and Effi ficient Speculative Execution JIYONG YU, NAMRATA MANTRI, - - PowerPoint PPT Presentation

Speculative Data-Oblivious Execution: Mobilizing Safe Prediction For Safe and Effi ficient Speculative Execution

JIYONG YU, NAMRATA MANTRI, JOSEP TORRELLAS, ADAM MORRISON*, CHRISTOPHER W. FLETCHER

UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN ∗TEL AVIV UNIVERSITY

1

ISCA’20 Section 5B

Speculative Execution Attacks

▪ Attacker exploits speculative execution to leak data through hardware usage

2

Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion

Speculative Execution Attacks

▪ Attacker exploits speculative execution to leak data through hardware usage

3

Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion

if (addr < N) { // speculation // access instruction secret = load [addr]; // transmit instruction transmit secret; }

time

Speculation starts

▪ Attacker exploits speculative execution to leak data through hardware usage

Speculative Execution Attacks

4

if (addr < N) { // speculation // access instruction secret = load [addr]; // transmit instruction transmit secret; }

time Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion

Speculative secret is accessed

▪ Attacker exploits speculative execution to leak data through hardware usage

Speculative Execution Attacks

5

if (addr < N) { // speculation // access instruction secret = load [addr]; // transmit instruction transmit secret; }

time Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion

Speculative secret is transmitted via hardware usage

▪ Attacker exploits speculative execution to leak data through hardware usage

Speculative Execution Attacks

6

if (addr < N) { // speculation // access instruction secret = load [addr]; // transmit instruction transmit secret; }

time Shared hardware Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion

Speculative secret is transmitted via hardware usage

▪ Attacker exploits speculative execution to leak data through hardware usage

Speculative Execution Attacks

7

if (addr < N) { // speculation // access instruction secret = load [addr]; // transmit instruction transmit secret; }

time Shared hardware Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion

addr < N

Speculative Execution Attacks

8

if (addr < N) { // speculation // access instruction secret = load [addr]; // transmit instruction transmit secret; }

time Shared hardware Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion

addr > N

▪ Attacker exploits speculative execution to leak data through hardware usage

▪ Attacker exploits speculative execution to leak data through hardware usage

Speculative Execution Attacks

9

if (addr < N) { // speculation // access instruction secret = load [addr]; // transmit instruction transmit secret; }

time Shared hardware

Attacker infers secret via hardware state

Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion

addr > N

Existing Mitigations

▪ How to deal with ?

10

transmit secret Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion

Existing Mitigations

▪ How to deal with ? ▪ Solution: Delayed Execution

▪ Prior works: SpecShield [PACT’19], NDA [MICRO’19], STT [MICRO’19]

11

transmit secret Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion Transmit instruction Hardware vulnerability load Cache side channel Floating point

• perations

Subnormal floating point …… ……

Existing Mitigations

▪ How to deal with ? ▪ Solution: Delayed Execution

▪ Prior works: SpecShield [PACT’19], NDA [MICRO’19], STT [MICRO’19]

12

transmit secret Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion

if (addr < N) { // speculation // access instruction secret = load [addr]; // transmit instruction transmit secret; }

Delaying execution Transmit instruction Hardware vulnerability load Cache side channel Floating point

• perations

Subnormal floating point …… ……

Existing Mitigations

▪ How to deal with ? ▪ Solution: Delayed Execution

▪ Prior works: SpecShield [PACT’19], NDA [MICRO’19], STT [MICRO’19]

▪ Strong security guarantee ▪ High performance overhead

13

transmit secret Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion Transmit instruction Hardware vulnerability load Cache side channel Floating point

• perations

Subnormal floating point …… ……

Existing Mitigations

▪ How to deal with ? ▪ Solution: Delayed Execution

▪ Prior works: SpecShield [PACT’19], NDA [MICRO’19], STT [MICRO’19]

▪ Problem: High performance overhead

14

transmit secret

transmit Register File … secret … Execute Unit

Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion instruction instruction instruction instruction

Improve the performance of Delayed Execution and Maintain its security guarantee

Speculative Data Oblivious (SDO): Executive Summary

15

Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion

Speculative Data Oblivious (SDO): Executive Summary

Idea 1. Execute eliminating operand-dependent hardware usage

16

transmit secret Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion High performance

Speculative Data Oblivious (SDO): Executive Summary

Idea 1. Execute eliminating operand-dependent hardware usage

17

transmit secret Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion High performance High security, low performance

by eliminating operand-dependent hardware usage (being data oblivious)

Speculative Data Oblivious (SDO): Executive Summary

Idea 1. Execute Idea 2. Predict how the execution should be performed eliminating operand-dependent hardware usage

18

transmit secret Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion High performance High security, low performance

by eliminating operand-dependent hardware usage (being data oblivious)

