Publications from Uppsala University
Publications (7 of 7)
Aimoniotis, P. (2025). Advances in Speculative Side Channel Mitigations and New Exploitations. (Doctoral dissertation). Uppsala: Acta Universitatis Upsaliensis
2025 (English). Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

Speculative execution optimizes processor performance by predicting the correct path of execution and executing instructions before it is legal to do so, introducing potential vulnerabilities when the prediction falls short and the program follows the wrong path of execution. While the processor recovers the architectural state, the microarchitectural state remains and can be exploited. In these vulnerabilities, which leverage the speculative side channel (known as Spectre attacks), a secret is improperly accessed speculatively and then leaked by passing it to a transmitter instruction that leaves irreversible changes in the microarchitecture. Several proposed defenses try to close this security hole by prohibiting the propagation of speculatively loaded values, or by delaying transmitter instructions (e.g., loads) from executing under speculation. Each of these proposed solutions leads to considerable performance degradation and, in certain instances, fails to entirely mitigate the security vulnerability.

This thesis addresses the challenges of performance and security by proposing three works that optimize the performance of existing speculative side-channel defenses, namely Janus, ReCon, and Doppelganger Loads, and two works that expose security vulnerabilities by demonstrating attack scenarios, namely DOIN! and Reorder Buffer Contention.

Regarding the performance of existing speculative mechanisms: Janus applies two of the simplest defense ideas in the same processor design and uses reinforcement learning to select, on the fly, the underlying defense mechanism that performs best; ReCon leverages non-speculative information leakage in an efficient manner to enable the execution of speculative load instructions that access non-secret values; and Doppelganger Loads employs an address predictor to unlock more speculative memory-level parallelism by predicting speculative load addresses in a secret-independent way. All of these techniques recover a significant part of the performance lost to speculative side-channel defenses.

On the other hand, to expose security vulnerabilities, the DOIN! attack exploits inclusive caches and the co-existence of instructions and data in last-level caches to create observable timing differences in the data cache, bypassing speculative defenses, and Reorder Buffer Contention adds secret-dependent contention to the reorder buffer, pushing a transmitter instruction in or out of the buffer on demand so that it leaks the value of the speculatively loaded secret.

Place, publisher, year, edition, pages
Uppsala: Acta Universitatis Upsaliensis, 2025. p. 48
Series
Digital Comprehensive Summaries of Uppsala Dissertations from the Faculty of Science and Technology, ISSN 1651-6214 ; 2599
Keywords
computer architecture, speculative execution, processor, security, out-of-order execution, side-channels, microarchitecture
National Category
Computer Engineering Computer Sciences
Research subject
Computer Science
Identifiers
urn:nbn:se:uu:diva-566433 (URN); 978-91-513-2619-1 (ISBN)
Public defence
2025-12-12, Polhemsalen, Ångströmlaboratoriet, Lägerhyddsvägen 1, Uppsala, 09:15 (English)
Available from: 2025-11-14. Created: 2025-09-10. Last updated: 2025-11-14.
Aimoniotis, P. & Kaxiras, S. (2024). JANUS: A Simple and Efficient Speculative Defense using Reinforcement Learning. In: 2024 IEEE 36th International Symposium on Computer Architecture and High Performance Computing (SBAC-PAD). Paper presented at 2024 IEEE 36th International Symposium on Computer Architecture and High Performance Computing (SBAC-PAD), 13-15 November 2024, Hilo, HI, USA (pp. 25-36). Institute of Electrical and Electronics Engineers (IEEE)
2024 (English). In: 2024 IEEE 36th International Symposium on Computer Architecture and High Performance Computing (SBAC-PAD), Institute of Electrical and Electronics Engineers (IEEE), 2024, p. 25-36. Conference paper, Published paper (Refereed)
Abstract [en]

