Secure Speculation via Speculative Secret Flow Tracking

Speculative execution attacks can leak arbitrary program data under malicious speculation, presenting a severe security threat. Based on two key observations, this paper presents a software-transparent defense mechanism called speculative secret flow tracking (SSFT), which is capable of defending against all cache-based speculative execution attacks with a low performance overhead. First, we observe that the attacker must use array or pointer variables in the victim code to access arbitrary memory data. Therefore, we propose a strict definition of secret data to reduce the amount of data to be protected. Second, if the load is not data-dependent and control-dependent on secrets, its speculative execution will not leak any secrets. Thus, this paper introduces the concept of speculative secret flow to analyze how secret data are obtained and propagated during speculative execution. By tracking speculative secret flow in hardware, SSFT can identify all unsafe speculative loads (USLs) that are dependent on secrets. Moreover, SSFT exploits three different methods to constrain USLs’ speculative execution and prevent them from leaking secrets into the cache and translation lookaside buffer (TLB) states. This paper evaluates the performance of SSFT on the SPEC CPU 2006 workloads, and the results show that SSFT is effective and its performance overhead is very low. To defend against all speculative execution attack variants, SSFT only incurs an average slowdown of 4.5% (Delay USL-L1Miss) or 3.8% (Invisible USLs) compared to a non-secure processor. Our analysis also shows that SSFT maintains a low hardware overhead.