Speculative Taint Tracking (STT TT): A Comprehensive Protection for - - PowerPoint PPT Presentation

Speculative Taint Tracking (STT TT): A Comprehensive Protection for Speculatively Accessed Data

JIYONG YU, , MENGJIA YAN, ARTEM KHYZHA*, ADAM MORRISON*, JOSEP TORRELLAS, CHRISTOPHER W. FLETCHER

UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN ∗TEL AVIV UNIVERSITY

1

Processors are Insecure

Introduction Speculative Taint Tracking Evaluation Conclusion

2

Processors are Insecure

2

Introduction Speculative Taint Tracking Evaluation Conclusion

Speculative Execution Attacks

// Spectre Variant 1 if (addr < N) { // speculation // access instruction spec_val = load [addr]; // covert channel load [spec_val]; }

Speculation starts

3

Introduction Speculative Taint Tracking Evaluation Conclusion

Speculative Execution Attacks

// Spectre Variant 1 if (addr < N) { // speculation // access instruction spec_val = load [addr]; // covert channel load [spec_val]; }

3

*: Kiriansky, Vladimir, et al. "DAWG: A defense against cache timing attacks in speculative execution processors." MICRO-51, 2018.

Speculation starts Speculative access instruction* accesses secret

Introduction Speculative Taint Tracking Evaluation Conclusion

Speculative Execution Attacks

// Spectre Variant 1 if (addr < N) { // speculation // access instruction spec_val = load [addr]; // covert channel load [spec_val]; }

3

*: Kiriansky, Vladimir, et al. "DAWG: A defense against cache timing attacks in speculative execution processors." MICRO-51, 2018.

Speculation starts Creates a covert channel to leak secret

Introduction Speculative Taint Tracking Evaluation Conclusion

Speculative access instruction* accesses secret

Speculative Execution Attacks

// Spectre Variant 1 if (addr < N) { // speculation // access instruction spec_val = load [addr]; // covert channel load [spec_val]; }

addr = N+1

3

*: Kiriansky, Vladimir, et al. "DAWG: A defense against cache timing attacks in speculative execution processors." MICRO-51, 2018.

Speculation starts Speculation ends - misspeculation! Creates a covert channel to leak secret

Introduction Speculative Taint Tracking Evaluation Conclusion

Speculative access instruction* accesses secret

Speculative Execution Attacks

// Spectre Variant 1 if (addr < N) { // speculation // access instruction spec_val = load [addr]; // covert channel load [spec_val]; }

Speculation starts Speculation ends - misspeculation! Creates a covert channel to leak secret

3

*: Kiriansky, Vladimir, et al. "DAWG: A defense against cache timing attacks in speculative execution processors." MICRO-51, 2018.

Introduction Speculative Taint Tracking Evaluation Conclusion

Speculative access instruction* accesses secret

Main Insight of STT

4

Introduction Speculative Taint Tracking Evaluation Conclusion

Main Insight of STT

“Sufficient for security: prevent secrets from reaching covert channels”

4

Introduction Speculative Taint Tracking Evaluation Conclusion

Main Insight of STT

“Sufficient for security: prevent secrets from reaching covert channels”

if (addr < N) { // access instruction spec_val = load [addr]; // simple arithmetic spec_val = spec_val + 4; // cache/mem covert channel load [spec_val]; } ……

4

Creates a covert channel? Input

• perand is

a secret? Requires protection? Introduction Speculative Taint Tracking Evaluation Conclusion

Main Insight of STT

“Sufficient for security: prevent secrets from reaching covert channels”

if (addr < N) { // access instruction spec_val = load [addr]; // simple arithmetic spec_val = spec_val + 4; // cache/mem covert channel load [spec_val]; } ……

prediction

Speculation starts

4

Creates a covert channel? Input

• perand is

a secret? Requires protection? Introduction Speculative Taint Tracking Evaluation Conclusion

Main Insight of STT

“Sufficient for security: prevent secrets from reaching covert channels”

if (addr < N) { // access instruction spec_val = load [addr]; // simple arithmetic spec_val = spec_val + 4; // cache/mem covert channel load [spec_val]; } ……

Speculation starts

4

Creates a covert channel? Input

• perand is

a secret? Requires protection? Yes No No Introduction Speculative Taint Tracking Evaluation Conclusion

Main Insight of STT

“Sufficient for security: prevent secrets from reaching covert channels”

if (addr < N) { // access instruction spec_val = load [addr]; // simple arithmetic spec_val = spec_val + 4; // cache/mem covert channel load [spec_val]; } ……

