Microarchitectural Side-Channel Attacks And Defenses Based On Runahead Execution

Posted on: 2023-01-13
Degree: Master
Type: Thesis
Country: China
Candidate: D Luo
Full Text: PDF
GTID: 2568307097485504
Subject: Computer technology

Abstract/Summary:
To address the memory wall, which seriously limits processor speed, various memory-level parallelism techniques have been proposed one after another. Among them, Runahead execution executes in advance the instructions that are blocked in the pipeline, which improves processor performance while requiring little modification to the pipeline, so it has received a lot of attention in the field of processor microarchitecture. However, because of the processor's performance optimizations, secret data may be maliciously loaded into the cache in advance during execution, and when the processor detects an error or failure and rolls back, it cannot clean up the data that has already been loaded into the cache. Attackers can use covert channels to recover that data, creating the risk of data breaches. Runahead execution improves processor performance by prefetching data and instructions, and the risk of data leakage that it may bring cannot be ignored. Therefore, this paper studies side-channel attacks and defenses targeting the security problems of Runahead execution.

First, we propose a non-transient and a transient speculative execution attack based on Runahead execution. The core idea is that the attacker arranges in advance for the processor to enter Runahead mode and then recovers, through a covert channel, the data that the victim loaded into the cache in Runahead mode. The attacks proposed in this paper have unique advantages: the non-transient speculative execution attack does not require poisoning components, which reduces the difficulty of implementing the attack; the transient speculative execution attack increases the number of unsafe fragments that can be exploited in real attacks, which enhances the danger of the attack. At the same time, the attacker can control when the processor is in Runahead mode, so the speculative execution attack based on Runahead execution can be replayed, which improves the accuracy of the attack. Experimental verification shows that Runahead execution does have security problems and will leak data.

Second, in order to reduce the risk of data leakage through Runahead execution and to provide a security perspective for the design of Runahead execution, this paper designs a lightweight defense technology. The core idea is to add a speculative load (SL) cache based on process isolation, whose mapping takes the address, a key and the process ID as input. When the processor loads data, it first searches the speculative load cache. If the data hits, it is loaded into the L1 cache. If the data misses, the processor then searches the L1 cache, which is the same as the normal data loading process. To reduce the impact of the SL cache on performance, a counter is added to count the data put into the SL cache, which reduces unnecessary accesses by the processor to the SL cache.
Keywords/Search Tags:Runahead Execution, Microarchitecture, Side-Channel Attacks, Side-Channel Defense Technology
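
The lookup order and counter described in the abstract, as a behavioral model added here for illustration; it is not code from the thesis. Assumptions: loads issued in Runahead mode fill the SL cache instead of L1, the address/key/process-ID mapping is a keyed hash, and the names `SLCacheModel`, `runahead_load`, `load` and `demo` are hypothetical.

```python
import hashlib

class SLCacheModel:
    """Behavioral model: SL cache is searched before L1 on every normal load."""

    def __init__(self, key: bytes):
        self.key = key        # secret mixed into the SL mapping (value is constructed)
        self.sl = {}          # SL cache: tag -> data
        self.l1 = {}          # L1 model: address -> data
        self.sl_count = 0     # counter of lines currently held in the SL cache
        self.sl_lookups = 0   # statistic: how many times the SL cache was searched

    def _tag(self, pid: int, addr: int) -> bytes:
        # The mapping takes address, key and process ID; the keyed hash is an assumption.
        msg = pid.to_bytes(4, "little") + addr.to_bytes(8, "little")
        return hashlib.blake2b(msg, key=self.key, digest_size=8).digest()

    def runahead_load(self, pid, addr, memory):
        # Assumption: a load issued in Runahead mode fills the SL cache, not L1.
        tag = self._tag(pid, addr)
        if tag not in self.sl:
            self.sl[tag] = memory[addr]
            self.sl_count += 1

    def load(self, pid, addr, memory):
        """Normal-mode load; returns (data, level that served it)."""
        if self.sl_count > 0:                 # counter gates the extra SL search
            self.sl_lookups += 1
            tag = self._tag(pid, addr)
            if tag in self.sl:                # SL hit: move the line into L1
                self.l1[addr] = self.sl.pop(tag)
                self.sl_count -= 1
                return self.l1[addr], "SL"
        if addr in self.l1:                   # SL miss: normal L1 lookup
            return self.l1[addr], "L1"
        self.l1[addr] = memory[addr]          # L1 miss: fill from memory
        return self.l1[addr], "MEM"

def demo():
    memory = {0x1000: 0xAA, 0x2000: 0xBB}     # constructed sample memory
    victim, other = 1, 2                      # constructed process IDs
    m = SLCacheModel(key=b"constructed-key")
    first = m.load(other, 0x2000, memory)     # counter is 0, SL search skipped
    skipped = m.sl_lookups == 0
    m.runahead_load(victim, 0x1000, memory)   # victim's Runahead-mode load
    probe = m.load(other, 0x1000, memory)     # other process sees no cached line
    owner = m.load(victim, 0x1000, memory)    # owning process hits the SL cache
    return {"first": first, "skipped": skipped, "probe": probe,
            "owner": owner, "sl_count": m.sl_count}
```

In this model a probe from a different process ID is served from memory even though the victim's Runahead-mode load already fetched the line, while the owning process is served from the SL cache and the counter returns to zero.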