SpectreCheck: An Approach to Detecting Speculative Execution Side Channels in Data Cache

Haifeng Gu; Mingsong Chen; Yanzhao Wang; Fei Xie

doi:10.1109/ICESS49830.2020.9301601

SpectreCheck: An Approach to Detecting Speculative Execution Side Channels in Data Cache

Haifeng Gu
, Mingsong Chen
, Yanzhao Wang
, Fei Xie

East China Normal University
Portland State University

科研成果: 书/报告/会议事项章节 › 会议稿件 › 同行评审

2 引用（Scopus）

摘要

Speculative execution has been widely used in modern CPU designs. This technique improves the CPU performance significantly. However, it may introduce the speculative execution side channels which can be exploited by attackers maliciously, such as the well-known Spectre attack. Although Spectre can expose the speculative execution side channels in data cache, it relies heavily on the training of branch predictors and timing analysis of the target physical processor. Thereby, it is difficult to predict if Spectre attack on processors that are under design in the early stage can succeed or not. For future white-box processors under design, how to identify the speculative execution side channels in data cache in the early stage is an important issue. To address this problem, we propose an approach to generating branch directions (including mis-predictions) of conditional branch instructions based on Instruction Set Architecture simulation. The predictions of the branch predictor in the processor under design will be guided by these branch directions to trigger the speculative execution side channels in data cache for detection. In our experiments, the RISC-V BOOM processor is used as a case study where the speculative execution side channel in data cache can be detected by our approach.

源语言	英语
主期刊名	2020 IEEE International Conference on Embedded Software and Systems, ICESS 2020
出版商	Institute of Electrical and Electronics Engineers Inc.
ISBN（电子版）	9781728164663
DOI	https://doi.org/10.1109/ICESS49830.2020.9301601
出版状态	已出版 - 10 12月 2020
已对外发布	是
活动	2020 IEEE International Conference on Embedded Software and Systems, ICESS 2020 - Shanghai, 中国期限: 10 12月 2020 → 11 12月 2020

出版系列

姓名	2020 IEEE International Conference on Embedded Software and Systems, ICESS 2020

会议

会议	2020 IEEE International Conference on Embedded Software and Systems, ICESS 2020
国家/地区	中国
市	Shanghai
时期	10/12/20 → 11/12/20

访问文件

10.1109/ICESS49830.2020.9301601

其它文件与链接

链接到 Scopus 的出版物

引用此

Gu, H., Chen, M., Wang, Y., & Xie, F. (2020). SpectreCheck: An Approach to Detecting Speculative Execution Side Channels in Data Cache. 在 2020 IEEE International Conference on Embedded Software and Systems, ICESS 2020 文章 9301601 (2020 IEEE International Conference on Embedded Software and Systems, ICESS 2020). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/ICESS49830.2020.9301601

@inproceedings{2af8cbb8910c47508a8bda962fc0c1b2,

title = "SpectreCheck: An Approach to Detecting Speculative Execution Side Channels in Data Cache",

abstract = "Speculative execution has been widely used in modern CPU designs. This technique improves the CPU performance significantly. However, it may introduce the speculative execution side channels which can be exploited by attackers maliciously, such as the well-known Spectre attack. Although Spectre can expose the speculative execution side channels in data cache, it relies heavily on the training of branch predictors and timing analysis of the target physical processor. Thereby, it is difficult to predict if Spectre attack on processors that are under design in the early stage can succeed or not. For future white-box processors under design, how to identify the speculative execution side channels in data cache in the early stage is an important issue. To address this problem, we propose an approach to generating branch directions (including mis-predictions) of conditional branch instructions based on Instruction Set Architecture simulation. The predictions of the branch predictor in the processor under design will be guided by these branch directions to trigger the speculative execution side channels in data cache for detection. In our experiments, the RISC-V BOOM processor is used as a case study where the speculative execution side channel in data cache can be detected by our approach.",

keywords = "Branch Prediction, Out-of-Order Execution, RISC-V, Side Channel, Speculative Execution",

author = "Haifeng Gu and Mingsong Chen and Yanzhao Wang and Fei Xie",

note = "Publisher Copyright: {\textcopyright} 2020 IEEE.; 2020 IEEE International Conference on Embedded Software and Systems, ICESS 2020 ; Conference date: 10-12-2020 Through 11-12-2020",

year = "2020",

month = dec,

day = "10",

doi = "10.1109/ICESS49830.2020.9301601",

language = "英语",

series = "2020 IEEE International Conference on Embedded Software and Systems, ICESS 2020",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

