A Scheduling-Aware Defense Against Prefetching-Based Side-Channel Attacks

TL;DR

This paper introduces PreFence, a scheduling-aware defense mechanism that temporarily disables CPU prefetchers during security-critical operations to prevent prefetch-based side-channel attacks, with minimal performance impact.

Contribution

The work systematizes prefetch-based side-channel vulnerabilities and presents PreFence, a novel, adaptable countermeasure for x86_64 and ARM processors that effectively mitigates these attacks.

Findings

PreFence reliably stops prefetch leakage.

Negligible performance impact during security-critical operations.

Effective on x86_64 and ARM architectures.

Abstract

Modern computer processors use microarchitectural optimization mechanisms to improve performance. As a downside, such optimizations are prone to introducing side-channel vulnerabilities. Speculative loading of memory, called prefetching, is common in real-world CPUs and may cause such side-channel vulnerabilities: Prior work has shown that it can be exploited to bypass process isolation and leak secrets, such as keys used in RSA, AES, and ECDH implementations. However, to this date, no effective and efficient countermeasure has been presented that secures software on systems with affected prefetchers. In this work, we answer the question: How can a process defend against prefetch-based side channels? We first systematize prefetching-based side-channel vulnerabilities presented in academic literature so far. Next, we design and implement PreFence, a scheduling-aware defense against these side channels that allows processes to disable the prefetcher temporarily during security-critical operations. We implement our countermeasure for an x86_64 and an ARM processor; it can be adapted to any platform that allows to disable the prefetcher. We evaluate our defense and find that our solution reliably stops prefetch leakage. Our countermeasure causes negligible performance impact while no security-relevant code is executed, and its worst case performance is comparable to completely turning off the prefetcher. The expected average performance impact depends on the security-relevant code in the application and can be negligible as we demonstrate with a simple web server application. We expect our countermeasure could widely be integrated in commodity OS, and even be extended to signal generally security-relevant code to the kernel to allow coordinated application of countermeasures.