Specu Sp culative T Taint T Track cking ( (ST STT): A Comp - - PowerPoint PPT Presentation

The Blavatnik School

• f Computer Science

The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

Sp Specu culative T Taint T Track cking ( (ST STT): A Comp Comprehensive Prot

• tection
• n for
• r Transiently

Ac Accessed Secrets

Jiyong Yu, Mengjia Yan, Artem Khyzha,* Adam Morrison,* Josep Torrellas, Christopher W. Fletcher University of Illinois at Urbana-Champaign ∗Tel Aviv University

The Blavatnik School

• f Computer Science

The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

Sc Scope pe: Protecting ng Trans nsient Se Secrets over any Covert Ch Chan annel

if (addr < N) { // start speculation secret = A[addr]; // access secret d = transmit(secret); // covert channel }

Start speculative execution Transient Instruction accesses secret “Access instruction” Covert channel transmits secret e.g., Spectre Variant 1:

2

Open Enclave Workshop Speculative Taint Tracking: A Comprehensive Protection for Transiently Accessed Secrets

The Blavatnik School

• f Computer Science

The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

Ad Adver ersary

• Powerful attacker
• Observes HW resource contention at FF/cycle granularity
• I.e., monitors every uarch covert channel transmit(secret)

○

From within same thread

○

Adjacent SMT context

○

Another core

○

Etc.

3

The Blavatnik School

• f Computer Science

The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

Ma Main I Insight of

• f ST

STT

It is safe to execute and forward the results of transient access instructions Up until those results reach a covert channel

if (addr < N) { secret = A[addr]; secret’ = secret - 1; d = transmit(secret’); }

Start speculation

If squash: unreachable If no squash: Execute after delay

Access instruction Covert channel

Safe to execute Delayed/Unreachable Safe to execute Execute access + dependent instructions

4

Open Enclave Workshop Speculative Taint Tracking: A Comprehensive Protection for Transiently Accessed Secrets

Issue more work early à Lower performance overhead

The Blavatnik School

• f Computer Science

The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

5

Secu Security definition

Non-interference with respect to transiently read data Arbitrary speculative execution can

• nly leak retired register file state

(not arbitrary program memory)

=

Blocks The Universal Read Gadget == many Spectre variants (1, 3, 4, ..), MDS attacks, Meltdown, etc.

The Blavatnik School

• f Computer Science

The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

ST STT, Informally

Performance: Walk through (not around) rock == Forward data aggressively Security: Do not fall off rock == Leak zero bits over uarch side/covert channels

6

The Blavatnik School

• f Computer Science

The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

Re Rest of talk

1.) What can form a covert channel? 2.) How to protect secrets from covert channels

Start speculative execution Access instruction Covert channel

7

Open Enclave Workshop Speculative Taint Tracking: A Comprehensive Protection for Transiently Accessed Secrets

if (addr < N) { secret = A[addr]; d = transmit(secret); }

???

The Blavatnik School

• f Computer Science

The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

1. 1.) ) What can an for

• rm a

a covert chan annel?

à New abstraction for covert channels on spec. machines

8

Open Enclave Workshop Speculative Taint Tracking: A Comprehensive Protection for Transiently Accessed Secrets

Find new (classes of) covert channels in the process

The Blavatnik School

• f Computer Science

The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

Co Cover ert t Ch Channel els are e Ex Explicit or

• r Im

Implicit

Explicit channel:

Secret passed to instruction w/ input-dependent resource contention

Examples: loads, floating point arithmetic

Implicit channel:

Secret influences the sequence of instructions executed/indirectly influences how those instructions execute

Examples: branches, memory dependence speculation

9

Open Enclave Workshop Speculative Taint Tracking: A Comprehensive Protection for Transiently Accessed Secrets

The Blavatnik School

• f Computer Science

The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

Prediction time:

When predictor state becomes a function of secret

Resolution time:

When predictor is not a function of secret

if (secret) { y++ } z = *(non-secret) secret != prediction à squash à load executes twice!