booktitle = "2020 IEEE International Conference on Embedded Software and Systems, ICESS 2020",

address = "美国",

}

Gu, H, Chen, M, Wang, Y & Xie, F 2020, SpectreCheck: An Approach to Detecting Speculative Execution Side Channels in Data Cache. 在 2020 IEEE International Conference on Embedded Software and Systems, ICESS 2020., 9301601, 2020 IEEE International Conference on Embedded Software and Systems, ICESS 2020, Institute of Electrical and Electronics Engineers Inc., 2020 IEEE International Conference on Embedded Software and Systems, ICESS 2020, Shanghai, 中国, 10/12/20. https://doi.org/10.1109/ICESS49830.2020.9301601

SpectreCheck: An Approach to Detecting Speculative Execution Side Channels in Data Cache. / Gu, Haifeng; Chen, Mingsong; Wang, Yanzhao 等.
2020 IEEE International Conference on Embedded Software and Systems, ICESS 2020. Institute of Electrical and Electronics Engineers Inc., 2020. 9301601 (2020 IEEE International Conference on Embedded Software and Systems, ICESS 2020).

科研成果: 书/报告/会议事项章节 › 会议稿件 › 同行评审

TY - GEN

T1 - SpectreCheck

T2 - 2020 IEEE International Conference on Embedded Software and Systems, ICESS 2020

AU - Gu, Haifeng

AU - Chen, Mingsong

AU - Wang, Yanzhao

AU - Xie, Fei

PY - 2020/12/10

Y1 - 2020/12/10

N2 - Speculative execution has been widely used in modern CPU designs. This technique improves the CPU performance significantly. However, it may introduce the speculative execution side channels which can be exploited by attackers maliciously, such as the well-known Spectre attack. Although Spectre can expose the speculative execution side channels in data cache, it relies heavily on the training of branch predictors and timing analysis of the target physical processor. Thereby, it is difficult to predict if Spectre attack on processors that are under design in the early stage can succeed or not. For future white-box processors under design, how to identify the speculative execution side channels in data cache in the early stage is an important issue. To address this problem, we propose an approach to generating branch directions (including mis-predictions) of conditional branch instructions based on Instruction Set Architecture simulation. The predictions of the branch predictor in the processor under design will be guided by these branch directions to trigger the speculative execution side channels in data cache for detection. In our experiments, the RISC-V BOOM processor is used as a case study where the speculative execution side channel in data cache can be detected by our approach.

AB - Speculative execution has been widely used in modern CPU designs. This technique improves the CPU performance significantly. However, it may introduce the speculative execution side channels which can be exploited by attackers maliciously, such as the well-known Spectre attack. Although Spectre can expose the speculative execution side channels in data cache, it relies heavily on the training of branch predictors and timing analysis of the target physical processor. Thereby, it is difficult to predict if Spectre attack on processors that are under design in the early stage can succeed or not. For future white-box processors under design, how to identify the speculative execution side channels in data cache in the early stage is an important issue. To address this problem, we propose an approach to generating branch directions (including mis-predictions) of conditional branch instructions based on Instruction Set Architecture simulation. The predictions of the branch predictor in the processor under design will be guided by these branch directions to trigger the speculative execution side channels in data cache for detection. In our experiments, the RISC-V BOOM processor is used as a case study where the speculative execution side channel in data cache can be detected by our approach.

KW - Branch Prediction

KW - Out-of-Order Execution

KW - RISC-V

KW - Side Channel

KW - Speculative Execution

UR - https://www.scopus.com/pages/publications/85099456521

U2 - 10.1109/ICESS49830.2020.9301601

DO - 10.1109/ICESS49830.2020.9301601

M3 - 会议稿件

AN - SCOPUS:85099456521

T3 - 2020 IEEE International Conference on Embedded Software and Systems, ICESS 2020

BT - 2020 IEEE International Conference on Embedded Software and Systems, ICESS 2020

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 10 December 2020 through 11 December 2020

ER -

Gu H, Chen M, Wang Y, Xie F. SpectreCheck: An Approach to Detecting Speculative Execution Side Channels in Data Cache. 在 2020 IEEE International Conference on Embedded Software and Systems, ICESS 2020. Institute of Electrical and Electronics Engineers Inc. 2020. 9301601. (2020 IEEE International Conference on Embedded Software and Systems, ICESS 2020). doi: 10.1109/ICESS49830.2020.9301601

SpectreCheck: An Approach to Detecting Speculative Execution Side Channels in Data Cache

摘要

出版系列

会议

访问文件

其它文件与链接

指纹

引用此