12/14/2018 David Mercer, Illinois Computer Science
To work quickly and efficiently, processors rely on speculative execution, making what are essentially educated guesses about which instructions to execute next. But speculative execution carries a security flaw that opened the door to Spectre, Meltdown, and other attacks that set off alarms in the computing world over the past year.
Chip makers have released patches to address many of those vulnerabilities, but they are only partial solutions and hamper performance.
“They have come out with halfway solutions, such as changing your hardware to stop at a branch rather than speculate,” said Willett Faculty Scholar and Professor Josep Torrellas. “But (with those defenses) performance suffers substantially.”
A solution proposed by the three Illinois Computer Science researchers and colleagues from two other universities, however, has the potential to provide a better, more permanent fix, while retaining high performance. Intel is funding their work with a $1.5 million, three-year grant.
The idea is to keep speculative execution out of sight, hidden from attackers, according to Computer Science Assistant Professor Christopher Fletcher. He is a co-PI for the research, along with Torrellas and Professor Darko Marinov from Illinois CS, Assistant Professor Adam Morrison from the University of Tel Aviv, and Assistant Professor Mohit Tiwari of the University of Texas.
“We call it invisible speculation, or InvisiSpec,” Fletcher said.
Attackers monitor the footprint left in a processor’s microarchitecture by speculative execution for clues to a thread’s actions. One of the easier-to-gather clues comes from the state left by the victim program in the memory subsystem.
To make speculative execution invisible, InvisiSpec has speculative loads that read data into a new buffer instead of the caches. That means nothing is modified in the memory system and no footprint is left behind. When that speculative load is deemed safe, it is made visible to the rest of the system.
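The mechanism described above, as an added toy model that is not the researchers' simulator or code: a tiny LRU cache stands in for the memory system, a squashed speculative load either fills the cache (baseline) or only a private buffer (InvisiSpec), and an observer then checks which probe lines are cached. The line size, cache capacity and `victim_then_probe` helper are constructed for the illustration.

```python
"""Toy model of one core's data cache with and without InvisiSpec-style
speculative buffering (constructed illustration, not the paper's simulator)."""
from collections import OrderedDict

LINE = 64  # bytes per cache line (constructed value)


class Cache:
    """Tiny fully-associative LRU cache; its contents are the 'footprint'."""
    def __init__(self, capacity=8):
        self.capacity = capacity
        self.lines = OrderedDict()

    def fill(self, addr):
        line = addr // LINE
        if line in self.lines:
            self.lines.move_to_end(line)
        else:
            if len(self.lines) >= self.capacity:
                self.lines.popitem(last=False)  # evict least recently used
            self.lines[line] = True

    def contains(self, addr):
        return addr // LINE in self.lines


class Core:
    def __init__(self, cache, invisispec):
        self.cache = cache
        self.invisispec = invisispec
        self.spec_buffer = set()  # per-core buffer, invisible to the memory system

    def spec_load(self, addr):
        """A load issued while the instruction is still speculative."""
        if self.invisispec:
            self.spec_buffer.add(addr)  # data held privately, cache untouched
        else:
            self.cache.fill(addr)  # baseline: cache is modified right away

    def resolve(self, addr, safe):
        """Speculation resolves: squash (safe=False) or make visible (safe=True)."""
        self.spec_buffer.discard(addr)
        if safe and self.invisispec:
            self.cache.fill(addr)  # only now may the load leave a footprint


def victim_then_probe(invisispec, secret, safe=False, nprobe=4):
    """Victim speculatively loads a line indexed by `secret`; afterwards an
    observer checks which of `nprobe` probe lines are cached (constructed)."""
    cache = Cache()
    core = Core(cache, invisispec)
    core.spec_load(secret * LINE)
    core.resolve(secret * LINE, safe=safe)
    return {i for i in range(nprobe) if cache.contains(i * LINE)}
```

With the baseline, the squashed load still leaves line 2 cached, so the secret index is recoverable from the footprint; with InvisiSpec the footprint is empty until the load is deemed safe.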
The researchers say their work has three key advantages over previous defenses:
- No need to change the program in any way;
- No need to separate the victim and adversary into different security domains;
- A potentially complete solution to speculative execution attacks.
Simulations conducted by the researchers found their approach had a much less drastic effect on performance than previously deployed, partial defenses. The paper on InvisiSpec was presented at the International Symposium on Microarchitecture in Fukuoka, Japan in October 2018.
Next the researchers hope to build on their existing work, looking for ways to make InvisiSpec more efficient. One idea is to find ways to judge some types of loads to be inherently safe, so they can be treated as they traditionally have been by processors.
"We are first exploring a static analysis, similar to what a compiler does," Marinov said.
The project also has the benefit of strengthening ties between Illinois Computer Science and Intel, the researchers noted.