MuonTrap: Preventing Cross-Domain Spectre-Like Attacks by Capturing Speculative State

by   Sam Ainsworth, et al.
University of Cambridge

The disclosure of the Spectre speculative-execution attacks in January 2018 has left a severe vulnerability that systems are still struggling with how to patch. The solutions that currently exist tend to have incomplete coverage, perform badly, or have highly undesirable edge cases that cause application domains to break. MuonTrap allows processors to continue to speculate, avoiding significant reductions in performance, without impacting security. We instead prevent the propagation of any state based on speculative execution, by placing the results of speculative cache accesses into a small, fast L0 filter cache, that is non-inclusive, non-exclusive with the rest of the cache hierarchy. This isolates all parts of the system that can't be quickly cleared on any change in threat domain. MuonTrap uses these speculative filter caches, which are cleared on context and protection-domain switches, along with a series of extensions to the cache coherence protocol and prefetcher. This renders systems immune to cross-domain information leakage via Spectre and a host of similar attacks based on speculative execution, with low performance impact and few changes to the CPU design.


page 8

page 10

page 11


PREFENDER: A Prefetching Defender against Cache Side Channel Attacks as A Pretender

Cache side channel attacks are increasingly alarming in modern processor...

KLEESPECTRE: Detecting Information Leakage through Speculative Cache Attacks via Symbolic Execution

Spectre attacks disclosed in early 2018 expose data leakage scenarios vi...

On the Incomparability of Cache Algorithms in Terms of Timing Leakage

Modern computer architectures rely on caches to reduce the latency gap b...

HybCache: Hybrid Side-Channel-Resilient Caches for Trusted Execution Environments

Modern multi-core processors share cache resources for maximum cache uti...

Chunked-Cache: On-Demand and Scalable Cache Isolation for Security Architectures

Shared cache resources in multi-core processors are vulnerable to cache ...

ReversiSpec: Reversible Coherence Protocol for Defending Transient Attacks

The recent works such as InvisiSpec, SafeSpec, and Cleanup-Spec, among o...

oo7: Low-overhead Defense against Spectre Attacks

The Spectre vulnerability in modern processors has been reported earlier...

Please sign up or login with your details

Forgot password? Click here to reset