## UC San Diego

#### JACOBS SCHOOL OF ENGINEERING

**Computer Science and Engineering** 

# **CONTEXT-SENSITIVE FENCING:** Securing speculative execution via microcode customization

Mohammadkazem Taram, Ashish Venkat, Dean Tullsen University of California San Diego, University of Virginia





## PERFORMANCE V.S. SECURITY



## PERFORMANCE V.S. SECURITY



## PERFORMANCE V.S. SECURITY









- ► Leak secrets via side-channels + speculative execution
- Any modern processor with a Branch Predictor is vulnerable







### int Kernel\_api\_( int x ) {

y = array2[array1[x] \* 64];







## int Kernel\_api\_( int x ) { if ( x < array1\_size) //bounds check</pre> y = array2[array1[x] \* 64];







## int Kernel api\_( int x ) { Mispredicted if ( x < array1\_size) //bounds check y = array2[array1[x] \* 64]; //not taken/fallthrough code









## int Kernel api ( int x ) { Mispredicted if ( x < array1\_size) //bounds check y = array2[array1[x] \* 64]; //not taken/fallthrough code

Too late to recover — data is exposed via side-channels









## Restricting Speculation Using Fences and Barriers:





## Restricting Speculation Using Fences and Barriers:

if ( x < array1\_size)</pre>



y = array2[array1[x] \* 64];



## Restricting Speculation Using Fences and Barriers:

- if ( x < array1 size)</pre>
  - speculative fence;



y = array2[array1[x] \* 64];



## Restricting Speculation Using Fences and Barriers:



## y = array2[array1[x] \* 64];Up to 10x Performance Overhead!

O. Oleksenko, B. Trach, T. Reiher, M. Silberstein, and C.Fetzer. 2018. You Shall Not Bypass



Surgically injects fence micro-ops



## Surgically injects fence micro-ops



#### Only When Necessary

• • • •



## Surgically injects fence micro-ops



#### Right Type of Fence Only When Necessary





## Surgically injects fence micro-ops



#### Only When Necessary













"Context-Sensitive Decoding: On-Demand Microcode Customization for Security and Energy Management" ISCA 2018, IEEE Micro Top Picks 2019



"Context-Sensitive Decoding: On-Demand Microcode Customization for Security and Energy Management" ISCA 2018, IEEE Micro Top Picks 2019



• • • •



• • • •



• • • •



• • • •







## **CONTEXT SENSITIVE FENCING**

## Surgically injects fence micro-ops



#### Right Type of Fence No Recompilation

#### Only When Necessary







# **BUT WHAT FENCE SHOULD WE USE?**

### Existing Intel Fences

| Type of Fence                           | Instruction Opcode | Description                              |
|-----------------------------------------|--------------------|------------------------------------------|
| Privileged Serializing Instructions     | INVD               | Invalidate Internal Caches               |
|                                         | INVEPT             | Invalidate Translations from EPT         |
|                                         | INVLPG             | Invalidate TLB Entries                   |
|                                         | INVVPID            | Invalidate Translations Based on VPID    |
|                                         | LIDT               | Load Interrupt Descriptor Table Register |
|                                         | LGDT               | Load Global Descriptor Table Register    |
|                                         | LLDT               | Load Local Descriptor Table Register     |
|                                         | LTR                | Load Task Register                       |
|                                         | MOV                | Move to Control Register                 |
|                                         | MOV                | Move to Debug Register                   |
|                                         | WBINVD             | Write Back and Invalidate Cache          |
|                                         | WRMSR              | Write to Model Specific Register         |
| Non-Privileged Serializing Instructions | CPUID              | CPU Identification                       |
|                                         | IRET               | Interrupt Return                         |
|                                         | RSM                | Resume from System Management Mode       |
| Memory Ordering Instructions            | SFENCE             | Store Fence                              |
|                                         | LFENCE             | Load Fence                               |
|                                         | MFENCE             | Memory Fence                             |

