SpecTerminator: Blocking Speculative Side Channels Based on Instruction Classes on RISC-V

Abstract

In modern processors, speculative execution has significantly improved the performance of processors, but it has also introduced speculative execution vulnerabilities. Recent defenses are based on the delayed execution to block various speculative side channels, but we show that several of the current state-of-the-art defenses fail to block some of the available speculative side channels, and the current most secure defense introduces a performance overhead of up to 24.5%. We propose SpecTerminator, the first defense framework based on instruction classes that can comprehensively and precisely block all existing speculative side channels. In SpecTerminator, a novel speculative side channel classification scheme based on the features of secret transmission is proposed, and the sensitive instructions in the speculative window are classified and identified using optimized hardware taint tracking and instruction masking techniques to accurately determine the scope of leakage. Then, according to the execution characteristics of these instructions, dedicated delayed execution strategies, such as TLB request ignoring, selective issue, and extended delay-on-miss, are designed for each type of sensitive instruction to precisely control that these instructions are delayed only in pipeline stages that are at risk of leakage. In contrast to previous defenses based on the Gem5 simulator, we have innovatively implemented defenses against Spectre attacks based on the open-source instruction set RISC-V on an FPGA-accelerated simulation platform that is more similar to real hardware. To evaluate the security of SpecTerminator, we have replicated various existing x86-based Spectre variants on RISC-V. On SPEC 2006, SpecTerminator defends against Spectre attacks based on memory hierarchy side channels with a performance overhead of 2.6% and against all existing Spectre attacks with a performance overhead of 6.0%.