Journal of Computer Science and Technology


Secure Speculation via Speculative Secret Flow Tracking

Hong-Wei Cui (崔宏伟), student Member, CCF, Chun Yang (杨 春), and Xu Cheng (程 旭), Member, CCF   

  1. Department of Computer Science and Technology, Engineering Research Center of Microprocessor and System, Peking University, Beijing 100871, China

Speculative execution attacks can leak arbitrary program data under malicious speculation, presenting a severe security threat. Based on two key observations, this paper presents a software-transparent defense mechanism called speculative secret flow tracking (SSFT), which is capable of defending against all cache-based speculative execution attacks with a low performance overhead. First, we observe that the attacker must use array or pointer variables in the victim code to access arbitrary memory data. Therefore, we propose a strict definition of secret data to reduce the amount of data to be protected. Second, if the load is not data-dependent or control-dependent on secrets, its speculative execution will not leak any secrets. Thus, this paper introduces the concept of speculative secret flow to analyze how secret data are obtained and propagated during speculative execution. By tracking speculative secret flow in hardware, SSFT can identify all unsafe speculative loads (USLs) that are dependent on secrets. Moreover, SSFT exploits three different methods to constrain USLs' speculative execution and prevent them from leaking secrets into the cache and translation lookaside buffer (TLB) states. This paper evaluates the performance of SSFT on the SPEC CPU 2006 workloads, and the results show that SSFT is effective and its performance overhead is very low. To defend against all speculative execution attack variants, SSFT only incurs an average slowdown of 4.5% (Delay USL-L1Miss) or 3.8% (Invisible USLs) compared to a non-secure processor. Our analysis also shows that SSFT maintains a low hardware overhead.


4、结果(Result & Findings):为了抵御所有基于缓存侧信道的推测执行攻击,相对于以前的防御策略,SSFT能够减少平均64.3%的需要阻塞的推测状态的加载指令。为了阻止不安全的加载指令修改缓存状态,SSFT采用了两种不同复杂程度的策略,并且实验结果表明这两种设计的平均性能开销分别仅为4.5%和3.8%。

Key words: cache side channel attacks, hardware, speculative execution attacks, security


No related articles found!
Full text



[1] Zhou Di;. A Recovery Technique for Distributed Communicating Process Systems[J]. , 1986, 1(2): 34 -43 .
[2] Chen Shihua;. On the Structure of Finite Automata of Which M Is an(Weak)Inverse with Delay τ[J]. , 1986, 1(2): 54 -59 .
[3] Feng Yulin;. Recursive Implementation of VLSI Circuits[J]. , 1986, 1(2): 72 -82 .
[4] Wang Xuan; Lü Zhimin; Tang Yuhai; Xiang Yang;. A High Resolution Chinese Character Generator[J]. , 1986, 1(2): 1 -14 .
[5] Sun Zhongxiu; Shang Lujun;. DMODULA:A Distributed Programming Language[J]. , 1986, 1(2): 25 -31 .
[6] Gao Qingshi; Zhang Xiang; Yang Shufan; Chen Shuqing;. Vector Computer 757[J]. , 1986, 1(3): 1 -14 .
[7] Jin Lan; Yang Yuanyuan;. A Modified Version of Chordal Ring[J]. , 1986, 1(3): 15 -32 .
[8] Pan Qijing;. A Routing Algorithm with Candidate Shortest Path[J]. , 1986, 1(3): 33 -52 .
[9] Chen Zhaoxiong; Gao Qingshi;. A Substitution Based Model for the Implementation of PROLOG——The Design and Implementation of LPROLOG[J]. , 1986, 1(4): 17 -26 .
[10] Min Yinghua; Han Zhide;. A Built-in Test Pattern Generator[J]. , 1986, 1(4): 62 -74 .

ISSN 1000-9000(Print)

CN 11-2296/TP

Editorial Board
Author Guidelines
Journal of Computer Science and Technology
Institute of Computing Technology, Chinese Academy of Sciences
P.O. Box 2704, Beijing 100190 P.R. China
  Copyright ©2015 JCST, All Rights Reserved