Speculation starts

4

Creates a covert channel? Input

• perand is

a secret? Requires protection? Yes No No No Yes No Introduction Speculative Taint Tracking Evaluation Conclusion

Main Insight of STT

“Sufficient for security: prevent secrets from reaching covert channels”

if (addr < N) { // access instruction spec_val = load [addr]; // simple arithmetic spec_val = spec_val + 4; // cache/mem covert channel load [spec_val]; } ……

Speculation starts

4

Creates a covert channel? Input

• perand is

a secret? Requires protection? Yes No No No Yes No Yes Yes Yes Introduction Speculative Taint Tracking Evaluation Conclusion

Main Insight of STT

“Sufficient for security: prevent secrets from reaching covert channels”

if (addr < N) { // access instruction spec_val = load [addr]; // simple arithmetic spec_val = spec_val + 4; // cache/mem covert channel load [spec_val]; } ……

Speculation starts

Non-speculative

4

Correct Prediction! Creates a covert channel? Input

• perand is

a secret? Requires protection? Yes No No No No No Yes No No Introduction Speculative Taint Tracking Evaluation Conclusion

Main Insight of STT

“Sufficient for security: prevent secrets from reaching covert channels”

if (addr < N) { // access instruction spec_val = load [addr]; // simple arithmetic spec_val = spec_val + 4; // cache/mem covert channel load [spec_val]; } ……

Speculation starts

Non-speculative

Correct Prediction!

4

Creates a covert channel? Input

• perand is

a secret? Requires protection? Yes No No No No No Yes No No Introduction Speculative Taint Tracking Evaluation Conclusion

Main Insight of STT

“Sufficient for security: prevent secrets from reaching covert channels”

if (addr < N) { // access instruction spec_val = load [addr]; // simple arithmetic spec_val = spec_val + 4; // cache/mem covert channel load [spec_val]; } ……

Speculation starts

Squashed!

4

Incorrect Prediction! Creates a covert channel? Input

• perand is

a secret? Requires protection? Yes No No No Yes No Yes Yes Yes Introduction Speculative Taint Tracking Evaluation Conclusion

Speculative Taint Tracking

5

Secret

(speculatively accessed data)

Covert channels

Introduction Speculative Taint Tracking Evaluation Conclusion

Speculative Taint Tracking

5

Secret

(speculatively accessed data)

Covert channels

Introduction Speculative Taint Tracking Evaluation Conclusion

Speculative Taint Tracking

5

Secret

(speculatively accessed data)

Covert channels

What are the covert channels?

Introduction Speculative Taint Tracking Evaluation Conclusion

Speculative Taint Tracking

5

Secret

(speculatively accessed data)

Covert channels

What are the covert channels? A new classification to understand covert channels in speculative machines

Introduction Speculative Taint Tracking Evaluation Conclusion

Speculative Taint Tracking

5

Secret

(speculatively accessed data)

Covert channels

What are the covert channels? How to identify all the secrets? A new classification to understand covert channels in speculative machines

Introduction Speculative Taint Tracking Evaluation Conclusion

Speculative Taint Tracking

What are the covert channels? How to identify all the secrets? A new classification to understand covert channels in speculative machines A new taint/untaint mechanism to track secrets in hardware

5

Secret

(speculatively accessed data)

Covert channels

Introduction Speculative Taint Tracking Evaluation Conclusion

A Classification of Covert Channels in HW

6

Introduction Speculative Taint Tracking Evaluation Conclusion

Classification of Covert Channels

Covert channels Explicit channels Implicit channels

7

Introduction Speculative Taint Tracking Evaluation Conclusion

Explicit branches Implicit branches Leak on prediction Leak on resolution Leak on prediction Leak on resolution

Classification of Covert Channels

Covert channels Explicit channels Implicit channels Explicit branches Implicit branches Leak on prediction Leak on resolution

New!