Speculative execution and the emergence of Spectre attacks have forced architects to rethink how microprocessors are designed. Several approaches aim to close this security vulnerability while trying to minimize performance degradation, often involving complex and sophisticated mechanisms. These strategies typically entail substantial modifications to the processor core and memory hierarchy, which ultimately inhibit their adoption in real designs. In this work, we leverage two of the simplest speculative defense ideas, NDA and DoM, that can co-exist in the same core, and we apply a simple form of Reinforcement Learning (RL) to select the most effective mechanism, as the underlying processor defense, for a window of execution. NDA forbids the propagation of a potential secret to subsequent instructions, while DoM prohibits the creation of observable timing differences in the cache. We observe that their impact on different applications can vary significantly, but, often, they can complement each other within the same application. However, our investigation also reveals vulnerabilities in previous proposals that try to combine these secure speculation schemes into one. We demonstrate an attack scenario that violates the security of the combined scheme and we present the conditions that must hold to safely combine them. Lastly, while the cost and complexity of reinforcement learning may seem inordinately high for microarchitectural implementations, we build on recent research that demonstrates remarkably lightweight solutions, provided that the action space is small. We present JANUS, a lightweight architecture leveraging an RL agent based on a two-armed bandit algorithm. JANUS selects the defense mechanism that performs best while protecting the processor within a specific time window.
We evaluate JANUS on the SPEC2017 benchmark suite and find that it outperforms NDA by +4.9%, STT (a more sophisticated and complex scheme that uses taint tracking) by +1%, and DoM by +2.6%. Further, when a state-of-the-art address-prediction optimization (Doppelganger Loads) is employed on top of the baseline defenses, NDA and DoM, JANUS still outperforms the former by +2.3% and the latter by +0.3%. When evaluated with the older SPEC2006 benchmark suite, JANUS outperforms all schemes by +4.7% on average, with a maximum of +8.2% over DoM. JANUS achieves these results with a meager storage overhead of just 16 bytes and a complexity-effective design.

Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE), 2024
Series
Proceedings Symposium on Computer Architecture and High Performance Computing, ISSN 1550-6533, E-ISSN 2643-3001
Keywords
Speculative side-channels, spectre, reinforcement learning
National Category
Computer Sciences Computer Systems
Identifiers
urn:nbn:se:uu:diva-553087 (URN); 10.1109/SBAC-PAD63648.2024.00011 (DOI); 2-s2.0-85212436359 (Scopus ID); 979-8-3503-5616-8 (ISBN); 979-8-3503-5617-5 (ISBN)
Conference
2024 IEEE 36th International Symposium on Computer Architecture and High Performance Computing (SBAC-PAD), 13-15 November 2024, Hilo, HI, USA
Funder
Swedish Foundation for Strategic Research, FUS21-0067; National Academic Infrastructure for Supercomputing in Sweden (NAISS), 2023/22-3; UPPMAX; Swedish Research Council, 2022-06725
Available from: 2025-03-22. Created: 2025-03-22. Last updated: 2025-09-10. Bibliographically approved.
Kvalsvik, A. B., Aimoniotis, P., Kaxiras, S. & Själander, M. (2023). Doppelganger Loads: A Safe, Complexity-Effective Optimization for Secure Speculation Schemes. In: ISCA '23: Proceedings of the 50th Annual International Symposium on Computer Architecture. Paper presented at 50th Annual International Symposium on Computer Architecture (ISCA), JUN 17-21, 2023, Orlando, FL, USA. New York, NY: Association for Computing Machinery (ACM), Article ID 53.
2023 (English). In: ISCA '23: Proceedings of the 50th Annual International Symposium on Computer Architecture, New York, NY: Association for Computing Machinery (ACM), 2023, article id 53. Conference paper, Published paper (Refereed)
Abstract [en]

Speculative side-channel attacks have forced computer architects to rethink speculative execution. Effectively preventing microarchitectural state from leaking sensitive information will be a key requirement in future processor design.

