Speculative Taint Tracking (STT)

Yu, Jun; Yan, Mengjia; Khyzha, Artem; Morrison, Adam; Torrellas, Josep; Fletcher, Christopher W.

doi:10.1145/3352460.3358274

Cited by 75 publications

(4 citation statements)

References 31 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Though existing processors provide only coarse grained control over speculation through memory fence instructions, this might change in the future. For example, recently proposed microprocessor designs [Taram et al 2019;Yu et al 2019] provide new hardware mechanisms to control speculation, in particular to restrict targeted types of speculation while allowing other speculation to proceed: this suggests that protect could be implemented efficiently in hardware in the future.…”

Section: Eliminating Speculative Leaksmentioning

confidence: 99%

“…InvisiSpec [Yan et al 2018] features a special speculative buffer to prevent speculative loads from polluting the cache. STT [Yu et al 2019] tracks speculative taints dynamically inside the processor micro-architecture and stalls instructions to prevent speculative leaks. propose ConTExT, a whole architecture change (applications, compilers, operating systems, and hardware) to eliminate all Spectre attacks.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Automatically eliminating speculative leaks from cryptographic code with blade

Vassena

Disselkoen

Gleissenthall

et al. 2021

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

We introduce Blade, a new approach to automatically and efficiently eliminate speculative leaks from cryptographic code. Blade is built on the insight that to stop leaks via speculative execution, it suffices to cut the dataflow from expressions that speculatively introduce secrets ( sources ) to those that leak them through the cache ( sinks ), rather than prohibit speculation altogether. We formalize this insight in a static type system that (1) types each expression as either transient , i.e., possibly containing speculative secrets or as being stable , and (2) prohibits speculative leaks by requiring that all sink expressions are stable. Blade relies on a new abstract primitive, protect , to halt speculation at fine granularity. We formalize and implement protect using existing architectural mechanisms, and show how Blade’s type system can automatically synthesize a minimal number of protect s to provably eliminate speculative leaks. We implement Blade in the Cranelift WebAssembly compiler and evaluate our approach by repairing several verified, yet vulnerable WebAssembly implementations of cryptographic primitives. We find that Blade can fix existing programs that leak via speculation automatically , without user intervention, and efficiently even when using fences to implement protect .

show abstract

Section: Eliminating Speculative Leaksmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Automatically eliminating speculative leaks from cryptographic code with blade

Vassena

Disselkoen

Gleissenthall

et al. 2021

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

show abstract

“…Our current work, delay-on-miss [12], delays all speculative loads until they are certain to be retired (Section 5). Conditional Speculation [18], NDA [19], Speculative Taint Tracking (STT) [20], SpectreGuard [21], and Context [22] keep track of the flow of information during execution and prevent any speculatively loaded data from being used by any "unsafe" instruction. The advantage of such solutions is that the changes required are mostly isolated in the core, instead of being pervasive in the whole memory hierarchy and the coherence protocol.…”

Section: The State-of-the-artmentioning

confidence: 99%

“…Delay-on-miss differs from mechanisms such as NDA [19] or STT [20], as both NDA and STT allow for speculative loads to be executed but delay all dependent instructions. This is based on the insight that for a secret to be leaked, it has to be loaded first.…”

Section: Delay-on-missmentioning

confidence: 99%

Understanding Selective Delay as a Method for Efficient Secure Speculative Execution

Sakalis

Ros

Jimborean

et al. 2020

IEEE Trans. Comput.

View full text Add to dashboard Cite

Since the introduction of Meltdown and Spectre, the research community has been tirelessly working on speculative side-channel attacks and on how to shield computer systems from them. To ensure that a system is protected not only from all the currently known attacks but also from future, yet to be discovered, attacks, the solutions developed need to be general in nature, covering a wide array of system components, while at the same time keeping the performance, energy, area, and implementation complexity costs at a minimum. One such solution is our own delay-on-miss, which efficiently protects the memory hierarchy by i) selectively delaying speculative load instructions and ii) utilizing value prediction as an invisible form of speculation. In this work we dive deeper into delay-on-miss, offering insights into why and how it affects the performance of the system. We also reevaluate value prediction as an invisible form of speculation. Specifically, we focus on the implications that delaying memory loads has in the memory level parallelism of the system and how this affects the value predictor and the overall performance of the system. We present new, updated results but more importantly, we also offer deeper insight into why delay-on-miss works so well and what this means for the future of secure speculative execution.

show abstract

Specularizer : Detecting Speculative Execution Attacks via Performance Tracing

Wang

Chen

Cheng³

et al. 2021

Detection of Intrusions and Malware, and Vulnerability Assessment

View full text Add to dashboard Cite

This paper presents Specularizer, a framework for uncovering speculative execution attacks using performance tracing features available in commodity processors. It is motivated by the practical difficulty of eradicating such vulnerabilities in the design of CPU hardware and operating systems and the principle of defense-in-depth. The key idea of Specularizer is the use of Hardware Performance Counters and Processor Trace to perform lightweight monitoring of production applications and the use of machine learning techniques for identifying the occurrence of the attacks during offline forensics analysis. Different from prior works that use performance counters to detect side-channel attacks, Specularizer monitors triggers of the critical paths of the speculative execution attacks, thus making the detection mechanisms robust to different choices of side channels used in the attacks. To evaluate Specularizer, we model all known types of exception-based and misprediction-based speculative execution attacks and automatically generate thousands of attack variants. Experimental results show that Specularizer yields superior detection accuracy and the online tracing of Specularizer incur reasonable overhead.

show abstract

Speculative Taint Tracking (STT)

Cited by 75 publications

References 31 publications

Automatically eliminating speculative leaks from cryptographic code with blade

Automatically eliminating speculative leaks from cryptographic code with blade

Understanding Selective Delay as a Method for Efficient Secure Speculative Execution

Specularizer : Detecting Speculative Execution Attacks via Performance Tracing

Contact Info

Product

Resources

About