DOI: 10.1145/3307650.3322238

Secure TLBs

Published: 22 June 2019

Abstract

This paper focuses on a new attack vector in modern processors: timing-based side and covert channel attacks due to Translation Look-aside Buffers (TLBs). The paper first presents a novel three-step modeling approach that is used to exhaustively enumerate all possible TLB timing-based vulnerabilities. Building on the three-step model, it then shows how to automatically generate micro security benchmarks that test for the TLB vulnerabilities. After showing the insecurity of standard TLBs, two new secure TLB designs are presented: a Static-Partition (SP) TLB and a Random-Fill (RF) TLB. The new secure TLBs are evaluated using the Rocket Core implementation of the RISC-V processor architecture, enhanced with the two new designs. The three-step model and the security benchmarks are used to analyze the security of the new designs in simulation. Based on the analysis, the proposed secure TLBs can defend not only against the previously publicized attacks but also against other new timing-based attacks in TLBs found using the new three-step model. The performance overhead is evaluated on an FPGA-based setup; for example, the RF TLB has less than 10% overhead while defending against all the attacks.

Published In

ISCA '19: Proceedings of the 46th International Symposium on Computer Architecture
June 2019
849 pages
ISBN:9781450366694
DOI:10.1145/3307650

Sponsors

In-Cooperation

  • IEEE-CS\DATC: IEEE Computer Society

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. TLBs
  2. timing attack defenses
  3. timing side and covert channel attacks

Qualifiers

  • Research-article

Conference

ISCA '19
Acceptance Rates

ISCA '19 Paper Acceptance Rate 62 of 365 submissions, 17%;
Overall Acceptance Rate 543 of 3,203 submissions, 17%
