Risky Translations: Securing TLBs against Timing Side Channels

Florian Stolz, Jan Philipp Thoma, Pascal Sasdrich, T. Güneysu
DOI: 10.46586/tches.v2023.i1.1-31 (https://doi.org/10.46586/tches.v2023.i1.1-31)
Journal: IACR Trans. Cryptogr. Hardw. Embed. Syst., volume 40 1, pages 1-31
Publication type: Journal Article
Publication date: 2022-11-29
Citations: 2

Abstract

Microarchitectural side-channel vulnerabilities in modern processors are known to be a powerful attack vector that can be utilized to bypass common security boundaries like memory isolation. As shown by recent variants of transient execution attacks related to Spectre and Meltdown, those side channels allow data to be leaked from the microarchitecture to the observable architectural state. The vast majority of attacks currently build on the cache-timing side channel, since it is easy to exploit and provides a reliable, fine-grained communication channel. Therefore, many proposals for side-channel secure cache architectures have been made. However, caches are not the only source of side-channel leakage in modern processors, and mitigating the cache side channel will inevitably lead to attacks exploiting other side channels. In this work, we focus on defeating side-channel attacks based on page translations. It has been shown that the Translation Lookaside Buffer (TLB) can be exploited in a very similar fashion to caches. Since the main caches and the TLB share many features in their architectural design, the question arises whether existing countermeasures against cache-timing attacks can be used to secure the TLB. We analyze state-of-the-art proposals for side-channel secure cache architectures and investigate their applicability to TLB side channels. We find that those cache countermeasures are not directly applicable to TLBs, and propose TLBcoat, a new side-channel secure TLB architecture. We provide evidence of TLB side-channel leakage on RISC-V-based Linux systems, and demonstrate that TLBcoat prevents this leakage. We implement TLBcoat using the gem5 simulator and evaluate its performance using the PARSEC benchmark suite.