
Secure Processor Architectures

  • Living reference work entry
Handbook of Computer Architecture

Abstract

Over the last two decades, an evolving cyber-threat landscape has brought the trade-off between security and performance in modern microprocessors to center stage. The isolation guarantees that hardware is meant to enforce between processes, and between privilege levels, have been breached in several real-world scenarios. Features such as superscalar issue, out-of-order execution, simultaneous multi-threading (SMT), and speculative execution are critical to performance, but they are also the foundation of a potent class of attacks termed transient micro-architectural attacks. These attacks exploit hardware resources that are shared during speculative and out-of-order execution: a load executed on a mispredicted or faulting path is squashed architecturally, yet its effect on shared state such as the cache survives and can be observed to recover the data it touched. Researchers have used such attacks to read memory belonging to the operating system (OS) and to trusted execution environments (TEEs), and thereby to break hardware-enforced isolation.

Over the years, several variants of transient micro-architectural attacks have been developed. Although the variants differ in the shared hardware resource they exploit, they follow a common strategy. This chapter presents a panoramic view of security concerns in modern CPUs, focusing on the mechanisms of these attacks and providing a classification of the variants. The authors then discuss state-of-the-art defense mechanisms for mitigating them.
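The common strategy described above, as an added example that is not part of the chapter: the Spectre variant-1 bounds-check-bypass gadget beside two hardened forms, branchless index masking (the arithmetic used by the Linux kernel's array_index_nospec()) and a speculation barrier (LFENCE on x86). The victim layout, the 256-slot probe array standing in for a cache line per byte value, the touch-counting "receiver" standing in for a Flush+Reload timing scan, and all function names are constructed for illustration; GCC or Clang is assumed for the inline assembly. The code cannot reproduce the transient leak itself, which depends on the branch predictor and on timing, but it shows which byte the mispredicted path would load and how each mitigation changes that.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/* Added example, not the chapter's code. Victim layout, probe array and names are constructed. */

#define PUBLIC_LEN 16u

/* One contiguous object, so an index just past pub[] lands in secret[]: the
 * victim's memory as a transient out-of-bounds load would see it. */
static const struct { uint8_t pub[PUBLIC_LEN]; uint8_t secret[8]; } victim = {
    { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 },
    { 'S', 'E', 'C', 'R', 'E', 'T', '!', '!' }
};

/* 256 slots, one per byte value, each standing for a cache line the gadget may
 * pull in. A real receiver times reloads (Flush+Reload); this one counts. */
static uint32_t probe_touches[256];

/* Byte a transient load of pub[idx] fetches for an out-of-bounds idx. Reading
 * through a uint8_t pointer over the whole object keeps this well defined. */
uint8_t transient_load(size_t idx) {
    const uint8_t *flat = (const uint8_t *)&victim;
    return idx < sizeof victim ? flat[idx] : 0;
}

/* Vulnerable gadget. Architecturally an out-of-bounds idx returns untouched.
 * Micro-architecturally, a predictor trained on in-bounds calls runs the body
 * before the compare resolves; the load is squashed, the cache line stays. */
void gadget_unsafe(size_t idx) {
    if (idx < PUBLIC_LEN)
        probe_touches[victim.pub[idx]]++;
}

/* Hardening 1: branchless clamping, the arithmetic behind the Linux kernel's
 * array_index_nospec(). idx < size: both terms have a clear sign bit, ~(...) is
 * negative, the arithmetic shift yields all ones. idx >= size: size-1-idx wraps
 * negative, the mask is 0 and the load hits pub[0]. Relies on arithmetic right
 * shift of negative values, which GCC, Clang and MSVC all implement. */
size_t index_mask_nospec(size_t idx, size_t size) {
    return (size_t)(~(intptr_t)(idx | (size - 1u - idx))
                    >> (sizeof(intptr_t) * CHAR_BIT - 1));
}

void gadget_masked(size_t idx) {
    if (idx < PUBLIC_LEN) {
        /* Hide idx from the optimizer so it cannot fold the mask to all ones
         * using the compare above (what OPTIMIZER_HIDE_VAR does in the kernel). */
        __asm__("" : "+r"(idx));
        idx &= index_mask_nospec(idx, PUBLIC_LEN);
        probe_touches[victim.pub[idx]]++;
    }
}

/* Hardening 2: a speculation barrier after the check. LFENCE makes later
 * instructions wait until the compare has completed, so the load cannot issue
 * on a mispredicted path. Cheap per gadget, costly across every bounds check. */
static inline void speculation_barrier(void) {
#if defined(__x86_64__)
    __asm__ __volatile__("lfence" ::: "memory");
#else
    /* Other ISAs need their own sequence (Arm: CSDB with a conditional select),
     * not shown; this fallback only stops compiler reordering. */
    __asm__ __volatile__("" ::: "memory");
#endif
}

void gadget_fenced(size_t idx) {
    if (idx < PUBLIC_LEN) {
        speculation_barrier();
        probe_touches[victim.pub[idx]]++;
    }
}

/* Slot the body touches on the mispredicted path, without and with the mask. */
int slot_on_mispredict_unsafe(size_t idx) { return transient_load(idx); }
int slot_on_mispredict_masked(size_t idx) {
    return transient_load(idx & index_mask_nospec(idx, PUBLIC_LEN));
}

/* Receiver: the slot with the most touches, or -1 if none was touched. */
int receiver_hot_slot(void) {
    int best = -1; uint32_t best_count = 0;
    for (int i = 0; i < 256; i++)
        if (probe_touches[i] > best_count) { best_count = probe_touches[i]; best = i; }
    return best;
}

void receiver_reset(void) { for (int i = 0; i < 256; i++) probe_touches[i] = 0; }

int main(void) {
    receiver_reset(); gadget_unsafe(5);
    int unsafe_slot = receiver_hot_slot();                /* 5 */
    receiver_reset(); gadget_fenced(5);
    int fenced_slot = receiver_hot_slot();                /* 5 */
    int leaked = slot_on_mispredict_unsafe(PUBLIC_LEN);   /* 'S' */
    int clamped = slot_on_mispredict_masked(PUBLIC_LEN);  /* 0 */
    return (unsafe_slot == 5 && fenced_slot == 5 && leaked == 'S' && clamped == 0) ? 0 : 1;
}
```

In bounds, all three gadgets signal the same slot, so none of the mitigations changes architectural behaviour. For idx == PUBLIC_LEN, the unmasked body would load the first byte of secret[] and mark slot 'S', which a Flush+Reload receiver would recover; the mask forces that load to pub[0], and the fence prevents it from issuing at all. The masking form is the one to prefer where the gadget sits on a hot path, since it adds a few ALU operations instead of serialising the pipeline.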



Author information

Corresponding author: Chester Rebeiro


Copyright information

© 2022 Springer Nature Singapore Pte Ltd.

About this entry


Cite this entry

Singh, N., Ganesan, V., Rebeiro, C. (2022). Secure Processor Architectures. In: Chattopadhyay, A. (eds) Handbook of Computer Architecture. Springer, Singapore. https://doi.org/10.1007/978-981-15-6401-7_10-1


  • DOI: https://doi.org/10.1007/978-981-15-6401-7_10-1


  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-15-6401-7

  • Online ISBN: 978-981-15-6401-7

