Mitigating Speculation-based Attacks through Configurable Hardware/Software Co-design

TL;DR

This paper introduces SpecControl, a hardware/software co-design that enhances security against speculation-based attacks while significantly reducing performance overhead through a flexible communication interface for precise control.

Contribution

SpecControl provides a novel communication interface enabling dynamic, fine-grained control over speculative execution, improving security and performance compared to existing solutions.

Findings

SpecControl reduces mitigation overhead from over 50% to 23%.

It effectively defends against known and new speculative fetch attacks.

The approach enables flexible, targeted security measures without hardware modifications.

Abstract

New speculation-based attacks that affect large numbers of modern systems are disclosed regularly. Currently, CPU vendors regularly fall back to heavy-handed mitigations like using barriers or enforcing strict programming guidelines resulting in significant performance overhead. What is missing is a solution that allows for efficient mitigation and is flexible enough to address both current and future speculation vulnerabilities, without additional hardware changes. In this work, we present SpecControl, a novel hardware/software co-design, that enables new levels of security while reducing the performance overhead that has been demonstrated by state-of-the-art methodologies. SpecControl introduces a communication interface that allows compilers and application developers to inform the hardware about true branch dependencies, confidential control-flow instructions, and fine-grained instruction constraints in order to apply restrictions only when necessary. We evaluate SpecControl against known speculative execution attacks and in addition, present a new speculative fetch attack variant on the Pattern History Table (PHT) in branch predictors that shows how similar previously reported vulnerabilities are more dangerous by enabling unprivileged attacks, especially with the state-of-the-art branch predictors. SpecControl provides stronger security guarantees compared to the existing defenses while reducing the performance overhead of two state-of-the-art defenses from 51% and 43% to just 23%.