Efficiently Mitigating Transient Execution Attacks using the Unmapped Speculation Contract

Today’s kernels pay a performance penalty for mitigations (such as KPTI, retpoline, return stack stuffing, and speculation barriers) to protect against transient execution side-channel attacks such as Meltdown [21] and Spectre [16]. To address this performance penalty, this paper articulates the unmapped speculation contract, an observation that memory that isn’t mapped in a page table cannot be leaked through transient execution. To demonstrate the value of this contract, the paper presents WARD, a new kernel design that maintains a separate kernel page table for every process. This page table contains mappings for kernel memory that is safe to expose to that process. Because a process doesn’t map data of other processes, this design allows for many system calls to execute without any mitigation overhead. When a process needs access to sensitive data, WARD switches to a kernel page table that provides access to all of memory and executes with all mitigations. An evaluation of the WARD design implemented in the sv6 research kernel [8] shows that LEBench [24] can execute many system calls without mitigations. For some hardware generations, this results in performance improvement ranging from a few percent (huge page fault) to several factors (getpid), compared to a standard design with mitigations.
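The design described in the abstract can be modelled as a small state machine. The following is an added illustration, not code from WARD or sv6; the region layout, the names (`syscall_enter`, `touch`, `exposed_unmitigated`) and the single `mitigations_on` flag standing in for KPTI, retpoline and barriers are all assumptions made for the model.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed toy model: every kernel memory region is either public
 * (safe to expose to any process) or owned by exactly one process. */
enum { PUBLIC = -1 };
struct region { int owner; };           /* PUBLIC or the owning pid */

enum table { PER_PROCESS, FULL };       /* which kernel page table is loaded */

struct cpu {
    int pid;                            /* process that made the system call */
    enum table active;
    bool mitigations_on;                /* stand-in for all mitigations */
    unsigned switches;                  /* switches to the full table */
};

/* Is region r mapped in the currently loaded kernel page table? */
bool mapped(const struct cpu *c, const struct region *r) {
    if (c->active == FULL) return true;
    return r->owner == PUBLIC || r->owner == c->pid;
}

/* System calls start on the per-process table, with no mitigations. */
void syscall_enter(struct cpu *c, int pid) {
    c->pid = pid;
    c->active = PER_PROCESS;
    c->mitigations_on = false;
}

/* Kernel code touches region r. If r is not in the per-process table,
 * switch to the full table and turn every mitigation on first. */
void touch(struct cpu *c, const struct region *r) {
    if (!mapped(c, r)) {
        c->mitigations_on = true;
        c->active = FULL;
        c->switches++;
    }
}

/* The invariant the contract relies on: another process's data is only
 * ever mapped while mitigations are enabled. Returns true on violation. */
bool exposed_unmitigated(const struct cpu *c, const struct region *mem, size_t n) {
    for (size_t i = 0; i < n; i++) {
        bool foreign = mem[i].owner != PUBLIC && mem[i].owner != c->pid;
        if (foreign && mapped(c, &mem[i]) && !c->mitigations_on) return true;
    }
    return false;
}
```

In this model a call that only touches public or own-process regions never leaves the unmitigated path, which corresponds to the system calls the abstract says run without mitigation overhead.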

[1] Li Zhou, et al. SpecShield: Shielding Speculative Data from Microarchitectural Covert Channels, 2019, 2019 28th International Conference on Parallel Architectures and Compilation Techniques (PACT).

[2] Thomas F. Wenisch, et al. Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution, 2018, USENIX Security Symposium.

[3] Xiao Zhang, et al. CPI2: CPU performance isolation for shared compute clusters, 2013, EuroSys '13.

[4] Josep Torrellas, et al. Speculative Taint Tracking (STT): A Comprehensive Protection for Speculatively Accessed Data, 2019, IEEE Micro.

[5] Brian N. Bershad, et al. Improving the reliability of commodity operating systems, 2005, TOCS.

[6] Nael B. Abu-Ghazaleh, et al. SpecCFI: Mitigating Spectre Attacks using CFI Informed Speculation, 2020, 2020 IEEE Symposium on Security and Privacy (SP).

[7] Abhishek Verma, et al. Large-scale cluster management at Google with Borg, 2015, EuroSys.

[8] Michael Hamburg, et al. Spectre Attacks: Exploiting Speculative Execution, 2018, 2019 IEEE Symposium on Security and Privacy (SP).

[9] Krste Asanovic, et al. Mondrian memory protection, 2002, ASPLOS X.

[10] Daniel Gruss, et al. ZombieLoad: Cross-Privilege-Boundary Data Sampling, 2019, CCS.

[11] Frank Piessens, et al. A Systematic Evaluation of Transient Execution Attacks and Defenses, 2018, USENIX Security Symposium.

[12] Daniel Genkin, et al. SGAxe: How SGX Fails in Practice, 2020.

[13] Herbert Bos, et al. RIDL: Rogue In-Flight Data Load, 2019, 2019 IEEE Symposium on Security and Privacy (SP).

[14] Austin T. Clements, et al. The scalable commutativity rule: designing scalable software for multicore processors, 2013, SOSP.

[15] Ofir Weisse, et al. NDA: Preventing Speculative Execution Attacks at Their Source, 2019, MICRO.

[16] Krste Asanovic, et al. Mondrix: memory isolation for linux using mondriaan memory protection, 2005, SOSP '05.

[17] M. Frans Kaashoek, et al. RadixVM: scalable address spaces for multithreaded applications, 2013, EuroSys '13.

[18] Kaveh Razavi, et al. CrossTalk: Speculative Data Leaks Across Cores Are Real, 2021, 2021 IEEE Symposium on Security and Privacy (SP).

[19] Stefan Mangard, et al. KASLR is Dead: Long Live KASLR, 2017, ESSoS.

[20] Frank Piessens, et al. Fallout: Leaking Data on Meltdown-resistant CPUs, 2019, CCS.

[21] Michael Hamburg, et al. Meltdown: Reading Kernel Memory from User Space, 2018, USENIX Security Symposium.

[22] Paul C. Kocher, et al. Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems, 1996, CRYPTO.

[23] Jon Masters, et al. On the Spectre and Meltdown Processor Security Vulnerabilities, 2019, IEEE Micro.

[24] Michael Stumm, et al. An analysis of performance evolution of Linux's core operations, 2019, SOSP.

[25] Robert Schilling, et al. ConTExT: Leakage-Free Transient Execution, 2019, ArXiv.