Leak on prediction Leak on resolution

7

Introduction Speculative Taint Tracking Evaluation Conclusion

Classification of Covert Channels

Covert channels Explicit channels:

Secret inputs are directly leaked by operand-dependent hardware resource usage

load [secret];

8

Introduction Speculative Taint Tracking Evaluation Conclusion

Classification of Covert Channels

Covert channels Explicit channels:

Secret inputs are directly leaked by operand-dependent hardware resource usage Examples: memory loads data-dependent arithmetic

8

Introduction Speculative Taint Tracking Evaluation Conclusion

Classification of Covert Channels

Covert channels Explicit channels:

Secret inputs are directly leaked by operand-dependent hardware resource usage Examples: memory loads data-dependent arithmetic

Implicit channels:

Secret inputs are indirectly leaked by how (or that) one or several instructions execute

secret = load [addr]; if (secret == 1) load [0x00];

8

Introduction Speculative Taint Tracking Evaluation Conclusion

Classification of Covert Channels

Covert channels Explicit channels:

Secret inputs are directly leaked by operand-dependent hardware resource usage Examples: memory loads data-dependent arithmetic

Implicit channels:

Secret inputs are indirectly leaked by how (or that) one or several instructions execute Examples: branch/jump instructions

8

Introduction Speculative Taint Tracking Evaluation Conclusion

Classification of Covert Channels

Covert channels Explicit channels:

Secret inputs are directly leaked by operand-dependent hardware resource usage Examples: memory loads data-dependent arithmetic

Implicit channels:

Secret inputs are indirectly leaked by how (or that) one or several instructions execute

8

Explicit branches

Examples: Branch/jump instructions

New!

Introduction Speculative Taint Tracking Evaluation Conclusion

Classification of Covert Channels

Covert channels Explicit channels:

Secret inputs are directly leaked by operand-dependent hardware resource usage Examples: memory loads data-dependent arithmetic

Implicit channels:

Secret inputs are indirectly leaked by how (or that) one or several instructions execute

8

Explicit branches

Examples: Branch/jump instructions

Leak on prediction Leak on resolution

New!

Introduction Speculative Taint Tracking Evaluation Conclusion

Explicit Branches @ Prediction

Cause: The predictor state becomes a function of secret

// Visibility point … … … … if ( secret ) … … … … if ( public ) load [0x00]; else load [0x10];

9

Introduction Speculative Taint Tracking Evaluation Conclusion

Explicit Branches @ Prediction

Cause: The predictor state becomes a function of secret

Resolve and update branch predictor // Visibility point … … … … if ( secret ) … … … … if ( public ) load [0x00]; else load [0x10]; idx | taken Branch Predictor Unit (BPU)

9

Introduction Speculative Taint Tracking Evaluation Conclusion

Explicit Branches @ Prediction

Cause: The predictor state becomes a function of secret

idx | taken Branch Predictor Unit (BPU) // Visibility point … … … … if ( secret ) … … … … if ( public ) load [0x00]; else load [0x10];

9

Introduction Speculative Taint Tracking Evaluation Conclusion

Classification of Covert Channels

Covert channels Explicit channels:

Secret inputs are directly leaked by operand-dependent hardware resource usage Examples: memory loads data-dependent arithmetic

Implicit channels:

Secret inputs are indirectly leaked by how (or that) one or several instructions execute

10

Explicit branches

Examples: Branch/jump instructions

Leak on prediction Leak on resolution

New!

Introduction Speculative Taint Tracking Evaluation Conclusion

Explicit Branches @ Resolution

Cause: The resolution of a mis-speculation triggers a pipeline squash and alternation of control flow

if (secret) { y++; } z = load [0x00]

11

Introduction Speculative Taint Tracking Evaluation Conclusion

Explicit Branches @ Resolution

Cause: The resolution of a mis-speculation triggers a pipeline squash and alternation of control flow

if (secret) { y++; } z = load [0x00]

secret != prediction → squash → load executes twice!

11

Introduction Speculative Taint Tracking Evaluation Conclusion

Classification of Covert Channels

Covert channels Explicit channels:

Secret inputs are directly leaked by operand-dependent hardware resource usage Examples: memory loads data-dependent arithmetic

Implicit channels:

Secret inputs are indirectly leaked by how (or that) one or several instructions execute

12

Explicit branches

Examples: Branch/jump instructions

Implicit branches

Example: Store-load pairs

Leak on prediction Leak on resolution

New!

Introduction Speculative Taint Tracking Evaluation Conclusion

Classification of Covert Channels

Covert channels Explicit channels:

Secret inputs are directly leaked by operand-dependent hardware resource usage Examples: memory loads data-dependent arithmetic

Implicit channels:

Secret inputs are indirectly leaked by how (or that) one or several instructions execute

Explicit branches

Examples: Branch/jump instructions

Implicit branches

Example: Store-load pairs

Leak on prediction Leak on resolution Leak on prediction Leak on resolution

12

New!

