Hardware-Software Contracts for Secure Speculation

Since the discovery of Spectre, a large number of hardware mechanisms for secure speculation have been proposed. Intuitively, more defensive mechanisms are less efficient but can securely execute a larger class of programs, while more permissive mechanisms may offer more performance but require more defensive programming. Unfortunately, there are no hardware-software contracts that would turn this intuition into a basis for principled co-design. In this paper, we put forward a framework for specifying such contracts, and we demonstrate its expressiveness and flexibility. On the hardware side, we use the framework to provide the first formalization and comparison of the security guarantees provided by a representative class of mechanisms for secure speculation. On the software side, we use the framework to characterize program properties that guarantee secure co-design in two scenarios traditionally investigated in isolation: (1) ensuring that a benign program does not leak information while computing on confidential data, and (2) ensuring that a potentially malicious program cannot read outside of its designated sandbox. Finally, we show how the properties corresponding to both scenarios can be checked based on existing tools for software verification, and we use them to validate our findings on executable code.