• • • • •

# **BUT WHAT FENCE SHOULD WE USE?**

### Existing Intel Fences

|                                        | 0                  |                                                                                                    |  |  |
|----------------------------------------|--------------------|----------------------------------------------------------------------------------------------------|--|--|
| Type of Fence                          | Instruction Opcode | Description                                                                                        |  |  |
| Privileged Serializing Instructions    | INVD               | Invalidate Internal Caches                                                                         |  |  |
|                                        | INVEPT             | Invalidate Translations from EPT                                                                   |  |  |
|                                        | INVLPG             | Invalidate TLB Entries<br>Accessitations Based on VPID<br>Load Interrupt Descriptor Table Register |  |  |
| $0 \rightarrow \pi Regime Pr$          | ivi eged           | ACCESSIations Based on VPID                                                                        |  |  |
|                                        |                    | Load Interrupt Descriptor Table Register                                                           |  |  |
|                                        | LGDT               | Load Global Descriptor Table Register                                                              |  |  |
|                                        | LLDT               | Load Local Descriptor Table Register                                                               |  |  |
|                                        |                    | Lold TD Registrate and                                                                             |  |  |
| <b>Clobber Architectural Registers</b> |                    |                                                                                                    |  |  |
|                                        | MOV                | Move to Debug Register                                                                             |  |  |
|                                        | WBINVD             | Write Back and Invalidate Cache                                                                    |  |  |
|                                        | WRMSR              | Write to Model Specific Register                                                                   |  |  |
| Enforced E                             | arvint             | he Pine ine                                                                                        |  |  |
|                                        | RET C              | Interrupt Return                                                                                   |  |  |
|                                        | RSM                | Resume from System Management Mode                                                                 |  |  |
| Memory Ordering Instructions           | SFENCE             | Store Fence                                                                                        |  |  |
|                                        | LFENCE             | Load Fence                                                                                         |  |  |
|                                        | MFENCE             | Memory Fence                                                                                       |  |  |
|                                        | MFENCE             | Memory Fence                                                                                       |  |  |

• • • • •

# EXISTING FENCES: SERIALIZING INSTRUCTIONS (SI)



- Enforced early in the pipeline
- ► Examples:
  - All Serializing Instructions
  - ► Intel's MFENCE
  - ► Intel's SFENCE



## **EXISTING FENCES: INTEL LFENCE**



- ► Enforced early in the pipeline
- ► Example:
  - ► Intel's LFENCE

## LATE ENFORCEMENT FENCES

Macro-op Stream

- Shifts fence enforcement towards the leaking structure
- ► Reduces the impact on other instructions



## LATE ENFORCEMENT FENCES

Macro-op Stream

- Shifts fence enforcement towards the leaking structure
- ► Reduces the impact on other instructions



## LATE ENFORCEMENT FENCES

Macro-op Stream

- Shifts fence enforcement towards the leaking structure
- ► Reduces the impact on other instructions



# **NEWLY PROPOSED FENCES**

- Load-Store Queue LFENCE (LSQ-LFENCE)
- Load-Store Queue MFENCE (LSQ-MFENCE)
- ► Reservation Station Fence (RSFENCE)
- ► Cache Fence (CFENCE)



# CACHE FENCE (CFENCE)

- ► Allows all the load and stores to pass
- CFENCE labels any subsequent load as a non-modifying load
- allows non-modifying loads to pass through the CFENCE
- ► Non-modifying loads are restricted from modifying the cache state.



a *non-modifying load* ogh the *CFENCE* om modifying the cache state

Non-Modifying Non-Modifying . . . .

## CACHE FENCE (CFENCE)

#### Cache Controller



#### Normal Load

. . . .

## CACHE FENCE (CFENCE)

. . .

### Cache Controller



#### Non-Modifying Load

. . . .

## **RESULTS — FENCE ENFORCEMENT POLICIES**

## Our CFENCE reduces the incurred performance overhead by 2.3X, bringing down the execution time overhead from 48% to 21%.