Speculative Data Oblivious (SDO): Executive Summary

Idea 1. Execute Idea 2. Predict how the execution should be performed Problem: combining idea 1 & 2 creates security problems Solution: build on top of Speculative Taint Tracking (STT)

19

transmit secret Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion High performance High security, low performance

by eliminating operand-dependent hardware usage (being data oblivious)

Example: Subnormal Floating-point Operation

▪ Double-precision floating point

▪ Normal input: (2.23e−308, 1.79e308), processed by Floating-Point Unit (FPU) ▪ Subnormal input: (4.9e−324, 2.23e−308), requiring microcode assist

20

Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion

a = fpop a, b

Fast path (FPU only) Slow path (with microcode assist)

Latency = X Latency = Y > X (a is normal) && (b is normal) (a is subnormal) || (b is subnormal)

Problem: Leaking Whether Input is Normal/Subnormal

21

Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion Fast path (FPU only) Slow path (with microcode assist)

Latency = Y > X // owned by attacker c = fpmult c, d // owned by victim a = fpmult a, b Latency = X

22

Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion

Problem: Leaking Whether Input is Normal/Subnormal

Fast path (FPU only) Slow path (with microcode assist)

Latency = Y > X // owned by attacker c = fpmult c, d

timeline

Both a and b are normal a = fpmult a, b

Using fast path

c = fpmult c, d

X

// owned by victim a = fpmult a, b Latency = X

23

Fast path (FPU only) Slow path (with microcode assist) Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion

Latency = X Latency = Y > X // owned by attacker c = fpmult c, d

timeline

Both a and b are normal a = fpmult a, b

Using fast path

c = fpmult c, d

timeline

a or b is subnormal a = fpmult a, b

Using slow path

c = fpmult c, d

X Y

// owned by victim a = fpmult a, b

Problem: Leaking Whether Input is Normal/Subnormal

Idea 1: Being Data Oblivious

24

a = fpmult a, b Fast path (FPU only) Slow path (with microcode assist) Select the correct answer result (fast) result (slow) Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion

Latency = X Latency = Y > X

Idea 1: Being Data Oblivious

25

a = fpmult a, b Fast path (FPU only) Slow path (with microcode assist) Select the correct answer result (fast) result (slow) Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion

Latency = X Latency = Y > X a = fpmult a, b c = fpmult c, d

Using fast and slow path Y X timeline

26

a = fpmult a, b Fast path (FPU only) Slow path (with microcode assist) Select the correct answer result (fast) result (slow) Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion

Latency = X Latency = Y > X a = fpmult a, b c = fpmult c, d

Y X Using fast and slow path timeline

Paying performance for security

Idea 1: Being Data Oblivious

Idea 2: “Predicting” Execution to Perform

27

a = fpmult a, b Fast path (FPU only) Slow path (with microcode assist) Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion

Latency = X Latency = Y > X a = fpmult a, b c = fpmult c, d

X Predicting fast path timeline Predictor

28

a = fpmult a, b Fast path (FPU only) Slow path (with microcode assist) result (fast) Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion

Latency = X Latency = Y > X a = fpmult a, b c = fpmult c, d

X Predicting fast path Dependent instructions timeline

Idea 2: “Predicting” Execution to Perform

May be invalid

Predictor

29

a = fpmult a, b Fast path (FPU only) Slow path (with microcode assist) result (fast) Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion

Latency = X Latency = Y > X

timeline

a = fpmult a, b c = fpmult c, d

X Predicting fast path Dependent instructions

a = fpmult a, b

P P+Y Resolving to slow path

Idea 2: “Predicting” Execution to Perform

Predictor

30

a = fpmult a, b Fast path (FPU only) Slow path (with microcode assist) result (fast) Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion

Latency = X Latency = Y > X

Dependent instructions

Potential new leakage

Idea 2: “Predicting” Execution to Perform

Predictor

31

a = fpmult a, b Fast path (FPU only) Slow path (with microcode assist) result (fast) Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion

Latency = X Latency = Y > X

Dependent instructions

Applying STT for Security

Speculative Taint Tracking

Predictor

32

a = fpmult a, b Fast path (FPU only) Slow path (with microcode assist) result (fast) Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion

Latency = X Latency = Y > X

Dependent instructions

Applying STT for Security

Speculative Taint Tracking

Prevent leakage via Prediction/Resolution

Predictor

33

a = fpmult a, b Fast path (FPU only) Slow path (with microcode assist) result (fast) Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion

Latency = X Latency = Y > X

Dependent instructions

Applying STT for Security

Speculative Taint Tracking

Prevent leakage via Prediction/Resolution “Taint” and hide sensitive results

Predictor

34

Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion

Applying STT for Security

How STT “prevents leakage via prediction/resolution”:

• Never update predictors with any secret information
• Delay resolution until safe

How STT “taints and hides sensitive results”:

