Speculative Interference Attacks: Breaking Invisible Speculation Schemes

07/23/2020
by Mohammad Behnia, et al.

Recent security vulnerabilities that target speculative execution (e.g., Spectre) present a significant challenge for processor design. The highly publicized vulnerability uses speculative execution to learn victim secrets by changing cache state. As a result, recent computer architecture research has focused on invisible speculation mechanisms that attempt to block changes in cache state due to speculative execution. Prior work has shown significant success in preventing Spectre and other vulnerabilities at modest performance costs. In this paper, we introduce speculative interference attacks, which show that prior invisible speculation mechanisms do not fully block these speculation-based attacks. We make two key observations. First, misspeculated younger instructions can change the timing of older, bound-to-retire instructions, including memory operations. Second, changing the timing of a memory operation can change the order of that memory operation relative to other memory operations, resulting in persistent changes to the cache state. Using these observations, we demonstrate (among other attack variants) that secret information accessed by misspeculated instructions can change the order of bound-to-retire loads. Load timing changes can therefore leave secret-dependent changes in the cache, even in the presence of invisible speculation mechanisms. We show that this problem is not easy to fix: speculative interference converts timing changes into persistent cache-state changes, and timing is typically ignored by many cache-based defenses. We develop a framework to understand the attack and demonstrate concrete proof-of-concept attacks against invisible speculation mechanisms. We provide security definitions sufficient to block speculative interference attacks, describe a simple defense mechanism with a high performance cost, and discuss how future research can improve its performance.
