invisible speculation mechanisms that attempt to block changes in
cache state due to speculative execution. Prior work has shown significant
success in preventing Spectre and other vulnerabilities at modest performance
costs. In this paper, we introduce speculative interference attacks, which show
that prior invisible speculation mechanisms do not fully block these
speculation-based attacks. We make two key observations. First, misspeculated
younger instructions can change the timing of older, bound-to-retire
instructions, including memory operations. Second, changing the timing of a
memory operation can change the order of that memory operation relative to
other memory operations, resulting in persistent changes to the cache state.
Using these observations, we demonstrate (among other attack variants) that
secret information accessed by mis-speculated instructions can change the order
of bound-to-retire loads. Load timing changes can therefore leave
secret-dependent changes in the cache, even in the presence of invisible
speculation mechanisms. We show that this problem is not easy to fix:
Speculative interference converts timing changes to persistent cache-state
changes, and timing is typically ignored by many cache-based defenses. We
develop a framework to understand the attack and demonstrate concrete
proof-of-concept attacks against invisible speculation mechanisms. We provide
security definitions sufficient to block speculative interference attacks;
describe a simple defense mechanism with a high performance cost; and discuss
how future research can improve its performance. |
doi_str_mv | 10.48550/arxiv.2007.11818 |
format | Article |
date | 2020-07-23 |
fulltext | fulltext_linktorsrc |
identifier | DOI: 10.48550/arxiv.2007.11818 |
language | eng |
recordid | cdi_arxiv_primary_2007_11818 |
source | arXiv.org |
subjects | Computer Science - Cryptography and Security; Computer Science - Hardware Architecture |
title | Speculative Interference Attacks: Breaking Invisible Speculation Schemes |
url | https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2024-12-17T01%3A54%3A03IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-arxiv_GOX&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Speculative%20Interference%20Attacks:%20Breaking%20Invisible%20Speculation%20Schemes&rft.au=Behnia,%20Mohammad&rft.date=2020-07-23&rft_id=info:doi/10.48550/arxiv.2007.11818&rft_dat=%3Carxiv_GOX%3E2007_11818%3C/arxiv_GOX%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_id=info:pmid/&rfr_iscdi=true |