• Sensitive data is marked tainted
• Taint propagates through program dataflow
• Transmitters with tainted arguments are handled safely

35

Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion

Applying STT for Security

How STT “prevents leakage via prediction/resolution”:

• Never update predictors with any secret information
• Delay resolution until safe

How STT “taints and hides sensitive results”:

• Sensitive data is marked tainted
• Taint propagates through program dataflow
• Transmitters with tainted arguments are handled safely

36

Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion

Applying STT for Security

How STT prevents leakage via prediction/resolution

• Never update predictors with any secret information
• Delaying resolution until safe

How STT taints and hides sensitive results:

• Sensitive data is marked tainted
• Taint propagates through program dataflow
• Transmitters with tainted arguments are handled safely

STT Makes Prediction Great (SAFE) Again! We build predictors to reduce defense overhead

Speculative Data Oblivious Execution (SDO)

37

Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion

Idea 1. Safely execute transmitters in a data-oblivious (DO) manner Idea 2. Predict how the execution should be performed

SDO

Net result: execute unsafe transmitters early and safely Data Oblivious variants + Predicting which variant + Safe Prediction with STT =

Speculative Data Oblivious Execution (SDO)

38

Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion

What’s Next:

• Generic SDO Framework
• Implementing SDO for load instructions
• Evaluation
• Conclusion

▪ Step 1: Define data-oblivious (DO) variants for unsafe transmitters

SDO Framework

39

Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion

SDO Framework: Step 1: Define Data-oblivious (DO) Variants

40

Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion

Transmit instruction dest <- op args DO variants DO-op1 … DO-opN Execution of DO variants (dest1, success1) <- DO-op1 args … (destN, successN) <- DO-opN args

SDO Framework: Step 1: Define Data-oblivious (DO) Variants

41

Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion dest = fpmult args Fast path (FPU only) Slow path (with microcode assist)

destfast, successfast <- fast_path args (successfast = TRUE if args is normal) destslow, successslow <- slow_path args (successslow = TRUE if args is subnormal) Transmit instruction dest <- op args DO variants DO-op1 … DO-opN Execution of DO variants (dest1, success1) <- DO-op1 args … (destN, successN) <- DO-opN args

SDO Framework: Step 1: Define Data-oblivious (DO) Variants

42

Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion dest = fpmult args Fast path (FPU only) Slow path (with microcode assist)

destfast, successfast <- fast_path args (successfast = TRUE if args is normal) destslow, successslow <- slow_path args (successslow = TRUE if args is subnormal) Transmit instruction dest <- op args DO variants DO-op1 … DO-opN Execution of DO variants (dest1, success1) <- DO-op1 args … (destN, successN) <- DO-opN args

SDO Framework: Step 2: Predict Which DO Variant to Use

43

Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion

Transmit instruction dest <- op args DO variants DO-op1 … DO-opN Predictor Pred Predicting DO variant i <- Pred.predict (public_input) (desti, successi) <- DO-opi args

SDO Framework: Step 2: Predict Which DO Variant to Use

44

Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion dest = fpmult args Fast path (FPU only) Slow path (with microcode assist)

destfast, successfast <- fast_path args (successfast = TRUE if args is normal successfast = FALSE if args is subnormal)

Static Predictor: always predicting “Fast path” destfast Dependent instructions

Transmit instruction dest <- op args DO variants DO-op1 … DO-opN Predictor Pred Predicting DO variant i <- Pred.predict (public_input) (desti, successi) <- DO-opi args

SDO Framework: Step 3: Resolve Prediction when safe

45

Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion dest = fpmult args Fast path (FPU only) Slow path (with microcode assist) destfast Dependent instructions

Transmit instruction dest <- op args DO variants DO-op1 … DO-opN Predictor Pred Predicting DO variant i <- Pred.predict (public_input) (desti, successi) <- DO-opi args Resolving when safe Pred.update(…) if (!successi) squash from “dest <- op args”

SDO Framework: Step 3: Resolve Prediction when safe

46

Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion

Transmit instruction dest <- op args DO variants DO-op1 … DO-opN Predictor Pred Predicting DO variant i <- Pred.predict (public_input) (desti, successi) <- DO-opi args Resolving when safe Pred.update(…) if (!successi) squash from “dest <- op args”

dest = fpmult args Fast path (FPU only) Slow path (with microcode assist) destfast Dependent instructions successfast == FALSE

Designing SDO for Loads

▪ Load is the vital motivation and challenge for SDO

▪ The execution of loads is complicated, susceptible to various attacks ▪ Most performance overhead comes from loads

47

Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion

Step 1: Define DO Variants for Loads

▪ DO variants

▪ DO-ldL1 : only accessing L1 ▪ DO-ldL2 : only accessing L1 and L2 sequentially ▪ DO-ldL3 : only accessing L1, L2 and L3 sequentially ▪ DO-ldMem : accessing L1, L2, L3 and DRAM sequentially