10

Open Enclave Workshop Speculative Taint Tracking: A Comprehensive Protection for Transiently Accessed Secrets

Imp Implici cit Ch Channel els can lea eak k at Pr Prediction an and Re Resolution ti time

Example:

The Blavatnik School

• f Computer Science

The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

Explicit Branch: control flow instruction (branch, jump, etc.). Implicit Branch: HW branch, “which direction” is observable

*secret = foo; bar = *(non-secret);

Example: store-to-load forwarding

Whether load goes to cache depends on secret! Re-write load as: if (secret==non-secret) { forward from LSQ } else cache_read(non-secret)

The implicit branch

Open Enclave Workshop Speculative Taint Tracking: A Comprehensive Protection for Transiently Accessed Secrets

Imp Implici cit Ch Channel els ma may y fea eature e Ex Explicit or

• r Im

Implicit br branc nche hes

The Blavatnik School

• f Computer Science

The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

Pu Putting it all to together

12

Open Enclave Workshop Speculative Taint Tracking: A Comprehensive Protection for Transiently Accessed Secrets

The Blavatnik School

• f Computer Science

The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

2. 2.) Ho ) How t to pr protec ect sec secrets fr s from c m cover ert c cha hannel nnels

àNovel HW dynamic taint tracking scheme w/ “Fast Untaint”

13

Open Enclave Workshop Speculative Taint Tracking: A Comprehensive Protection for Transiently Accessed Secrets

The Blavatnik School

• f Computer Science

The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

Mi Microarchi hitectur ture spe pecifies…

1.) Access instructions … access secrets 2.) Transmit instructions … form explicit channels E.g., access instructions = transmit instructions = loads 3.) Implicit channel branch predicates E.g., storeàload forwarding “if load addr == addr of older in-flight store” 4.) Visibility Point (VP): point, after which, speculation is ‘unsafe’ E.g., oldest unresolved branch

14

Open Enclave Workshop Speculative Taint Tracking: A Comprehensive Protection for Transiently Accessed Secrets

The Blavatnik School

• f Computer Science

The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

if (addr < N) { secret = A[addr]; // access instruction secret’ = secret - 1; d = transmit(secret’); }

Ta Taint propagation in hardware

○ Hardware taints instruction output registers of

1.) Access instructions before Visibility Point (VP) 2.) Instructions with tainted inputs

■ Taint not propagated to memory on stores ■ Tainted values are protected

15

Open Enclave Workshop Speculative Taint Tracking: A Comprehensive Protection for Transiently Accessed Secrets

Taint shown in red

“Visibility Point” (VP)

The Blavatnik School

• f Computer Science

The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

if (addr < N) { secret = A[addr]; secret -= 1; d = transmit(secret); }

Ne New “ “UnT UnTain aint” ” pr propa pagati tion n in n ha hardw dware

○ Hardware untaints instruction output registers of

1.) Access instructions reached VP 2.) Instructions with all inputs untainted

■ Protection disabled when instr operands become untainted

16

Open Enclave Workshop Speculative Taint Tracking: A Comprehensive Protection for Transiently Accessed Secrets

Branch resolves if (addr < N) { secret = A[addr]; secret -= 1; d = transmit(secret); }

Non-trivial! Taint is dynamic over instruction lifetime

The Blavatnik School

• f Computer Science

The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

Wh Who is s aware of taint

Only processor core (e.g., rename table) tracks taint

• Processor memory system does not track taint
• Taint is transparent to SW/Users

17

Open Enclave Workshop Speculative Taint Tracking: A Comprehensive Protection for Transiently Accessed Secrets

The Blavatnik School

• f Computer Science

The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

Us Using taint to block co covert channels

Block Explicit Channels: Delay execution of transmit instructions until operands untainted Block Prediction-time Implicit Channels: Delay predictor updates for explicit/implicit branches until untainted Block Resolution-time Implicit Channels: Delay explicit/implicit branch resolution until predicate (operands) untainted

Recall:

18

Open Enclave Workshop Speculative Taint Tracking: A Comprehensive Protection for Transiently Accessed Secrets

The Blavatnik School

• f Computer Science

The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

Wh What sp specu culative work can we sa safely do?

Safe to execute all instructions w/ untainted operands Safe to execute non-transmit instructions w/ tainted operands Safe to predict on implicit/explicit branches w/ tainted predicates Note: predictors have high accuracy.

for (i = 0; i < secret; i++) { … } Safe to predict multiple iterations before first one resolves!