Introduction Speculative Taint Tracking Evaluation Conclusion

Implicit Branches

store [secret] = foo; bar = load [0x00];

13

Introduction Speculative Taint Tracking Evaluation Conclusion

Cause: Non-control flow instructions create branch-like behaviors.

Implicit Branches

Cause: Non-control flow instructions create branch-like behaviors.

if (secret == 0x00) { forward from store queue } else { cache_load [0x00] }

Can be thought as:

store [secret] = foo; bar = load [0x00];

13

Introduction Speculative Taint Tracking Evaluation Conclusion

Identifying Secrets using Tainting/Untainting

14

Introduction Speculative Taint Tracking Evaluation Conclusion

Identifying Secrets using Tainting/Untainting

Basic idea: taint all the secrets

• Speculatively accessed data (secrets by definition)
• And their dependents

15

Introduction Speculative Taint Tracking Evaluation Conclusion

Identifying Secrets using Tainting/Untainting

Basic idea: taint all the secrets

• Speculatively accessed data (secrets by definition)
• And their dependents

if (addr < N) { // access instruction a = load [addr]; // simple arithmetic b = a + 4; // cache/mem covert channel load [b]; } …… …… ……

speculative

15

Introduction Speculative Taint Tracking Evaluation Conclusion

Identifying Secrets using Tainting/Untainting

Basic idea: taint all the secrets

• Speculatively accessed data (secrets by definition)
• And their dependents

STT taints:

1) Output of speculative access instructions (a)

if (addr < N) { // access instruction a = load [addr]; // simple arithmetic b = a + 4; // cache/mem covert channel load [b]; } …… …… ……

speculative

15

Introduction Speculative Taint Tracking Evaluation Conclusion

Identifying Secrets using Tainting/Untainting

Basic idea: taint all the secrets

• Speculatively accessed data (secrets by definition)
• And their dependents

STT taints:

1) Output of speculative access instructions (a) 2) Output of instructions with tainted inputs (b)

if (addr < N) { // access instruction a = load [addr]; // simple arithmetic b = a + 4; // cache/mem covert channel load [b]; } …… …… ……

speculative

15

Introduction Speculative Taint Tracking Evaluation Conclusion

Identifying Secrets using Tainting/Untainting

Basic idea: taint all the secrets

• Speculatively accessed data (secrets by definition)
• And their dependents

STT taints:

1) Output of speculative access instructions (a) 2) Output of instructions with tainted inputs (b)

if (addr < N) { // access instruction a = load [addr]; // simple arithmetic b = a + 4; // cache/mem covert channel load [b]; } …… …… ……

Resolved! speculative

15

Introduction Speculative Taint Tracking Evaluation Conclusion

Identifying Secrets using Tainting/Untainting

Basic idea: taint all the secrets

• Speculatively accessed data (secrets by definition)
• And their dependents

STT taints:

1) Output of speculative access instructions (a) 2) Output of instructions with tainted inputs (b)

STT untaints when:

1) A speculative access instruction becomes non- speculative (a)

if (addr < N) { // access instruction a = load [addr]; // simple arithmetic b = a + 4; // cache/mem covert channel load [b]; } …… …… ……

Resolved! speculative

15

Introduction Speculative Taint Tracking Evaluation Conclusion

Identifying Secrets using Tainting/Untainting

Basic idea: taint all the secrets

• Speculatively accessed data (secrets by definition)
• And their dependents

STT taints:

1) Output of speculative access instructions (a) 2) Output of instructions with tainted inputs (b)

STT untaints when:

1) A speculative access instruction becomes non- speculative (a) 2) An instruction has all its input untainted (b)

if (addr < N) { // access instruction a = load [addr]; // simple arithmetic b = a + 4; // cache/mem covert channel load [b]; } …… …… ……

Resolved! speculative

15

Introduction Speculative Taint Tracking Evaluation Conclusion

Microarchitect Identifies …

Instructions forming explicit channels

• E.g. load, data-dependent arithmetic

Instructions forming implicit channels

• E.g. control-flow instructions, store-load pairs

16

Introduction Speculative Taint Tracking Evaluation Conclusion

Blocking Covert Channels

Explicit channels:

• Delay execution until operands untainted (e.g., load address)

17

Introduction Speculative Taint Tracking Evaluation Conclusion

Covert channels Explicit channels Implicit channels Leak on prediction Leak on resolution

Blocking Covert Channels

Explicit channels:

• Delay execution until operands untainted (e.g., load address)

Implicit channels:

• Delay predictor update until branch predicate untainted

17

Introduction Speculative Taint Tracking Evaluation Conclusion

Covert channels Explicit channels Implicit channels Leak on prediction Leak on resolution

