Ghostbusting: mitigating spectre with intraprocess memory isolation

Spectre attacks have drawn much attention since their announcement. Speculative execution creates so-called transient instructions, those whose results are ephemeral and not committed architecturally. However, various side-channels exist to extract these transient results from the microarchitecture, e.g., caches. Spectre Variant 1, the so-called Bounds Check Bypass, was the first such attack to be demonstrated. Leveraging transient read instructions and cache-timing effects, the adversary can read secret data. In this work, we explore the ability of intraprocess memory isolation to mitigate Spectre Variant 1 attacks. We demonstrate this using Executable and Linkable Format-based access control (ELFbac) which is a technique for achieving intraprocess memory isolation at the application binary interface (ABI) level. Additionally, we consider Memory Protection Keys (MPKs), a recent extension to Intel processors, that partition virtual pages into security domains. Using the original Spectre proof-of-concept (POC) code, we show how ELFbac and MPKs can be used to thwart Spectre Variant 1 by constructing explicit policies to allow and disallow the exploit. We compare our techniques against the commonly suggested mitigation using serialized instructions, e.g., lfence. Additionally, we consider other Spectre variants based on transient execution that intraprocess memory isolation would naturally mitigate.

[1]  Christian Rossow,et al.  ret2spec: Speculative Execution Using Return Stack Buffers , 2018, CCS.

[2]  Michael Schwarz,et al.  ConTExT: A Generic Approach for Mitigating Spectre , 2020, NDSS.

[3]  Herbert Bos,et al.  ASLR on the Line: Practical Cache Attacks on the MMU , 2017, NDSS.

[4]  Nael B. Abu-Ghazaleh,et al.  Spectre Returns! Speculation Attacks Using the Return Stack Buffer , 2018, IEEE Design & Test.

[5]  Herbert Bos,et al.  RIDL: Rogue In-Flight Data Load , 2019, 2019 IEEE Symposium on Security and Privacy (SP).

[6]  Craig Disselkoen,et al.  Constant-time foundations for the new spectre era , 2020, PLDI.

[7]  Carl A. Waldspurger,et al.  Speculative Buffer Overflows: Attacks and Defenses , 2018, ArXiv.

[8]  Michael Hamburg,et al.  Spectre Attacks: Exploiting Speculative Execution , 2018, 2019 IEEE Symposium on Security and Privacy (SP).

[9]  Niels Provos,et al.  Preventing Privilege Escalation , 2003, USENIX Security Symposium.

[10]  Daniel Gruss,et al.  ZombieLoad: Cross-Privilege-Boundary Data Sampling , 2019, CCS.

[11]  Michael L. Scott,et al.  Hodor: Intra-Process Isolation for High-Throughput Data Plane Libraries , 2019, USENIX Annual Technical Conference.

[12]  Sergey Bratus,et al.  Reinventing the privilege drop: how principled preservation of programmer intent would prevent security bugs , 2018, HotSoS.

[13]  Guanhua Wang,et al.  oo7: Low-overhead Defense against Spectre Attacks via Program Analysis , 2018 .

[14]  Onur Aciiçmez,et al.  Predicting Secret Keys Via Branch Prediction , 2007, CT-RSA.

[15]  Frank Piessens,et al.  A Systematic Evaluation of Transient Execution Attacks and Defenses , 2018, USENIX Security Symposium.

[16]  Michael Hamburg,et al.  Meltdown: Reading Kernel Memory from User Space , 2018, USENIX Security Symposium.

[17]  Jerome H. Saltzer,et al.  The protection of information in computer systems , 1975, Proc. IEEE.

[18]  Sergey Bratus,et al.  ELFbac: Using the Loader Format for Intent-Level Semantics and Fine-Grained Protection , 2013 .

[19]  Peter Druschel,et al.  ERIM: Secure, Efficient In-process Isolation with Protection Keys (MPK) , 2019, USENIX Security Symposium.

[20]  Xi Chen,et al.  No Need to Hide: Protecting Safe Regions on Commodity Hardware , 2017, EuroSys.

[21]  Jean-Pierre Seifert,et al.  On the power of simple branch prediction analysis , 2007, ASIACCS '07.

[22]  Heechul Yun,et al.  SpectreGuard: An Efficient Data-centric Defense Mechanism against Spectre Attacks , 2019, 2019 56th ACM/IEEE Design Automation Conference (DAC).