▪ (destXX, successXX) <- DO-ldXX addr // destXX = ⊥ if successXX == FALSE

48

Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion

Step 1: Define DO Variants for Loads

▪ DO variants

▪ DO-ldL1 : only accessing L1 ▪ DO-ldL2 : only accessing L1 and L2 sequentially ▪ DO-ldL3 : only accessing L1, L2 and L3 sequentially ▪ DO-ldMem : accessing L1, L2, L3 and DRAM sequentially

▪ (destXX, successXX) <- DO-ldXX addr // destXX = ⊥ if successXX == FALSE ▪ DO variants (DO-ldLi) must be free of adversary-observable hardware resource usage

▪ Cannot modify cache state (tag, data, LRU bits, etc.) ▪ Cannot incur address-dependent latency (e.g., free of bank conflict, port contention) ▪ ……

49

Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion

Step 1: Define DO Variants for Loads

▪ DO variants

▪ DO-ldL1 : only accessing L1 ▪ DO-ldL2 : only accessing L1 and L2 sequentially ▪ DO-ldL3 : only accessing L1, L2 and L3 sequentially ▪ DO-ldMem : accessing L1, L2, L3 and DRAM sequentially

▪ (destXX, successXX) <- DO-ldXX addr // destXX = ⊥ if successXX == FALSE ▪ DO variants (DO-ldLi) must be free of adversary-observable hardware resource usage

▪ Cannot modify cache state (tag, data, LRU bits, etc.) ▪ Cannot incur address-dependent latency (e.g., free of bank conflict, port contention) ▪ ……

▪ For more details (e.g., load re-ordering, performance optimizations) about DO variants, please see the paper

50

Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion

Step 2: Predict Which DO Variant to Use

▪ Goal: accurate and precise cache level prediction

▪ Suppose a load requires data from cache level i and the predictor predicts level j ▪ “accurate and precise”: i == j ▪ “accurate but imprecise”: i < j -> redundant cache access -> unnecessary load latency ▪ “inaccurate”: i > j

• > cache miss -> writeback ⊥ to dependents -> squash

51

Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion

Predicted level DO Variant 1(L1) DO-ldL1 2(L2) DO-ldL2 3(L3) DO-ldL3 4(Memory) DO-ldMem

Step 2: Predict Which DO Variant to Use

▪ Goal: accurate and precise cache level prediction

▪ Suppose a load requires data from cache level i and the predictor predicts level j ▪ “accurate and precise”: i == j ▪ “accurate but imprecise”: i < j -> redundant cache access -> unnecessary load latency ▪ “inaccurate”: i > j

• > cache miss -> writeback ⊥ to dependents -> squash

▪ Hybrid predictor:

▪ “Greedy” (for loads with irregular access pattern): Maintain a history, and pick the lowest level among history ▪ “Loop” (for loads with regular access pattern) Learn the recurring pattern, and predict based on the pattern

52

Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion

Predicted level DO Variant 1(L1) DO-ldL1 2(L2) DO-ldL2 3(L3) DO-ldL3 4(Memory) DO-ldMem

Step 3: Resolve When Load is Safe

▪ Update the predictor ▪ Squash if success == FALSE ▪ In a multi-processor:

DO-ldLX cannot modify cache state → Data fetched by DO-ldLX may not be cached in L1 → May missing cache invalidation

▪ Solution: send a second load request to validate if a cache invalidation was missed

▪ We adopt the validation infrastructure proposed in InvisiSpec [MICRO’18]

53

Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion

Performance Evaluation on SPEC2017

54

Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion

Perf Overhead over Insecure Baseline

“Spectre” attack model Consider control-flow speculation “Futuristic” attack model Consider all types of speculation

Static L1: always predicting DO-ldL1 Static L2: always predicting DO-ldL2 Static L3: always predicting DO-ldL3 Hybrid: using the hybrid predictor Perfect: prediction is accurate and precise Transmitters:

• Load
• Floating-point multiplication
• Floating-point division

Conclusion

▪ SDO serves as a new speculative execution attack mitigation with high- performance and high-security ▪ The proposed SDO framework augments STT with significant speedup without compromising security Data Oblivious variants + Predicting which variant + Safe Prediction with STT = Safe, early execution of transmitters

55

Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion

56

57

a = fpmult a, b Fast path (FPU only) Slow path (with microcode assist) result (fast) Introduction Speculative Data-Oblivious SDO Framework SDO for Loads Evaluation Conclusion

Latency = X Latency = Y > X

Dependent instructions

Applying STT for Security

Speculative Taint Tracking

Prevent leakage via Prediction/Resolution

Predictor

STT: prediction and resolution never depend on sensitive data We can build new predictors to get more performance

“Taint” and hide sensitive results