Slide 1
Speculative Taint Tracking (STT): A Comprehensive Protection for Speculatively Accessed Data
Jiyong Yu, Mengjia Yan, Artem Khyzha*, Adam Morrison*, Josep Torrellas, Christopher W. Fletcher
University of Illinois at Urbana-Champaign
*Tel Aviv University

Outline: Introduction | Speculative Taint Tracking | Evaluation | Conclusion

Slide 2: Processors are Insecure

Slide 3: Speculative Execution Attacks

    // Spectre Variant 1
    if (addr < N) {              // speculation starts (addr = N+1)
        // access instruction
        spec_val = load [addr];  // speculative access instruction* accesses secret
        // covert channel
        load [spec_val];         // creates a covert channel to leak secret
    }
    // speculation ends - misspeculation!

*: Kiriansky, Vladimir, et al. "DAWG: A defense against cache timing attacks in speculative execution processors." MICRO-51, 2018.

Slide 4: Main Insight of STT

“Sufficient for security: prevent secrets from reaching covert channels”

    if (addr < N) {                  // prediction: speculation starts
        // access instruction
        spec_val = load [addr];
        // simple arithmetic
        spec_val = spec_val + 4;
        // cache/mem covert channel
        load [spec_val];
    }
    ......

While the branch is unresolved (speculation starts at the branch):

  Instruction                Creates a covert channel?   Input operand is a secret?   Requires protection?
  spec_val = load [addr];    Yes                         No                           No
  spec_val = spec_val + 4;   No                          Yes                          No
  load [spec_val];           Yes                         Yes                          Yes

Correct prediction! The instructions are non-speculative (speculation now starts at "......"):

  Instruction                Creates a covert channel?   Input operand is a secret?   Requires protection?
  spec_val = load [addr];    Yes                         No                           No
  spec_val = spec_val + 4;   No                          No                           No
  load [spec_val];           Yes                         No                           No

Incorrect prediction! Squashed!

  Instruction                Creates a covert channel?   Input operand is a secret?   Requires protection?
  spec_val = load [addr];    Yes                         No                           No
  spec_val = spec_val + 4;   No                          Yes                          No
  load [spec_val];           Yes                         Yes                          Yes
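
The three-column table on this slide, worked as a small model (an added example, not code from the slides or from the STT authors). The `Instr` type, the `classify` and `after_resolution` helpers, the register name `t0`, and the choice to treat every load as a channel-creating instruction are assumptions of this sketch; it follows the slide's three-instruction example, not STT's hardware design.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Instr:
    text: str
    kind: str      # "load" or "alu" (assumed two-kind model)
    dest: str
    srcs: tuple

# Body of the slide's `if (addr < N)` block; "t0" is a hypothetical
# destination for the final load, whose result the slide discards.
PROGRAM = [
    Instr("spec_val = load [addr];", "load", "spec_val", ("addr",)),
    Instr("spec_val = spec_val + 4;", "alu", "spec_val", ("spec_val",)),
    Instr("load [spec_val];", "load", "t0", ("spec_val",)),
]

def classify(program, speculative):
    """Rows of (text, creates_channel, operand_is_secret, needs_protection)."""
    tainted = set()          # registers holding speculatively accessed data
    rows = []
    for ins in program:
        operand_is_secret = any(s in tainted for s in ins.srcs)
        creates_channel = ins.kind == "load"   # address-dependent resource use
        rows.append((ins.text, creates_channel, operand_is_secret,
                     creates_channel and operand_is_secret))
        # Taint: output of a speculative load, or anything derived from taint.
        if (ins.kind == "load" and speculative) or operand_is_secret:
            tainted.add(ins.dest)
        else:
            tainted.discard(ins.dest)
    return rows

def after_resolution(program, prediction_correct):
    """Correct prediction: data is no longer secret. Incorrect: squashed."""
    if not prediction_correct:
        return None          # instructions are discarded
    return classify(program, speculative=False)

if __name__ == "__main__":
    for label, rows in (("speculative", classify(PROGRAM, True)),
                        ("correct prediction", after_resolution(PROGRAM, True))):
        print(label)
        for text, chan, secret, protect in rows:
            print(f"  {text:26} channel={chan!s:5} secret={secret!s:5} protect={protect}")
```

Only the row where both "creates a covert channel" and "input operand is a secret" hold needs protection, which is why the arithmetic instruction runs unhindered even on tainted data.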

Slide 5: Speculative Taint Tracking

Secret (speculatively accessed data) -> Covert channels

What are the covert channels?
    A new classification to understand covert channels in speculative machines

How to identify all the secrets?
    A new taint/untaint mechanism to track secrets in hardware

Slide 6: A Classification of Covert Channels in HW

Slide 7: Classification of Covert Channels

Covert channels
    Implicit channels
        Explicit branches
            Leak on prediction
            Leak on resolution
        Implicit branches
            Leak on prediction
            Leak on resolution
    Explicit channels

Slide annotation: "New!"

Slide 8: Classification of Covert Channels

Explicit channels: Secret inputs are directly leaked by operand-dependent hardware resource usage

    load [secret];

Examples:
    memory loads
    data-dependent arithmetic