An important limitation of many secure speculation schemes is a reduction in the available memory parallelism, because unsafe loads (which loads are unsafe depends on the particular scheme) are blocked, as they might potentially leak information. Our contribution is to show that it is possible to recover some of this lost memory parallelism by safely predicting the addresses of these loads in a threat-model transparent way, i.e., without worsening the security guarantees of the underlying secure scheme. To demonstrate the generality of the approach, we apply it to three different secure speculation schemes: Non-speculative Data Access (NDA), Speculative Taint Tracking (STT), and Delay-on-Miss (DoM).

An address predictor is trained on non-speculative data and can afterwards predict the addresses of unsafe, slow-to-issue loads, preloading the target registers with speculative values that can be released faster on correct predictions than starting the entire load process. This new perspective on speculative execution encompasses all loads and gives speedups independent of prefetching.

We call the address-predicted counterparts of loads Doppelganger Loads. They give notable performance improvements for the three secure speculation schemes we evaluate, NDA, STT, and DoM. The Doppelganger Loads reduce the geometric mean slowdown by 42%, 48%, and 30% respectively, as compared to an unsafe baseline, for a wide variety of SPEC2006 and SPEC2017 benchmarks. Furthermore, Doppelganger Loads can be efficiently implemented with only minor core modifications, reusing existing resources such as a stride prefetcher, and most importantly, requiring no changes to the memory hierarchy outside the core.

Place, publisher, year, edition, pages
New York, NY: Association for Computing Machinery (ACM), 2023
Series
Conference Proceedings Annual International Symposium on Computer Architecture, ISSN 1063-6897
Keywords
computer architecture, security, speculative side-channels, spectre
National Category
Computer Systems
Identifiers
urn:nbn:se:uu:diva-509800 (URN); 10.1145/3579371.3589088 (DOI); 001098723900053 (); 979-8-4007-0095-8 (ISBN)
Conference
50th Annual International Symposium on Computer Architecture (ISCA), JUN 17-21, 2023, Orlando, FL, USA
Funder
Vinnova, 2021-02422; Swedish Research Council, 2018-05254; Swedish Research Council, 2022-04959; Uppsala University; Swedish Foundation for Strategic Research, FUS21-0067
Available from: 2023-08-22. Created: 2023-08-22. Last updated: 2025-09-10. Bibliographically approved.
Chen, X., Aimoniotis, P. & Kaxiras, S. (2023). How addresses are made. In: 2023 IEEE International Symposium on Workload Characterization, IISWC. Paper presented at 26th IEEE International Symposium on Workload Characterization (IISWC), OCT 01-03, 2023, Gent, Belgium (pp. 223-225). Institute of Electrical and Electronics Engineers (IEEE)
2023 (English). In: 2023 IEEE International Symposium on Workload Characterization, IISWC, Institute of Electrical and Electronics Engineers (IEEE), 2023, p. 223-225. Conference paper, Published paper (Refereed)
Abstract [en]

This work uses Dynamic Information Flow Tracking (DIFT) to characterize how memory addresses are made by studying the transformation of data values into memory addresses. We show that in SPEC CPU 2017 benchmarks, a high proportion of values in memory are transformed into memory addresses. The majority of the transformations are done directly without explicit arithmetic instructions. Most of the addresses are made from one or more loaded values.

Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE), 2023
Series
International Symposium on Workload Characterization Proceedings
National Category
Computer Engineering
Identifiers
urn:nbn:se:uu:diva-523358 (URN); 10.1109/IISWC59245.2023.00031 (DOI); 001103166400023 (); 2-s2.0-85177604975 (Scopus ID); 979-8-3503-0317-9 (ISBN); 979-8-3503-0318-6 (ISBN)
Conference
26th IEEE International Symposium on Workload Characterization (IISWC), OCT 01-03, 2023, Gent, Belgium
Funder
Swedish Research Council, 2018-05254; Vinnova, 2021-02422; Swedish Foundation for Strategic Research, FUS21-0067; Swedish Research Council, NAISS 2023/22-203; Swedish Research Council, 2022-06725
Available from: 2024-02-19. Created: 2024-02-19. Last updated: 2025-11-19. Bibliographically approved.
Aimoniotis, P., Kvalsvik, A. B., Chen, X., Själander, M. & Kaxiras, S. (2023). ReCon: Efficient Detection, Management, and Use of Non-Speculative Information Leakage. In: 56th IEEE/ACM International Symposium on Microarchitecture, MICRO 2023. Paper presented at 56th IEEE/ACM International Symposium on Microarchitecture (MICRO), OCT 28-NOV 01, 2023, Toronto, CANADA (pp. 828-842). Association for Computing Machinery (ACM)
2023 (English). In: 56th IEEE/ACM International Symposium on Microarchitecture, MICRO 2023, Association for Computing Machinery (ACM), 2023, p. 828-842. Conference paper, Published paper (Refereed)
Abstract [en]

In a speculative side-channel attack, a secret is improperly accessed and then leaked by passing it to a transmitter instruction. Several proposed defenses effectively close this security hole by either delaying the secret from being loaded or propagated, or by delaying dependent transmitters (e.g., loads) from executing when fed with tainted input derived from an earlier speculative load. This results in a loss of memory-level parallelism and performance. A security definition proposed recently, in which data already leaked in non-speculative execution need not be considered secret during speculative execution, can provide a solution to the loss of performance. However, detecting and tracking non-speculative leakage carries its own cost, increasing complexity. The key insight of our work that enables us to exploit non-speculative leakage as an optimization to other secure speculation schemes is that the majority of non-speculative leakage is simply due to pointer dereferencing (or base-address indexing) - essentially what many secure speculation schemes prevent from taking place speculatively. We present ReCon that: i) efficiently detects non-speculative leakage by limiting detection to pairs of directly-dependent loads that dereference pointers (or index a base-address); and ii) piggybacks non-speculative leakage information on the coherence protocol. In ReCon, the coherence protocol remembers and propagates the knowledge of what has leaked and therefore what is safe to dereference under speculation. 
To demonstrate the effectiveness of ReCon, we show how two state-of-the-art secure speculation schemes, Non-speculative Data Access (NDA) and Speculative Taint Tracking (STT), leverage this information to enable more memory-level parallelism both in a single-core scenario and in a multicore scenario: NDA with ReCon reduces the performance loss by 28.7% for SPEC2017, 31.5% for SPEC2006, and 46.7% for PARSEC; STT with ReCon reduces the loss by 45.1%, 39%, and 78.6%, respectively.

Place, publisher, year, edition, pages
Association for Computing Machinery (ACM), 2023
Keywords
Speculation, side-channels, load pair, non-speculative leakage
National Category
Computer Sciences
Identifiers
urn:nbn:se:uu:diva-525488 (URN); 10.1145/3613424.3623770 (DOI); 001164081800058 (); 979-8-4007-0329-4 (ISBN)
Conference
56th IEEE/ACM International Symposium on Microarchitecture (MICRO), OCT 28-NOV 01, 2023, Toronto, CANADA
Funder
Vinnova, 2021-02422; Swedish Research Council, 2018-05254; Swedish Foundation for Strategic Research, FUS21-0067; Swedish Research Council, 2022-06725
Available from: 2024-03-25. Created: 2024-03-25. Last updated: 2025-09-10. Bibliographically approved.
Chen, X., Aimoniotis, P. & Kaxiras, S. (2022). Clueless: A Tool Characterising Values Leaking as Addresses. In: Proceedings of the 11th International Workshop on Hardware and Architectural Support for Security And Privacy, HASP 2022. Paper presented at 11th International Workshop on Hardware and Architectural Support for Security and Privacy (HASP), October 1, 2022, Chicago, IL (pp. 27-34). Association for Computing Machinery (ACM)
2022 (English). In: Proceedings of the 11th International Workshop on Hardware and Architectural Support for Security And Privacy, HASP 2022, Association for Computing Machinery (ACM), 2022, p. 27-34. Conference paper, Published paper (Refereed)
Abstract [en]

