Title: Ghostbusting: mitigating spectre with intraprocess memory isolation
Authors: Ira Jenkins, Prashant Anantharaman, Rebecca Shapiro, J. Peter Brady, Sergey Bratus, Sean Smith
DOI: 10.1145/3384217.3385627 (https://doi.org/10.1145/3384217.3385627)
Venue: Proceedings of the 7th Symposium on Hot Topics in the Science of Security
Published: 2020-08-25
Citations: 10
Abstract
Spectre attacks have drawn much attention since their announcement. Speculative execution creates so-called transient instructions, those whose results are ephemeral and not committed architecturally. However, various side channels exist to extract these transient results from the microarchitecture, e.g., caches. Spectre Variant 1, the so-called Bounds Check Bypass, was the first such attack to be demonstrated. Leveraging transient read instructions and cache-timing effects, the adversary can read secret data. In this work, we explore the ability of intraprocess memory isolation to mitigate Spectre Variant 1 attacks. We demonstrate this using Executable and Linkable Format-based access control (ELFbac), which is a technique for achieving intraprocess memory isolation at the application binary interface (ABI) level. Additionally, we consider Memory Protection Keys (MPKs), a recent extension to Intel processors that partitions virtual pages into security domains. Using the original Spectre proof-of-concept (POC) code, we show how ELFbac and MPKs can be used to thwart Spectre Variant 1 by constructing explicit policies to allow and disallow the exploit. We compare our techniques against the commonly suggested mitigation using serializing instructions, e.g., lfence. Additionally, we consider other Spectre variants based on transient execution that intraprocess memory isolation would naturally mitigate.