Reorder Buffer Contention: A Forward Speculative Interference Attack for Speculation Invariant Instructions
- 27 October 2021
- journal article
- research article
- Published by Institute of Electrical and Electronics Engineers (IEEE) in IEEE Computer Architecture Letters
- Vol. 20 (2), 162-165
- https://doi.org/10.1109/lca.2021.3123408
Abstract
Speculative side-channel attacks access sensitive data and use transmitters to leak the data during wrong-path execution. Various defenses have been proposed to prevent such information leakage. However, not all speculatively executed instructions are unsafe: Recent work demonstrates that speculation invariant instructions are independent of speculative control-flow paths and are guaranteed to eventually commit, regardless of the speculation outcome. Compile-time information coupled with run-time mechanisms can then selectively lift defenses for speculation invariant instructions, reclaiming some of the lost performance. Unfortunately, speculation invariant instructions can easily be manipulated by a form of speculative interference to leak information via a new side-channel that we introduce in this paper. We show that forward speculative interference where older speculative instructions interfere with younger speculation invariant instructions effectively turns them into transmitters for secret data accessed during speculation. We demonstrate forward speculative interference on actual hardware, by selectively filling the reorder buffer (ROB) with instructions, pushing speculative invariant instructions in-or-out of the ROB on demand, based on a speculatively accessed secret. This reveals the speculatively accessed secret, as the occupancy of the ROB itself becomes a new speculative side-channel.Keywords
Funding Information
- Microsoft Research (2021-020)
- Vetenskapsrådet (2015-05159, 2018-05254)
This publication has 13 references indexed in Scilit:
- MuonTrap: Preventing Cross-Domain Spectre-Like Attacks by Capturing Speculative StatePublished by Institute of Electrical and Electronics Engineers (IEEE) ,2020
- Speculative Taint Tracking (STT)Published by Association for Computing Machinery (ACM) ,2019
- CleanupSpecPublished by Association for Computing Machinery (ACM) ,2019
- SpecShield: Shielding Speculative Data from Microarchitectural Covert ChannelsPublished by Institute of Electrical and Electronics Engineers (IEEE) ,2019
- Efficient invisible speculative execution through selective delay and value predictionPublished by Association for Computing Machinery (ACM) ,2019
- SafeSpecPublished by Association for Computing Machinery (ACM) ,2019
- Spectre Attacks: Exploiting Speculative ExecutionPublished by Institute of Electrical and Electronics Engineers (IEEE) ,2019
- Ghost loadsPublished by Association for Computing Machinery (ACM) ,2019
- Context-Sensitive FencingPublished by Association for Computing Machinery (ACM) ,2019
- InvisiSpec: Making Speculative Execution Invisible in the Cache HierarchyPublished by Institute of Electrical and Electronics Engineers (IEEE) ,2018