Clueless is a binary instrumentation tool that characterises explicit cache side channel vulnerabilities of programs. It detects the transformation of data values into addresses by tracking dynamic instruction dependencies. Clueless tags data values in memory if it discovers that they are used in address calculations to further access other data. Clueless can report on the amount of data that are used as addresses at each point during execution. It can also be specifically instructed to track certain data in memory (e.g., a password) to see if they are turned into addresses at any point during execution. If they are, it returns a trace of how the tracked data are turned into addresses. We demonstrate Clueless on SPEC 2006 and characterise, for the first time, the amount of data values that are turned into addresses in these programs. We further demonstrate Clueless on a microbenchmark and on a case study. The case study is the different implementations of AES in OpenSSL: T-table, Vector Permutation AES (VPAES), and Intel Advanced Encryption Standard New Instructions (AES-NI). Clueless shows how the encryption key is transformed into addresses in the T-table implementation, while explicit cache side channel vulnerabilities are not detected in the other implementations.

Place, publisher, year, edition, pages
Association for Computing Machinery (ACM), 2022
National Category
Computer Sciences
Identifiers
urn:nbn:se:uu:diva-523359 (URN); 10.1145/3569562.3569566 (DOI); 001135045800004 (); 978-1-4503-9871-8 (ISBN)
Conference
11th International Workshop on Hardware and Architectural Support for Security and Privacy (HASP), October 1, 2022, Chicago, IL
Funder
Swedish Research Council, 2018-05254; Vinnova, 2021-02422; Swedish Foundation for Strategic Research, FUS21-0067
Available from: 2024-02-19. Created: 2024-02-19. Last updated: 2024-02-19. Bibliographically approved.
Aimoniotis, P., Sakalis, C., Själander, M. & Kaxiras, S. (2021). Reorder Buffer Contention: A Forward Speculative Interference Attack for Speculation Invariant Instructions. IEEE Computer Architecture Letters, 20(2), 162-165
2021 (English). In: IEEE Computer Architecture Letters, ISSN 1556-6056, Vol. 20, no 2, p. 162-165. Article in journal (Refereed), Published
Abstract [en]

Speculative side-channel attacks access sensitive data and use transmitters to leak the data during wrong-path execution. Various defenses have been proposed to prevent such information leakage. However, not all speculatively executed instructions are unsafe: recent work demonstrates that speculation invariant instructions are independent of speculative control-flow paths and are guaranteed to eventually commit, regardless of the speculation outcome. Compile-time information coupled with run-time mechanisms can then selectively lift defenses for speculation invariant instructions, reclaiming some of the lost performance. Unfortunately, speculation invariant instructions can easily be manipulated by a form of speculative interference to leak information via a new side-channel that we introduce in this paper. We show that forward speculative interference, where older speculative instructions interfere with younger speculation invariant instructions, effectively turns them into transmitters for secret data accessed during speculation. We demonstrate forward speculative interference on actual hardware by selectively filling the reorder buffer (ROB) with instructions, pushing speculation invariant instructions in or out of the ROB on demand, based on a speculatively accessed secret. This reveals the speculatively accessed secret, as the occupancy of the ROB itself becomes a new speculative side-channel.

Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE), 2021
Keywords
Interference, Transmitters, Hardware, Microarchitecture, Delays, Side-channel attacks, Program processors, Speculative side-channel attacks, security, spectre, speculative interference
National Category
Computer Sciences Computer Systems
Identifiers
urn:nbn:se:uu:diva-460204 (URN); 10.1109/LCA.2021.3123408 (DOI); 000720514300001 ()
Funder
Swedish Research Council, 2015-05159; Swedish Research Council, 2018-05254
Available from: 2022-01-12. Created: 2022-01-12. Last updated: 2025-09-10. Bibliographically approved.
Identifiers
ORCID iD: orcid.org/0000-0001-6602-1988