Specfuscator: Evaluating Branch Removal as a Spectre Mitigation

Martin Schwarzl; Claudio Alberto Canella; Daniel Gruss; Michael Schwarz

doi:10.1007/978-3-662-64322-8_14

Specfuscator: Evaluating Branch Removal as a Spectre Mitigation

Martin Schwarzl, Claudio Alberto Canella, Daniel Gruss, Michael Schwarz

Institut für Angewandte Informationsverarbeitung und Kommunikationstechnologie (7050)

Publikation: Beitrag in Buch/Bericht/Konferenzband › Beitrag in einem Konferenzband › Begutachtung

Abstract

Attacks exploiting speculative execution, known as Spectre
attacks, have gained substantial attention in the scientific community
and in industry with a broad range of defense techniques proposed. In
particular, in-software defenses for commodity systems attempt to leave
the program structure as is, but defuse every potential Spectre gadget
by, e.g., stopping the speculation, or limiting value ranges. While these
mitigations disrupt the program flow on every conditional branch, they
still contain every single conditional branch instruction.
In this paper, we show that one dimension of Spectre mitigations has
been overlooked entirely. We explore a novel principled Spectre mitiga-
tion that sits at the other end of the scale: the absence of conditional and
indirect branches. Our mitigation is based on automatically linearizing
the program flow through a special compiler pass, eliminating all condi-
tional and indirect branches. We show that our Spectre mitigation has
very clear security guarantees. We explore the feasibility of this unortho-
dox approach and evaluate its performance in comparison to the more
conservative approaches presented so far. We observe that the perfor-
mance overhead can be low, e.g., 5 %, for certain use cases, being on-par
with state-of-the-art mitigations, but very high for other use cases, e.g.,
and overhead factor of 1000. Our results demonstrate the feasibility of
Spectre defenses that eliminate branches and indicate good performance-
security trade-offs for Spectre defenses can be achieved by sticking to
neither of the extremes.

Originalsprache	englisch
Titel	Financial Cryptography and Data Security - 25th International Conference, FC 2021, Revised Selected Papers
Redakteure/-innen	Nikita Borisov, Claudia Diaz
Seiten	293-310
Seitenumfang	18
ISBN (elektronisch)	978-3-662-64322-8
DOIs	https://doi.org/10.1007/978-3-662-64322-8_14
Publikationsstatus	Veröffentlicht - 2021
Veranstaltung	25th International Conference on Financial Cryptography and Data Security: FC 2021 - Virtual conference, Virtual Dauer: 1 März 2021 → 5 März 2021 https://fc21.ifca.ai/

Publikationsreihe

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Band	12674 LNCS
ISSN (Print)	0302-9743
ISSN (elektronisch)	1611-3349

Konferenz

Konferenz	25th International Conference on Financial Cryptography and Data Security
Ort	Virtual
Zeitraum	1/03/21 → 5/03/21
Internetadresse	https://fc21.ifca.ai/

ASJC Scopus subject areas

Theoretische Informatik
Allgemeine Computerwissenschaft

Zugriff auf Dokument

10.1007/978-3-662-64322-8_14

specfuscatorAkzeptiertes Autorenmanuskript, 263 KB

Andere Dateien und Links

http://www.scopus.com/inward/record.url?scp=85118921415&partnerID=8YFLogxK

EU - SOPHIA - Absicherung von Software gegen Physische Angriffe
Mangard, S.
1/09/16 → 31/08/21
Projekt: Forschungsprojekt

Dieses zitieren

Schwarzl, M., Canella, C. A., Gruss, D., & Schwarz, M. (2021). Specfuscator: Evaluating Branch Removal as a Spectre Mitigation. in N. Borisov, & C. Diaz (Hrsg.), Financial Cryptography and Data Security - 25th International Conference, FC 2021, Revised Selected Papers (S. 293-310). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Band 12674 LNCS). https://doi.org/10.1007/978-3-662-64322-8_14

Specfuscator: Evaluating Branch Removal as a Spectre Mitigation. / Schwarzl, Martin; Canella, Claudio Alberto; Gruss, Daniel et al.
Financial Cryptography and Data Security - 25th International Conference, FC 2021, Revised Selected Papers. Hrsg. / Nikita Borisov; Claudia Diaz. 2021. S. 293-310 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Band 12674 LNCS).

Publikation: Beitrag in Buch/Bericht/Konferenzband › Beitrag in einem Konferenzband › Begutachtung

Schwarzl, M, Canella, CA, Gruss, D & Schwarz, M 2021, Specfuscator: Evaluating Branch Removal as a Spectre Mitigation. in N Borisov & C Diaz (Hrsg.), Financial Cryptography and Data Security - 25th International Conference, FC 2021, Revised Selected Papers. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Bd. 12674 LNCS, S. 293-310, 25th International Conference on Financial Cryptography and Data Security, Virtual, 1/03/21. https://doi.org/10.1007/978-3-662-64322-8_14

Schwarzl M, Canella CA, Gruss D, Schwarz M. Specfuscator: Evaluating Branch Removal as a Spectre Mitigation. in Borisov N, Diaz C, Hrsg., Financial Cryptography and Data Security - 25th International Conference, FC 2021, Revised Selected Papers. 2021. S. 293-310. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-662-64322-8_14