2.001.95 1.901.851.801.75≝ 1.70 ⊢ 1.65 1.65Execution 1.601.551.50Normalized 1.451.401.351.301.251.201.151.10 -1.051.00



## **CONTEXT SENSITIVE FENCING**

## Surgically injects fence micro-ops



## **Right Type of Fence** No Recompilation

## Only When Necessary









- Liberal Injection
  - Injects fences before all the loads of a program
  - completely stops speculation

jeq **1**d add **ld 1d** 

- Liberal Injection
  - Injects fences before all the loads of a program
  - completely stops speculation

jeq Fence **ld** add Fence **ld** Fence **1d** 

- Basic Block-Level Fence Insertion\*
  - Speculation begins with a branch prediction
  - ► A fence between branch and subsequent loads

\* Targeted Optimization — Only protects against variant 1

ediction uent loads jeq Fence **ld** add Fence **ld** Fence **1d** 

. . . .

- ► Basic Block-Level Fence Insertion
  - Speculation begins with a branch prediction
  - ► We want a fence between each branch and subsequent loads

\* Targeted Optimization — Only protects against variant 1

jeq Fence **ld** add **1d ld** 



- ► Taint-Based Fence Insertion
  - Even one fence per basic block is too conservative
  - > Attacker performs operations based on untrusted data (e.g., attacker controlled out of bound index)

  - Insert fences for only vulnerable loads that operate on untrusted data Dynamic Information Flow Tracker (DIFT)

## **DLIFT- AN INFORMATION FLOW TRACKER FOR SPECTRE ERA**

- ► Classic Information Flow Trackers
  - Maintain and Evaluate Taints at Late Stages of the Pipeline
  - Not so useful for Spectre!





## **DLIFT- AN INFORMATION FLOW TRACKER FOR SPECTRE ERA**

- Classic Information Flow Trackers
  - Maintain and Evaluate Taints at Late Stages of the Pipeline
  - ► Not so useful for Spectre!



# **DLIFT- AN INFORMATION FLOW TRACKER FOR SPECTRE ERA**

- Classic Information Flow Trackers
  - Maintain and Evaluate Taints at Late Stages of the Pipeline
  - ► Not so useful for Specific Ct

The Threat before

# It's too late.





| Register        | Tainted  |
|-----------------|----------|
| rax             | No       |
| rbx             | No       |
| Spoculativo Tai | a + Mata |

Speculative Taint Map

Reg. File

## Execute



## Commit

Commit Logic

| Register | Tai |
|----------|-----|
| rax      | ľ   |
| rbx      | Y   |







| Register         | Tainted |
|------------------|---------|
| rax              | No      |
| rbx              | No      |
| Speculative Tair | t Man   |

Speculative Taint Map

Reg. File

## Execute



## Commit

Commit Logic

| Register | Tai |
|----------|-----|
| rax      | ľ   |
| rbx      | Y   |







## Commit

Commit Logic

| Register | Tai |
|----------|-----|
| rax      | ľ   |
| rbx      | Y   |







## Commit

Commit Logic

| Register | Tai |
|----------|-----|
| rax      | ľ   |
| rbx      | Y   |











Commit

Commit Logic

| Register | Tai |
|----------|-----|
| rax      | 1   |
| rbx      | Y   |









Execute ld t1, (%rbx) add t1, %rax, %rax **Taint Evaluator** Taint **Taint** TLB

Commit

Commit

Logic

**Under-Tainted?** 

| Register | Tai |
|----------|-----|
| rax      | N   |
| rbx      | Y   |









Under-

Commit

Commit

Logic

| -Tainted? |  |
|-----------|--|
|           |  |

| Register | Taiı |
|----------|------|
| rax      | N    |
| rbx      | Y    |























## **RESULTS — FENCE FREQUENCY OPTIMIZATION**

## ► Taint-Based CFENCE injection reduces the performance overhead to just 7.7%







## **CONTEXT-SENSITIVE FENCING**



## Low Performance Overhead

## **CONTEXT-SENSITIVE FENCING**



## Low Performance Overhead



No Recompilation

## **CONTEXT-SENSITIVE FENCING**



## Low Performance Overhead

## No Recompilation

## Minimal Changes to Processor

# THANKS! QUESTIONS?