通过Runahead的嵌套推测执行攻击

IF 2.7 3区计算机科学 Q2 COMPUTER SCIENCE, HARDWARE & ARCHITECTURE

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems Pub Date : 2025-01-06 DOI:10.1109/TCAD.2025.3526544

Chaoqun Shen;Gang Qu;Jiliang Zhang

{"title":"通过Runahead的嵌套推测执行攻击","authors":"Chaoqun Shen;Gang Qu;Jiliang Zhang","doi":"10.1109/TCAD.2025.3526544","DOIUrl":null,"url":null,"abstract":"Runahead execution is an effective microarchitectural level performance boosting technique. It removes the blocking load instruction with long latency and speculatively executes the subsequent instructions with little pipeline modifications. However, the nature of prefetching data and instructions creates potential security risks similar to Spectre and Meltdown. In this work, we present the first comprehensive analysis of the security implications of runahead execution and report a novel attack, named SPECRUN. SPECRUN exploits the unresolved branch predictions within nested speculative execution during runahead execution. It can manipulate the speculative execution window and hence eliminates the major limitation of Spectre-type attacks: the number of executable transient instructions is limited by the small reorder buffer size. Therefore, SPECRUN can improve the exploitability of transient attacks significantly. To demonstrate this, we implement a proof-of-concept attack that can successfully extract secrets from a victim process. We analyze existing defense techniques and propose new ones against SPECRUN. The effectiveness and overhead of these mitigation mechanisms are carefully discussed to shed light on the security vulnerabilities and defense before the adoption of runahead execution on current and future processors.","PeriodicalId":13251,"journal":{"name":"IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems","volume":"44 7","pages":"2475-2487"},"PeriodicalIF":2.7000,"publicationDate":"2025-01-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"Nested Speculative Execution Attacks via Runahead\",\"authors\":\"Chaoqun Shen;Gang Qu;Jiliang Zhang\",\"doi\":\"10.1109/TCAD.2025.3526544\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Runahead execution is an effective microarchitectural level performance boosting technique. It removes the blocking load instruction with long latency and speculatively executes the subsequent instructions with little pipeline modifications. However, the nature of prefetching data and instructions creates potential security risks similar to Spectre and Meltdown. In this work, we present the first comprehensive analysis of the security implications of runahead execution and report a novel attack, named SPECRUN. SPECRUN exploits the unresolved branch predictions within nested speculative execution during runahead execution. It can manipulate the speculative execution window and hence eliminates the major limitation of Spectre-type attacks: the number of executable transient instructions is limited by the small reorder buffer size. Therefore, SPECRUN can improve the exploitability of transient attacks significantly. To demonstrate this, we implement a proof-of-concept attack that can successfully extract secrets from a victim process. We analyze existing defense techniques and propose new ones against SPECRUN. The effectiveness and overhead of these mitigation mechanisms are carefully discussed to shed light on the security vulnerabilities and defense before the adoption of runahead execution on current and future processors.\",\"PeriodicalId\":13251,\"journal\":{\"name\":\"IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems\",\"volume\":\"44 7\",\"pages\":\"2475-2487\"},\"PeriodicalIF\":2.7000,\"publicationDate\":\"2025-01-06\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://ieeexplore.ieee.org/document/10829581/\",\"RegionNum\":3,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q2\",\"JCRName\":\"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems","FirstCategoryId":"94","ListUrlMain":"https://ieeexplore.ieee.org/document/10829581/","RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE","Score":null,"Total":0}

引用次数: 0

摘要

超前执行是一种有效的微架构级性能提升技术。它删除了具有长延迟的阻塞负载指令，并推测地执行后续指令，几乎没有管道修改。然而，预取数据和指令的本质产生了类似于Spectre和Meltdown的潜在安全风险。在这项工作中，我们首次全面分析了提前执行的安全影响，并报告了一种名为SPECRUN的新型攻击。SPECRUN在运行前执行期间利用嵌套推测执行中未解决的分支预测。它可以操纵推测的执行窗口，从而消除了幽灵型攻击的主要限制：可执行的瞬态指令的数量受到小的重排序缓冲区大小的限制。因此，SPECRUN可以显著提高瞬态攻击的可利用性。为了演示这一点，我们实现了一个概念验证攻击，它可以成功地从受害进程中提取秘密。我们分析了现有的防御技术，并提出了针对SPECRUN的新技术。本文仔细讨论了这些缓解机制的有效性和开销，以便在当前和未来的处理器上采用超前执行之前阐明安全漏洞和防御。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Nested Speculative Execution Attacks via Runahead

Runahead execution is an effective microarchitectural level performance boosting technique. It removes the blocking load instruction with long latency and speculatively executes the subsequent instructions with little pipeline modifications. However, the nature of prefetching data and instructions creates potential security risks similar to Spectre and Meltdown. In this work, we present the first comprehensive analysis of the security implications of runahead execution and report a novel attack, named SPECRUN. SPECRUN exploits the unresolved branch predictions within nested speculative execution during runahead execution. It can manipulate the speculative execution window and hence eliminates the major limitation of Spectre-type attacks: the number of executable transient instructions is limited by the small reorder buffer size. Therefore, SPECRUN can improve the exploitability of transient attacks significantly. To demonstrate this, we implement a proof-of-concept attack that can successfully extract secrets from a victim process. We analyze existing defense techniques and propose new ones against SPECRUN. The effectiveness and overhead of these mitigation mechanisms are carefully discussed to shed light on the security vulnerabilities and defense before the adoption of runahead execution on current and future processors.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 工程技术-工程：电子与电气

CiteScore

5.60

自引率

13.80%

发文量

500

审稿时长

7 months

期刊介绍： The purpose of this Transactions is to publish papers of interest to individuals in the area of computer-aided design of integrated circuits and systems composed of analog, digital, mixed-signal, optical, or microwave components. The aids include methods, models, algorithms, and man-machine interfaces for system-level, physical and logical design including: planning, synthesis, partitioning, modeling, simulation, layout, verification, testing, hardware-software co-design and documentation of integrated circuit and system designs of all complexities. Design tools and techniques for evaluating and designing integrated circuits and systems for metrics such as performance, power, reliability, testability, and security are a focus.