Log In Sign Up

Selectively Delaying Instructions to Prevent Microarchitectural Replay Attacks

by   Christos Sakalis, et al.

MicroScope, and microarchitectural replay attacks in general, take advantage of the characteristics of speculative execution to trap the execution of the victim application in an infinite loop, enabling the attacker to amplify a side-channel attack by executing it indefinitely. Due to the nature of the replay, it can be used to effectively attack security critical trusted execution environments (secure enclaves), even under conditions where a side-channel attack would not be possible. At the same time, unlike speculative side-channel attacks, MicroScope can be used to amplify the correct path of execution, rendering many existing speculative side-channel defences ineffective. In this work, we generalize microarchitectural replay attacks beyond MicroScope and present an efficient defence against them. We make the observation that such attacks rely on repeated squashes of so-called "replay handles" and that the instructions causing the side-channel must reside in the same reorder buffer window as the handles. We propose Delay-on-Squash, a technique for tracking squashed instructions and preventing them from being replayed by speculative replay handles. Our evaluation shows that it is possible to achieve full security against microarchitectural replay attacks with very modest hardware requirements, while still maintaining 97 insecure baseline performance.


page 10

page 11


Detecting Replay Attacks Using Multi-Channel Audio: A Neural Network-Based Method

With the rapidly growing number of security-sensitive systems that use v...

SafeSpec: Banishing the Spectre of a Meltdown with Leakage-Free Speculation

Speculative execution which is used pervasively in modern CPUs can leave...

Security Analysis and Fault Detection Against Stealthy Replay Attacks

This paper investigates the security issue of the data replay attacks on...

Mitigating Power Attacks through Fine-Grained Instruction Reordering

Side-channel attacks are a security exploit that take advantage of infor...

"It's a Trap!"-How Speculation Invariance Can Be Abused with Forward Speculative Interference

Speculative side-channel attacks access sensitive data and use transmitt...

CHEX: Multiversion Replay with Ordered Checkpoints

In scientific computing and data science disciplines, it is often necess...

You Shall Not Bypass: Employing data dependencies to prevent Bounds Check Bypass

A recent discovery of a new class of microarchitectural attacks called S...