Speculative Interference Attacks: Breaking Invisible Speculation Schemes
Recent security vulnerabilities that target speculative execution (e.g., Spectre) present a significant challenge for processor design. The highly publicized vulnerability uses speculative execution to learn victim secrets by changing cache state. As a result, recent computer architecture research h...
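Published in: | arXiv.org 2021-04 |
---|---|
Main authors: | Behnia, Mohammad ; Sahu, Prateek ; Paccagnella, Riccardo ; Yu, Jiyong ; Zhao, Zirui ; Zou, Xiang ; Unterluggauer, Thomas ; Torrellas, Josep ; Rozas, Carlos ; Morrison, Adam ; Mckeen, Frank ; Liu, Fangfei ; Gabor, Ron ; Fletcher, Christopher W ; Basak, Abhishek ; Alameldeen, Alaa |
Format: | Article |
Language: | eng |
Subjects: | Computer architecture ; Interference ; Microprocessors |
Online access: | Full text |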
container_end_page | |
---|---|
container_issue | |
container_start_page | |
container_title | arXiv.org |
container_volume | |
creator | Behnia, Mohammad ; Sahu, Prateek ; Paccagnella, Riccardo ; Yu, Jiyong ; Zhao, Zirui ; Zou, Xiang ; Unterluggauer, Thomas ; Torrellas, Josep ; Rozas, Carlos ; Morrison, Adam ; Mckeen, Frank ; Liu, Fangfei ; Gabor, Ron ; Fletcher, Christopher W ; Basak, Abhishek ; Alameldeen, Alaa |
description | Recent security vulnerabilities that target speculative execution (e.g., Spectre) present a significant challenge for processor design. The highly publicized vulnerability uses speculative execution to learn victim secrets by changing cache state. As a result, recent computer architecture research has focused on invisible speculation mechanisms that attempt to block changes in cache state due to speculative execution. Prior work has shown significant success in preventing Spectre and other vulnerabilities at modest performance costs. In this paper, we introduce speculative interference attacks, which show that prior invisible speculation mechanisms do not fully block these speculation-based attacks. We make two key observations. First, misspeculated younger instructions can change the timing of older, bound-to-retire instructions, including memory operations. Second, changing the timing of a memory operation can change the order of that memory operation relative to other memory operations, resulting in persistent changes to the cache state. Using these observations, we demonstrate (among other attack variants) that secret information accessed by mis-speculated instructions can change the order of bound-to-retire loads. Load timing changes can therefore leave secret-dependent changes in the cache, even in the presence of invisible speculation mechanisms. We show that this problem is not easy to fix: Speculative interference converts timing changes to persistent cache-state changes, and timing is typically ignored by many cache-based defenses. We develop a framework to understand the attack and demonstrate concrete proof-of-concept attacks against invisible speculation mechanisms. We provide security definitions sufficient to block speculative interference attacks; describe a simple defense mechanism with a high performance cost; and discuss how future research can improve its performance. |
format | Article |
publisher | Ithaca: Cornell University Library, arXiv.org |
date | 2021-04-23 |
rights | 2021. This work is published under http://arxiv.org/licenses/nonexclusive-distrib/1.0/ (the “License”). Notwithstanding the ProQuest Terms and Conditions, you may use this content in accordance with the terms of the License. |
fulltext | fulltext |
identifier | EISSN: 2331-8422 |
ispartof | arXiv.org, 2021-04 |
issn | 2331-8422 |
language | eng |
recordid | cdi_proquest_journals_2426697946 |
source | Freely Accessible Journals |
subjects | Computer architecture ; Interference ; Microprocessors |
title | Speculative Interference Attacks: Breaking Invisible Speculation Schemes |
url | https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2024-12-17T01%3A32%3A06IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest&rft_val_fmt=info:ofi/fmt:kev:mtx:book&rft.genre=document&rft.atitle=Speculative%20Interference%20Attacks:%20Breaking%20Invisible%20Speculation%20Schemes&rft.jtitle=arXiv.org&rft.au=Behnia,%20Mohammad&rft.date=2021-04-23&rft.eissn=2331-8422&rft_id=info:doi/&rft_dat=%3Cproquest%3E2426697946%3C/proquest%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=2426697946&rft_id=info:pmid/&rfr_iscdi=true |