Blocking Covert Channels

Explicit channels:

• Delay execution until operands untainted (e.g., load address)

Implicit channels:

• Delay predictor update until branch predicate untainted
• Delay resolution until branch predicate untainted

17

Introduction Speculative Taint Tracking Evaluation Conclusion

Covert channels Explicit channels Implicit channels Leak on prediction Leak on resolution

Blocking Covert Channels

Explicit channels:

• Delay execution until operands untainted (e.g., load address)

Implicit channels:

• Delay predictor update until branch predicate untainted
• Delay resolution until branch predicate untainted

17

Introduction Speculative Taint Tracking Evaluation Conclusion

Covert channels Explicit channels Implicit channels Leak on prediction Leak on resolution

Hardware Implementation of STT

18

Introduction Speculative Taint Tracking Evaluation Conclusion

Efficient Implementation of Tainting/Untainting Logic

1) branch 2) a = load [0x00] 3) branch 4) b = load [0x04] 5) branch 6) c = a + b 7) load [c] program order

speculative

19

Introduction Speculative Taint Tracking Evaluation Conclusion Delay execution!

Efficient Implementation of Tainting/Untainting Logic

1) branch 2) a = load [0x00] 3) branch 4) b = load [0x04] 5) branch 6) c = a + b 7) load [c] program order

speculative

19

Introduction Speculative Taint Tracking Evaluation Conclusion Delay execution!

Efficient Implementation of Tainting/Untainting Logic

Observation: All instructions turn non- speculative in-order

1) branch 2) a = load [0x00] 3) branch 4) b = load [0x04] 5) branch 6) c = a + b 7) load [c] program order

speculative

19

Introduction Speculative Taint Tracking Evaluation Conclusion Delay execution!

Efficient Implementation of Tainting/Untainting Logic

Observation: All instructions turn non- speculative in-order

1) branch 2) a = load [0x00] 3) branch 4) b = load [0x04] 5) branch 6) c = a + b 7) load [c] program order

speculative

19

→ resolved!

Introduction Speculative Taint Tracking Evaluation Conclusion Delay execution!

Efficient Implementation of Tainting/Untainting Logic

Observation: All instructions turn non- speculative in-order

1) branch 2) a = load [0x00] 3) branch 4) b = load [0x04] 5) branch 6) c = a + b 7) load [c] program order

speculative

19

→ resolved!

Introduction Speculative Taint Tracking Evaluation Conclusion Execute!

Efficient Implementation of Tainting/Untainting Logic

Observation: All instructions turn non- speculative in-order Each instruction tracks the “youngest access instruction” it depends on -- “Youngest Root

• f Taint” (YRoT)

YRoT of 7 is 4

19

Introduction Speculative Taint Tracking Evaluation Conclusion

1) branch 2) a = load [0x00] 3) branch 4) b = load [0x04] 5) branch 6) c = a + b 7) load [c] program order

speculative Execute!

Efficient Implementation of Tainting/Untainting Logic

20

Introduction Speculative Taint Tracking Evaluation Conclusion

No change to the memory subsystem!

Security Evaluation

Security definition:

Arbitrary speculative execution can only leak retired register file state (not arbitrary program memory)

To prove it: STT enforces a non-interference property w.r.t speculatively accessed data The link to the detailed formal analysis and security proof is in the paper

21

Introduction Speculative Taint Tracking Evaluation Conclusion

Performance Evaluation on SPEC2006

Consider control-flow speculation Consider all types of speculation

22

Introduction Speculative Taint Tracking Evaluation Conclusion

40.2% 8.5% 182.0% 14.5%

0.0% 20.0% 40.0% 60.0% 80.0% 100.0% 120.0% 140.0% 160.0% 180.0% 200.0%

DelayExecute STT DelayExecute STT

Perf Overhead over Insecure Baseline

Conclusion

STT Blocks leakage of speculatively accessed data over any uarch covert channels with: 1) High performance 2) Provable security protection 3) No software change; No memory subsystem change

23

Introduction Speculative Taint Tracking Evaluation Conclusion

Conclusion

STT Blocks leakage of speculatively accessed data over any uarch covert channels with: 1) High performance 2) Provable security protection 3) No software change; No memory subsystem change

23

Introduction Speculative Taint Tracking Evaluation Conclusion

Questions?

