ConTExT: A Generic Approach for Mitigating Spectre

Michael Schwarz, Moritz Lipp, Claudio Alberto Canella, Robert Schilling, Florian Kargl, Daniel Gruß

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

Abstract

Out-of-order execution and speculative execution are among the biggest contributors to performance and efficiency of modern processors. However, they are inconsiderate, leaking secret data during the transient execution of instructions. Many solutions and hardware fixes have been proposed for mitigating transient-execution attacks. However, they either do not eliminate the leakage entirely or introduce unacceptable performance penalties.

In this paper, we propose ConTExT, a Considerate Transient Execution Technique. ConTExT is a minimal and fully backward compatible architecture change. The basic idea of ConTExT is that secrets can enter registers but not transiently leave them. ConTExT transforms Spectre from a problem that cannot be solved purely in software, to a problem that is not easy to solve, but solvable in software. For this, ConTExT requires minimal, fully backward-compatible modifications of applications, compilers, operating systems, and the hardware. ConTExT offers full protection for secrets in memory and secrets in registers. With ConTExT-light, we propose a software-only solution of ConTExT for existing commodity CPUs protecting secrets in memory. We evaluate the security and performance of ConTExT. Even when over-approximating with ConTExT-light, we observe no performance overhead for unprotected code and data, and an overhead between 0% and 338% for security-critical applications while protecting against all Spectre variants.

Original language: English
Title of host publication: Network and Distributed System Security Symposium 2020
Number of pages: 18
Publication status: Published - Feb 2020
Event: Network and Distributed System Security Symposium 2020 - San Diego, United States
Duration: 23 Feb 2020 to 26 Feb 2020

Conference

Conference: Network and Distributed System Security Symposium 2020
Abbreviated title: NDSS
Country/Territory: United States
City: San Diego
Period: 23/02/20 to 26/02/20

ASJC Scopus subject areas

  • Computer Science (all)
