Mitigating Speculation-based Attacks through Configurable Hardware/Software Co-design
Date Issued
June 20, 2023
DOI
10.48550/arXiv.2306.11291
Abstract
New speculation-based attacks that affect large numbers of modern systems are
disclosed regularly. Currently, CPU vendors regularly fall back to heavy-handed
mitigations like using barriers or enforcing strict programming guidelines
resulting in significant performance overhead. What is missing is a solution
that allows for efficient mitigation and is flexible enough to address both
current and future speculation vulnerabilities, without additional hardware
changes.
In this work, we present SpecControl, a novel hardware/software co-design,
that enables new levels of security while reducing the performance overhead
that has been demonstrated by state-of-the-art methodologies. SpecControl
introduces a communication interface that allows compilers and application
developers to inform the hardware about true branch dependencies, confidential
control-flow instructions, and fine-grained instruction constraints in order to
apply restrictions only when necessary. We evaluate SpecControl against known
speculative execution attacks and in addition, present a new speculative fetch
attack variant on the Pattern History Table (PHT) in branch predictors that
shows how similar previously reported vulnerabilities are more dangerous by
enabling unprivileged attacks, especially with the state-of-the-art branch
predictors. SpecControl provides stronger security guarantees compared to the
existing defenses while reducing the performance overhead of two
state-of-the-art defenses from 51% and 43% to just 23%.
disclosed regularly. Currently, CPU vendors regularly fall back to heavy-handed
mitigations like using barriers or enforcing strict programming guidelines
resulting in significant performance overhead. What is missing is a solution
that allows for efficient mitigation and is flexible enough to address both
current and future speculation vulnerabilities, without additional hardware
changes.
In this work, we present SpecControl, a novel hardware/software co-design,
that enables new levels of security while reducing the performance overhead
that has been demonstrated by state-of-the-art methodologies. SpecControl
introduces a communication interface that allows compilers and application
developers to inform the hardware about true branch dependencies, confidential
control-flow instructions, and fine-grained instruction constraints in order to
apply restrictions only when necessary. We evaluate SpecControl against known
speculative execution attacks and in addition, present a new speculative fetch
attack variant on the Pattern History Table (PHT) in branch predictors that
shows how similar previously reported vulnerabilities are more dangerous by
enabling unprivileged attacks, especially with the state-of-the-art branch
predictors. SpecControl provides stronger security guarantees compared to the
existing defenses while reducing the performance overhead of two
state-of-the-art defenses from 51% and 43% to just 23%.