Schwarzl, Martin ; Canella, Claudio Alberto ; Gruss, Daniel et al. / Specfuscator: Evaluating Branch Removal as a Spectre Mitigation. Financial Cryptography and Data Security - 25th International Conference, FC 2021, Revised Selected Papers. Hrsg. / Nikita Borisov ; Claudia Diaz. 2021. S. 293-310 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{8b64a3466fca45cd9c43ab28a782835d,

title = "Specfuscator: Evaluating Branch Removal as a Spectre Mitigation",

abstract = "Attacks exploiting speculative execution, known as Spectreattacks, have gained substantial attention in the scientific communityand in industry with a broad range of defense techniques proposed. Inparticular, in-software defenses for commodity systems attempt to leavethe program structure as is, but defuse every potential Spectre gadgetby, e.g., stopping the speculation, or limiting value ranges. While thesemitigations disrupt the program flow on every conditional branch, theystill contain every single conditional branch instruction.In this paper, we show that one dimension of Spectre mitigations hasbeen overlooked entirely. We explore a novel principled Spectre mitiga-tion that sits at the other end of the scale: the absence of conditional andindirect branches. Our mitigation is based on automatically linearizingthe program flow through a special compiler pass, eliminating all condi-tional and indirect branches. We show that our Spectre mitigation hasvery clear security guarantees. We explore the feasibility of this unortho-dox approach and evaluate its performance in comparison to the moreconservative approaches presented so far. We observe that the perfor-mance overhead can be low, e.g., 5 %, for certain use cases, being on-parwith state-of-the-art mitigations, but very high for other use cases, e.g.,and overhead factor of 1000. Our results demonstrate the feasibility ofSpectre defenses that eliminate branches and indicate good performance-security trade-offs for Spectre defenses can be achieved by sticking toneither of the extremes.",

author = "Martin Schwarzl and Canella, {Claudio Alberto} and Daniel Gruss and Michael Schwarz",

year = "2021",

doi = "10.1007/978-3-662-64322-8_14",

language = "English",

isbn = "978-3-662-64321-1",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

pages = "293--310",

editor = "Nikita Borisov and Claudia Diaz",

booktitle = "Financial Cryptography and Data Security - 25th International Conference, FC 2021, Revised Selected Papers",

note = "25th International Conference on Financial Cryptography and Data Security : FC 2021 ; Conference date: 01-03-2021 Through 05-03-2021",

url = "https://fc21.ifca.ai/",

}

TY - GEN

T1 - Specfuscator: Evaluating Branch Removal as a Spectre Mitigation

AU - Schwarzl, Martin

AU - Canella, Claudio Alberto

AU - Gruss, Daniel

AU - Schwarz, Michael

PY - 2021

Y1 - 2021

N2 - Attacks exploiting speculative execution, known as Spectreattacks, have gained substantial attention in the scientific communityand in industry with a broad range of defense techniques proposed. Inparticular, in-software defenses for commodity systems attempt to leavethe program structure as is, but defuse every potential Spectre gadgetby, e.g., stopping the speculation, or limiting value ranges. While thesemitigations disrupt the program flow on every conditional branch, theystill contain every single conditional branch instruction.In this paper, we show that one dimension of Spectre mitigations hasbeen overlooked entirely. We explore a novel principled Spectre mitiga-tion that sits at the other end of the scale: the absence of conditional andindirect branches. Our mitigation is based on automatically linearizingthe program flow through a special compiler pass, eliminating all condi-tional and indirect branches. We show that our Spectre mitigation hasvery clear security guarantees. We explore the feasibility of this unortho-dox approach and evaluate its performance in comparison to the moreconservative approaches presented so far. We observe that the perfor-mance overhead can be low, e.g., 5 %, for certain use cases, being on-parwith state-of-the-art mitigations, but very high for other use cases, e.g.,and overhead factor of 1000. Our results demonstrate the feasibility ofSpectre defenses that eliminate branches and indicate good performance-security trade-offs for Spectre defenses can be achieved by sticking toneither of the extremes.

AB - Attacks exploiting speculative execution, known as Spectreattacks, have gained substantial attention in the scientific communityand in industry with a broad range of defense techniques proposed. Inparticular, in-software defenses for commodity systems attempt to leavethe program structure as is, but defuse every potential Spectre gadgetby, e.g., stopping the speculation, or limiting value ranges. While thesemitigations disrupt the program flow on every conditional branch, theystill contain every single conditional branch instruction.In this paper, we show that one dimension of Spectre mitigations hasbeen overlooked entirely. We explore a novel principled Spectre mitiga-tion that sits at the other end of the scale: the absence of conditional andindirect branches. Our mitigation is based on automatically linearizingthe program flow through a special compiler pass, eliminating all condi-tional and indirect branches. We show that our Spectre mitigation hasvery clear security guarantees. We explore the feasibility of this unortho-dox approach and evaluate its performance in comparison to the moreconservative approaches presented so far. We observe that the perfor-mance overhead can be low, e.g., 5 %, for certain use cases, being on-parwith state-of-the-art mitigations, but very high for other use cases, e.g.,and overhead factor of 1000. Our results demonstrate the feasibility ofSpectre defenses that eliminate branches and indicate good performance-security trade-offs for Spectre defenses can be achieved by sticking toneither of the extremes.

UR - http://www.scopus.com/inward/record.url?scp=85118921415&partnerID=8YFLogxK

U2 - 10.1007/978-3-662-64322-8_14

DO - 10.1007/978-3-662-64322-8_14

M3 - Conference paper

SN - 978-3-662-64321-1

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 293

EP - 310

BT - Financial Cryptography and Data Security - 25th International Conference, FC 2021, Revised Selected Papers

A2 - Borisov, Nikita

A2 - Diaz, Claudia

T2 - 25th International Conference on Financial Cryptography and Data Security

Y2 - 1 March 2021 through 5 March 2021

ER -

Specfuscator: Evaluating Branch Removal as a Spectre Mitigation

Abstract

Publikationsreihe

Konferenz

ASJC Scopus subject areas

Zugriff auf Dokument

Andere Dateien und Links

Fingerprint

Projekte

EU - SOPHIA - Absicherung von Software gegen Physische Angriffe

Dieses zitieren