19

Open Enclave Workshop Speculative Taint Tracking: A Comprehensive Protection for Transiently Accessed Secrets

The Blavatnik School

• f Computer Science

The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

Ar Architec ectu ture e for “Fast t Un Untaint”

Instructions stored in program order in Reorder Buffer (ROB) Observation: Each instruction with tainted arguments, has a “Youngest Root of Taint” (YRoT) in ROB Fast Untaint (high level): 1.) Track YRoT per instruction 2.) Broadcast changes to VP 3.) Untaint = VP > YRoT (ROB head = position 0)

ROB:

Tail/Youngest Head/Oldest

20

Open Enclave Workshop Speculative Taint Tracking: A Comprehensive Protection for Transiently Accessed Secrets

if (addr < N) secret = A[addr] secret -= 1 transmit(secret)

YRoT VP

The Blavatnik School

• f Computer Science

The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

21

ROB:

Tail/Youngest Head/Oldest

if (addr < N) secret = A[addr] secret -= 1 transmit(secret)

YRoT VP

ROB:

if (addr < N) secret = A[addr] secret -= 1 transmit(secret)

YRoT VP

Branch resolves

The Blavatnik School

• f Computer Science

The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

0.8 0.9 1 1.1 1.2 1.3 1.4 1.5 1.6 1.7 Conventional insecure baseline DelayAccess STT DelayAccess STT

Average Execution Time for SPEC and PARSEC (Normalized)

VP = oldest unresolved branch VP = ROB head

22

Open Enclave Workshop Speculative Taint Tracking: A Comprehensive Protection for Transiently Accessed Secrets

Ev Evaluation

1.45x 1.11x 2.92x 1.16x

The Blavatnik School

• f Computer Science

The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

Su Summary

STT blocks leakage of transient secrets over any uarch covert channel Speculation can only leak retired register values

• No software changes
• No partitioning
• No flushing
• User does not indicate what is sensitive
• No memory system changes

23

Open Enclave Workshop Speculative Taint Tracking: A Comprehensive Protection for Transiently Accessed Secrets

The Blavatnik School

• f Computer Science

The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

Ba Backup sl slides

24

Open Enclave Workshop Speculative Taint Tracking: A Comprehensive Protection for Transiently Accessed Secrets

The Blavatnik School

• f Computer Science

The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

St Strawma man D Defense

Delay executing access instructions until they reach the Visibility Point

if (addr < N) { secret = A[addr]; d = transmit(secret); }

Start speculative execution Delay until branch resolves Delay Delayed/Unreachable Set access instruction = all loads Instruction accesses secret “Access instruction” Covert channel transmits secret If squash: unreachable If no squash: Execute after delay

25

Open Enclave Workshop Speculative Taint Tracking: A Comprehensive Protection for Transiently Accessed Secrets

The Blavatnik School

• f Computer Science

The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

Wh Why Focu cus s on Protect cting Transi sient Acce ccess ss Instruct ctions? s?

Covers a broad class of attacks related to memory isolation/safety. Examples:

• Many Spectre variants (1, 3, 4, ..)
• MDS attacks
• Meltdown
• The Universal Read Gadget

Others as well: e.g., privileged register read, FP state As we will see, also facilitates making the scheme lightweight & SW-transparent.

Secrets accessed through transient loads

26

Open Enclave Workshop Speculative Taint Tracking: A Comprehensive Protection for Transiently Accessed Secrets

The Blavatnik School

• f Computer Science

The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

if (addr < N) { secret = A[addr]; secret -= 1; d = transmit(secret); }

Ta Taint and Un Untain aint

○

Hardware taints instruction output registers of

■

Access instructions before VP

■

Instructions with tainted inputs

○

Hardware untaints instruction output registers of

■

Access instructions reached VP

■

Instructions with all inputs untainted

■

Taint not propagated to memory on stores

if (addr < N) secret = A[addr] secret -= 1 transmit(secret)

• - Branch resolves--

27

Open Enclave Workshop Speculative Taint Tracking: A Comprehensive Protection for Transiently Accessed Secrets

secret = A[addr] secret -= 1

transmit(secret)

The Blavatnik School

• f Computer Science

The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

Wh When to un untaint

Earlier issue for known-safe instructions à Better performance Can safely issue transmit(secret’) as soon as branch resolves (Do not need to wait for transmit(secret’) to reach head of ROB)

28

Open Enclave Workshop Speculative Taint Tracking: A Comprehensive Protection for Transiently Accessed Secrets

if (addr < N) secret = A[addr] secret -= 1 transmit(secret)

if (addr < N) { secret = A[addr]; secret -= 1; d = transmit(secret); }

• - Branch resolves--

28

secret = A[addr] secret -= 1

transmit(secret)