Systematic Prevention of On-Core Timing Channels by Full Temporal Partitioning
Nils Wistoff, Moritz Schneider, Frank K. Gürkaynak, Gernot Heiser, Luca Benini

TL;DR
This paper introduces a hardware-supported temporal fence instruction for RISC-V to systematically prevent microarchitectural timing channels, demonstrating effective implementation with minimal performance impact.
Contribution
It proposes the fence.t instruction for RISC-V, enabling systematic erasure of microarchitectural state to prevent timing channels, with practical implementations on seL4 and CVA6.
Findings
Complete erasure of microarchitectural state is most effective.
Implementation overhead is less than 1%.
Hardware costs are negligible.
Abstract
Microarchitectural timing channels enable unwanted information flow across security boundaries, violating fundamental security assumptions. They leverage timing variations of several state-holding microarchitectural components and have been demonstrated across instruction set architectures and hardware implementations. Analogously to memory protection, Ge et al. have proposed time protection for preventing information leakage via timing channels. They also showed that time protection calls for hardware support. This work leverages the open and extensible RISC-V instruction set architecture (ISA) to introduce the temporal fence instruction fence.t, which provides the required mechanisms by clearing vulnerable microarchitectural state and guaranteeing a history-independent context-switch latency. We propose and discuss three different implementations of fence.t and implement them on an…
