DOI: 10.1145/3471621.3471857
research-article
Open access

BasicBlocker: ISA Redesign to Make Spectre-Immune CPUs Faster

Published: 07 October 2021

Abstract

Recent research has revealed an ever-growing class of microarchitectural attacks that exploit speculative execution, a standard feature in modern processors. Proposed and deployed countermeasures involve a variety of compiler updates, firmware updates, and hardware updates. None of the deployed countermeasures have convincing security arguments, and many of them have already been broken.
The obvious way to simplify the analysis of speculative-execution attacks is to eliminate speculative execution. This is normally dismissed as being unacceptably expensive, but the underlying cost analyses consider only software written for current instruction-set architectures, so they do not rule out the possibility of a new instruction-set architecture providing acceptable performance without speculative execution. A new ISA requires compiler and hardware updates, but these are happening in any case.
This paper introduces BasicBlocker, a generic ISA modification that works for all common ISAs and that allows non-speculative CPUs to obtain most of the performance benefit that would have been provided by speculative execution. To demonstrate the feasibility of BasicBlocker, this paper defines a variant of the RISC-V ISA called BBRISC-V and provides a thorough evaluation on both a 5-stage in-order soft core and a superscalar out-of-order processor using an associated compiler and a variety of benchmarks.

Published In

RAID '21: Proceedings of the 24th International Symposium on Research in Attacks, Intrusions and Defenses
October 2021
468 pages
ISBN:9781450390583
DOI:10.1145/3471621
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Hardware
  2. RISC-V
  3. Spectre

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

RAID '21

Acceptance Rates

Overall Acceptance Rate 43 of 173 submissions, 25%

Article Metrics

  • Total Citations: 0
  • Total Downloads: 958
  • Downloads (Last 12 months): 373
  • Downloads (Last 6 weeks): 44

Reflects downloads up to 25 Nov 2024
