We gratefully acknowledge support from
the Simons Foundation and member institutions.
Full-text links:

Download:

Current browse context:

cs.CR

Change to browse by:

References & Citations

DBLP - CS Bibliography

Bookmark

(what is this?)
CiteULike logo BibSonomy logo Mendeley logo del.icio.us logo Digg logo Reddit logo ScienceWISE logo

Computer Science > Cryptography and Security

Title: "It's a Trap!"-How Speculation Invariance Can Be Abused with Forward Speculative Interference

Abstract: Speculative side-channel attacks access sensitive data and use transmitters to leak the data during wrong-path execution. Various defenses have been proposed to prevent such information leakage. However, not all speculatively executed instructions are unsafe: Recent work demonstrates that speculation invariant instructions are independent of speculative control-flow paths and are guaranteed to eventually commit, regardless of the speculation outcome. Compile-time information coupled with run-time mechanisms can then selectively lift defenses for speculation invariant instructions, reclaiming some of the lost performance.
Unfortunately, speculation invariant instructions can easily be manipulated by a form of speculative interference to leak information via a new side-channel that we introduce in this paper. We show that forward speculative interference whereolder speculative instructions interfere with younger speculation invariant instructions effectively turns them into transmitters for secret data accessed during speculation. We demonstrate forward speculative interference on actual hardware, by selectively filling the reorder buffer (ROB) with instructions, pushing speculative invariant instructions in-or-out of the ROB on demand, based on a speculatively accessed secret. This reveals the speculatively accessed secret, as the occupancy of the ROB itself becomes a new speculative side-channel.
Comments: Presented at IEEE International Symposium On Secure And Private Execution Enviroment Design (SEED) 2021
Subjects: Cryptography and Security (cs.CR); Hardware Architecture (cs.AR)
Cite as: arXiv:2109.10774 [cs.CR]
  (or arXiv:2109.10774v1 [cs.CR] for this version)

Submission history

From: Pavlos Aimoniotis [view email]
[v1] Wed, 22 Sep 2021 14:58:31 GMT (458kb,D)

Link back to: arXiv, form interface, contact.