InvisiSpec: Making Speculative Execution Invisible


InvisiSpec presents a novel defense mechanism to address speculative execution attacks in the cache hierarchy. By making speculative execution invisible to potential attackers, this holistic approach aims to mitigate the risks associated with exploiting side effects on incorrect paths, such as Spectre variants. The research emphasizes the importance of efficiently addressing vulnerabilities in hardware speculative execution to enhance system security.


Uploaded on Oct 01, 2024



Presentation Transcript


  1. InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy
     Mengjia Yan, Jiho Choi, Dimitrios Skarlatos, Adam Morrison, Christopher W. Fletcher, and Josep Torrellas
     University of Illinois at Urbana-Champaign; Tel Aviv University
     Authors contributed equally to this work.

  2. MICRO 18 InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy
     Motivation: Speculative Execution Attacks
     - Hardware speculative execution offers a big attack surface for covert and side channels
     - Speculative execution attacks exploit the side effects of instructions on incorrect speculative paths (squashed)
       - Compilers and programmers cannot reason about it.
     - It is crucial to fix this vulnerability efficiently

  3. Outline
     - Background
     - A comprehensive threat model
     - Invisible Speculation (InvisiSpec): the first holistic defense mechanism
     - Evaluation results and current work

  4. Speculative Execution Attacks
     - An example of Spectre Variant 1 (array bound checking attack).

     Victim code:

         if (x < array1_size) {
           val = array1[x]
           ld array2[val]      // leaves side effects in cache
         }

     Attack to read arbitrary memory:
       1) Train branch predictor
       2) Trigger branch misprediction
       3) Side channel

     Speculative execution attacks exploit side effects of instructions on paths that will be squashed.

  5. Generalization of Speculative Execution Attacks
     - Transient instructions: speculatively-executed instructions that are destined to be squashed.
     - Speculative execution attack exploits side effects of transient instructions.

     Attack: Sources of Transient Instructions
     - Spectre: control-flow misprediction
     - Meltdown, L1 Terminal Fault: virtual memory exception
     - Speculative Store Bypass: address alias between a load and an earlier store

     Example code (labelled "Transient Instruction" on the slide):

         if (x < array1_size) {
           val = array1[x]
           ld array2[val]
         }

  6. Futuristic Speculative Attack Model
     - Futuristic speculative attack model
       - An attacker can exploit any speculative load (load not at the head of ROB).
       - It includes all existing attacks and future speculative execution attacks

     Attack Model: Sources of Transient Instructions
     - Spectre: control-flow misprediction
     - Futuristic: various events, such as:
       - Exceptions
       - Control-flow mispredictions
       - Address alias between a load and an earlier store
       - Address alias between two loads
       - Memory consistency model violations
       - Interrupts

  7. Lifetime of a load instruction
     (Figure: timeline of a load with the events "Load is issued to memory", "All prior branches are resolved" and "Load reaches head of ROB"; the load is speculative after it is issued.)
     - Spectre attack model: the load is unsafe until all prior branches are resolved, then safe.
     - Futuristic attack model: the load is unsafe until it reaches the head of the ROB, then safe.
     - Visibility Point: the boundary between unsafe and safe in each model. At the head of the ROB, the load becomes unsquashable.
     - Naive solution
       - Delay issuing the load until its visibility point

  8. InvisiSpec
     - The first holistic defense mechanism against speculative execution attacks
     - Key idea: Make unsafe loads invisible in the cache hierarchy
     (Figure: load timeline with the events "Load is issued to memory", "Visibility Point" and "Load reaches head of ROB", and the steps below.)
       1) Issue an invisible load request
       2) Obtain the value and proceed to use it
       3) Make the load visible in cache
     Speculative loads are issued as early as in a conventional machine

  9. Making Unsafe Loads Invisible
     - Invisible load request
       - No modification to cache states, including:
         - Cache occupancy
         - Replacement information
         - Coherence information
         - TLB state
       - Bring the data, store in Speculative Buffer (SB) and in register
     (Figure: two cores, each with an L1 cache and an SB, above the LLC; arrows show the invisible load request and the returned data.)

  10. Making Safe Loads Visible
     (Figure: load timeline with the events "Load is issued to memory", "Visibility Point" and "Load reaches head of ROB", and the steps "Issue an invisible load request", "Obtain the value and proceed to use it", "Make the load visible in cache". The span before the load is made visible is labelled "Window of invisibility" and "Risk of memory consistency violations".)
     - Make the load visible: HW issues a normal request (which changes the caches)
     - While in the window of invisibility, processor does not receive invalidations

  11. An Example of Memory Consistency Violation
     - An example under TSO
       - P1 will see the lock is free, but has read old counter.
       - P1 will not receive an invalidation!
     (Figure: timeline for P1 and the caches, showing P1's "Ld lock" and "Ld counter" and the operations "Wr counter" and "release lock".)

  12. Maintaining Memory Consistency
     - Need to issue another access at Visibility Point: Validation
       1) HW issues a request (which changes caches)
       2) Data goes into cache. Compare the incoming data and the one in the SB
       3) If mismatch, squash the load as it violates memory consistency model
     - Problem: validations may cause a processor stall
     (Figure: timeline for P1 and the caches, showing "Ld lock" and "Ld counter" with their visibility points, "Wr counter" and "release lock", and the label "squash and retry".)

  13. Maintaining Memory Consistency (II)
     - For loads with no risk of memory consistency violation: Exposure
       - HW issues a request at the Visibility Point
       - Load does not need to wait for response to retire
       - Data goes into cache. No need to compare data
     - High performance: does not cause a stall
     See the paper for the many cases where a load can use exposures
     (Figure: timeline for P1 and the caches, showing "Ld X" with its visibility point and "Wr X".)

  14. Pros & Cons of InvisiSpec
     - Security
       - Successfully prevents attacks in both Spectre and Futuristic attack models
     - High performance
       - Speculative loads are issued as early as in a conventional machine
     - Applicability
       - Handles multi-threaded issues
     - No software changes
     - Performance overhead
       - Double accesses
       - May stall due to validations
       - BUT:
         - Many can be converted to exposures
         - Most hit in L1, and return very quickly

  15. Average Execution Time for SPEC and PARSEC (Normalized)
     (Figure: bar chart. Bars: conventional insecure baseline; "Delay load until visibility point" and "InvisiSpec" under the Spectre attack model; "Delay load until visibility point" and "InvisiSpec" under the Futuristic attack model. Data labels on the chart: 3.08, 1.74, 1.72, 1.21.)

  16. Current Work
     - Reduce performance overhead: selectively enable InvisiSpec

  17. More in the paper
     - Security analysis
     - Details of when to use validations and exposures, and overlapping of them
     - Details of implementation
     - Detailed performance and area overhead evaluation results

  18. Conclusion
     - InvisiSpec is the first comprehensive defense mechanism against speculative execution attacks in the cache hierarchy
     - We published the code of our architecture simulator: https://github.com/mjyan0720/InvisiSpec-1.0
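
The mechanism on slides 4, 9, 11 and 12 can be traced with a small behavioural model. This is an added example, not code from the slides or from the authors' simulator: the `Core` class, its method names, and all addresses and values are hypothetical, and the cache is reduced to the set of addresses one core has filled.

```python
# Toy model (added illustration): a core's observable cache state plus a Speculative Buffer (SB).
class Core:
    def __init__(self, memory):
        self.memory = memory   # shared backing store: address -> value
        self.cache = set()     # addresses this core has cached (what a cache side channel probes)
        self.sb = {}           # SB: load id -> (address, value read invisibly)

    def conventional_load(self, addr):
        self.cache.add(addr)               # fills the cache even if the load is later squashed
        return self.memory[addr]

    def invisible_load(self, lid, addr):
        value = self.memory[addr]          # data goes to the SB and a register only
        self.sb[lid] = (addr, value)
        return value

    def squash(self, lid):
        self.sb.pop(lid, None)             # transient load vanishes with no cache trace

    def validate(self, lid):
        addr, seen = self.sb.pop(lid)
        self.cache.add(addr)               # normal request at the visibility point
        return self.memory[addr] == seen   # False: squash the load and retry

    def expose(self, lid):
        addr, _ = self.sb.pop(lid)
        self.cache.add(addr)               # same fill, but no comparison and no stall

def transient_footprint(invisible):
    """Mispredicted bounds check from slide 4; returns the cache state after the squash."""
    mem = {("array1", 9): 3, ("array2", 3): 0}   # constructed values; index 9 is out of bounds
    core = Core(mem)
    if invisible:
        val = core.invisible_load(1, ("array1", 9))
        core.invisible_load(2, ("array2", val))
        core.squash(2); core.squash(1)
    else:
        val = core.conventional_load(("array1", 9))
        core.conventional_load(("array2", val))  # the squash cannot undo this fill
    return core.cache

def lock_counter_validation():
    """TSO example from slide 11: counter is read invisibly before it is updated."""
    mem = {"lock": 1, "counter": 0}              # constructed: lock held, old counter
    p1 = Core(mem)
    p1.invisible_load("ld_counter", "counter")   # executes early, reads the old value
    mem["counter"], mem["lock"] = 1, 0           # other core: Wr counter, release lock
    p1.invisible_load("ld_lock", "lock")         # P1 now sees the lock as free
    return p1.validate("ld_lock"), p1.validate("ld_counter")
```

With conventional loads the squashed path leaves both array lines in the cache; with invisible loads it leaves none, and validation of `Ld counter` reports a mismatch so the load is squashed and retried.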