Backup slides

69

Threat Model

A powerful attacker who:

• Monitors covert channels
• Cache, SIMD units, or any shared hardware resources
• From everywhere
• Within same thread
• Adjacent SMT context
• Cross core
• At cycle granularity

Introduction Threat model Speculative Taint Tracking Evaluation Conclusion

70

TODO: compare with NDA and SpecShield

71

TODO: STT threat model vs. STT+ threat model

72

Outline

Introduction Threat Model Speculative Taint Tracking Evaluation Conclusion

Introduction Threat model Speculative Taint Tracking Evaluation Conclusion

73

Implementation of STT

A new classification of covert channels in HW ➔ Specify instructions with explicit or implicit channels

74

Putting it together

Executes all instructions w/ untainted inputs Executes non-transmit instructions w/ tainted inputs Predicts explicit/implicit branches w/ tainted predicates

Introduction Speculative Taint Tracking Security Definition Evaluation Conclusion

81

Putting it together

Executes all instructions w/ untainted inputs Executes non-transmit instructions w/ tainted inputs Predicts explicit/implicit branches w/ tainted predicates Delay executing transmit instructions w/ tainted inputs Delay resolution/predictor updates of explicit/implicit branches w/ tainted predicates

Block explicit channel Introduction Speculative Taint Tracking Security Definition Evaluation Conclusion

82

Putting it together

Executes all instructions w/ untainted inputs Executes non-transmit instructions w/ tainted inputs Predicts explicit/implicit branches w/ tainted predicates Delay executing transmit instructions w/ tainted inputs Delay resolution/predictor updates of explicit/implicit branches w/ tainted predicates

Block explicit channel Block implicit channel TODO: spend a little bit more time on this slide? TODO: what is transmit instruction? Introduction Speculative Taint Tracking Security Definition Evaluation Conclusion

83

Microarchitecture Design of STT

• Each instruction has its “Youngest Root of Taint”

(YRoT)

For each (transmit) instruction: Input is secret  YRoT is still speculative  Visibility point is ahead of YRoT

1) branch 2) a = load [0x00] // YRoT = -1 3) branch_1 4) b = load [0x04] // YRoT = -1 5) branch 6) c = a + b // YRoT = max(2, 4) = 4 > 1 7) d = load [c] // YRoT = 4 > 1

program order

89

Microarchitecture Design of STT

• Each instruction has its “Youngest Root of Taint”

(YRoT)

For each (transmit) instruction: Input is secret  YRoT is still speculative  Visibility point is ahead of YRoT

1) branch_0 2) a = load [0x00] // YRoT = -1 3) branch_1 4) b = load [0x04] // YRoT = -1 5) branch_2 6) c = a + b // YRoT = max(2, 4) = 4 > 3 7) d = load [c] // YRoT = 4 > 3

program order

90

Microarchitecture Design of STT

• Each instruction has its “Youngest Root of Taint”

(YRoT)

For each (transmit) instruction: Input is secret  YRoT is still speculative  Visibility point is ahead of YRoT

1) branch_0 2) a = load [0x00] // YRoT = -1 3) branch_1 4) b = load [0x04] // YRoT = -1 5) branch_2 6) c = a + b // YRoT = max(2, 4) = 4 < 5 7) d = load [c] // YRoT = 4 < 5

program order

VP

91

Efficient Implementation of Tainting/Untainting Logic

Observation: All instructions turn non-speculative in-order Each instruction tracks the “youngest access instruction” it depends on -- “Youngest Root of Taint” (YRoT) For each instruction: Input is tainted  Input depends on some speculative access instruction  YRoT is still speculative  Visibility point is ahead of YRoT

19

Introduction Speculative Taint Tracking Evaluation Conclusion YRoT of 7 is 4

1) branch 2) a = load [0x00] 3) branch 4) b = load [0x04] 5) branch 6) c = a + b 7) load [c] program order

speculative Visibility point (VP) Execute! TODO: remove this

Security Evaluation

Arbitrary speculative execution can

• nly leak retired register file state

(not arbitrary program memory)

93

Security Evaluation

Arbitrary speculative execution can

• nly leak retired register file state

(not arbitrary program memory)

The Universal Read Gadget == many Spectre variants (1, 3, 4, ..), MDS attacks, Meltdown, etc.

94

Security Evaluation

STT enforces a non-interference property w.r.t speculatively accessed data:

time Retired Will eventually retire Will eventually squash time = t Processor state @ t

95

Security Evaluation

STT enforces a non-interference property w.r.t speculatively accessed data:

time Retired Will eventually retire time = t Processor state @ t Will eventually squash

96