Reorder Buffer Contention: A Forward Speculative Interference Attack for Speculation Invariant Instructions
IEEE Computer Architecture Letters(2021)
摘要
Speculative side-channel attacks access sensitive data and use transmitters to leak the data during wrong-path execution. Various defenses have been proposed to prevent such information leakage. However, not all speculatively executed instructions are unsafe: Recent work demonstrates that
speculation invariant
instructions are independent of speculative control-flow paths and are guaranteed to eventually commit, regardless of the speculation outcome. Compile-time information coupled with run-time mechanisms can then selectively lift defenses for speculation invariant instructions, reclaiming some of the lost performance. Unfortunately, speculation invariant instructions can easily be manipulated by a form of
speculative interference
to leak information via a new side-channel that we introduce in this paper. We show that
forward
speculative interference where
older
speculative instructions interfere with
younger speculation invariant instructions
effectively turns them into transmitters for secret data accessed during speculation. We demonstrate
forward speculative interference
on actual hardware, by selectively filling the reorder buffer (ROB) with instructions, pushing speculative invariant instructions in-or-out of the ROB
on demand
, based on a speculatively accessed secret. This reveals the speculatively accessed secret, as the occupancy of the ROB itself becomes a new speculative side-channel.
更多查看译文
关键词
Speculative side-channel attacks,security,spectre,speculative interference
AI 理解论文
溯源树
样例
生成溯源树,研究论文发展脉络
Chat Paper
正在生成论文摘要