# CONTEXT-SENSITIVE FENCING: SECURING SPECULATIVE EXECUTION VIA MICROCODE CUSTOMIZATION Mohammadkazem Taram, Ashish Venkat, Dean Tullsen University of California San Diego, University of Virginia # PERFORMANCE V.S. SECURITY ...... # PERFORMANCE V.S. SECURITY ...... # PERFORMANCE V.S. SECURITY # SPECTRE ATTACKS! 25 - ➤ Leak secrets via side-channels + speculative execution - ➤ Any modern processor with a Branch Predictor is vulnerable ``` int Kernel_api_( int x ) { y = array2[array1[x] * 64]; } ``` ``` int Kernel_api_( int x ){ if ( x < array1_size) //bounds check y = array2[array1[x] * 64]; }</pre> ``` Too late to recover — data is exposed via side-channels ``` if ( x < array1_size) y = array2[array1[x] * 64];</pre> ``` ``` if ( x < array1_size) speculative_fence; y = array2[array1[x] * 64];</pre> ``` Only When Necessary Only When Necessary Right Type of Fence Only When Necessary Right Type of Fence No Recompilation # MICRO-OP STREAM CUSTOMIZATION BY CONTEXT-SENSITIVE DECODING "Context-Sensitive Decoding: On-Demand Microcode Customization for Security and Energy Management" ISCA 2018, IEEE Micro Top Picks 2019 # MICRO-OP STREAM CUSTOMIZATION BY CONTEXT-SENSITIVE DECODING "Context-Sensitive Decoding: On-Demand Microcode Customization for Security and Energy Management" ISCA 2018, IEEE Micro Top Picks 2019 #### CONTEXT SENSITIVE FENCING # BUT WHAT FENCE SHOULD WE USE? Existing Intel Fences | Type of Fence | Instruction Opcode | Description | |-----------------------------------------|--------------------|------------------------------------------| | Privileged Serializing Instructions | INVD | Invalidate Internal Caches | | | INVEPT | Invalidate Translations from EPT | | | INVLPG | Invalidate TLB Entries | | | INVVPID | Invalidate Translations Based on VPID | | | LIDT | Load Interrupt Descriptor Table Register | | | LGDT | Load Global Descriptor Table Register | | | LLDT | Load Local Descriptor Table Register | | | LTR | Load Task Register | | | MOV | Move to Control Register | | | MOV | Move to Debug Register | | | WBINVD | Write Back and Invalidate Cache | | | WRMSR | Write to Model Specific Register | | Non-Privileged Serializing Instructions | CPUID | CPU Identification | | | IRET | Interrupt Return | | | RSM | Resume from System Management Mode | | Memory Ordering Instructions | SFENCE | Store Fence | | | LFENCE | Load Fence | | | MFENCE | Memory Fence | # BUT WHAT FENCE SHOULD WE USE? #### Existing Intel Fences | Type of Fence | Instruction Opcode | Description | |-------------------------------------|--------------------|------------------------------------------| | Privileged Serializing Instructions | INVD | Invalidate Internal Caches | | | INVEPT | Invalidate Translations from EPT | | | INVLPG | Invalidate TLB Entries | | Ott Regulire Pri | WILDORG | Arace Stations Based on VPID | | 0-Require Pri | iviicaca. | Load Interrupt Descriptor Table Register | | | LGDT | Load Global Descriptor Table Register | | | LLDT | Load Local Descriptor Table Register | | | | | | Clobber Ar | chitectu | ral Registers | | | MOV | Move to Debug Register | | | 11101 | | | | WBINVD | Write Back and Invalidate Cache | | T. Comments | WKMSK | Write to Model Specific Register | | Enforced E | arry in ti | ne Pipeline | | | IRET | Interrupt Return | | | RSM | Resume from System Management Mode | | Memory Ordering Instructions | SFENCE | Store Fence | | | LFENCE | Load Fence | | | MFENCE | Memory Fence | # EXISTING FENCES: SERIALIZING INSTRUCTIONS (SI) - ➤ Enforced early in the pipeline - ➤ Examples: - ➤ All Serializing Instructions - ➤ Intel's MFENCE - ➤ Intel's SFENCE # EXISTING FENCES: INTEL LFENCE # LATE ENFORCEMENT FENCES ➤ Shifts fence enforcement towards the leaking structure ➤ Reduces the impact on other instructions # LATE ENFORCEMENT FENCES ➤ Shifts fence enforcement towards the leaking structure ➤ Reduces the impact on other instructions # LATE ENFORCEMENT FENCES ➤ Shifts fence enforcement towards the leaking structure ➤ Reduces the impact on other instructions #### NEWLY PROPOSED FENCES - ➤ Load-Store Queue LFENCE (LSQ-LFENCE) - ➤ Load-Store Queue MFENCE (LSQ-MFENCE) - ➤ Reservation Station Fence (RSFENCE) - ➤ Cache Fence (CFENCE) # **CACHE FENCE (CFENCE)** - ➤ Allows all the load and stores to pass - > CFENCE labels any subsequent load as a non-modifying load - > allows non-modifying loads to pass through the CFENCE - ➤ Non-modifying loads are restricted from modifying the cache state. # CACHE FENCE (CFENCE) Normal Load Cache Controller Hit Miss Hit? Fetch Cache Block Update Metadata (LRU bits) from memory **Update Cache** Serve the request # CACHE FENCE (CFENCE) Non-Modifying Load Cache Controller ### RESULTS — FENCE ENFORCEMENT POLICIES ➤ Our CFENCE reduces the incurred performance overhead by 2.3X, bringing down the execution time overhead from 48% to 21%. ### CONTEXT SENSITIVE FENCING > Surgically injects fence micro-ops ➤ Liberal Injection | | Injects fences | before all th | e loads of a program | jeg | |--|----------------|---------------|----------------------|-----| |--|----------------|---------------|----------------------|-----| completely stops speculation add ld ld ➤ Liberal Injection ➤ Injects fences before all the loads of a program > completely stops speculation jeq Fence ld add Fence ld Fence ld ➤ Basic Block-Level Fence Insertion\* ➤ Speculation begins with a branch prediction ➤ A fence between branch and subsequent loads Fence ld add jeq Fence ld Fence ld <sup>\*</sup> Targeted Optimization — Only protects against variant 1 ➤ Basic Block-Level Fence Insertion > Speculation begins with a branch prediction ➤ We want a fence between each branch and subsequent loads jeq Fence ld add **1**d 1d <sup>\*</sup> Targeted Optimization — Only protects against variant 1 - ➤ Taint-Based Fence Insertion - ➤ Even one fence per basic block is too conservative - ➤ Attacker performs operations based on untrusted data (e.g., attacker controlled out of bound index) - ➤ Insert fences for only vulnerable loads that operate on untrusted data - ➤ Dynamic Information Flow Tracker (DIFT) ### DLIFT- AN INFORMATION FLOW TRACKER FOR SPECTRE ERA - ➤ Classic Information Flow Trackers - ➤ Maintain and Evaluate Taints at Late Stages of the Pipeline - ➤ Not so useful for Spectre! ### DLIFT- AN INFORMATION FLOW TRACKER FOR SPECTRE ERA - ➤ Classic Information Flow Trackers - ➤ Maintain and Evaluate Taints at Late Stages of the Pipeline - ➤ Not so useful for Spectre! ### DLIFT- AN INFORMATION FLOW TRACKER FOR SPECTRE ERA - ➤ Classic Information Flow Trackers - ➤ Maintain and Evaluate Taints at Late Stages of the Pipeline Commit Commit Logic | Register | Tainted | |----------|---------| | rax | No | | rbx | Yes | Commit Commit Logic | Register | Tainted | |----------|---------| | rax | No | | rbx | Yes | Commit Commit Logic | Register | Tainted | |----------|---------| | rax | No | | rbx | Yes | Commit Commit Logic | Register | Tainted | |----------|---------| | rax | No | | rbx | Yes | Commit Commit Logic | Register | Tainted | |----------|---------| | rax | No | | rbx | Yes | No Yes Commit **Commit** Logic | Register | Tainted | |----------|---------| | rax | No | | rbx | Yes | No Yes **Tainted** No Yes **Commit** Logic | Register | Tainted | |----------|---------| | rax | No | | rbx | Yes | ### RESULTS — FENCE FREQUENCY OPTIMIZATION ➤ Taint-Based CFENCE injection reduces the performance overhead to just 7.7% ## CONTEXT-SENSITIVE FENCING # Low Performance Overhead ## CONTEXT-SENSITIVE FENCING Low Performance Overhead No Recompilation ### CONTEXT-SENSITIVE FENCING # THANKS! QUESTIONS?