Researchers develop SafeSpec to overcome vulnerabilities like Spectre and Meltdown
Computer scientists from the University of California, the College of William and Mary, and Binghamton University have published a paper detailing a new "design principle" that avoids speculative execution vulnerabilities.
Researchers says that the SafeSpec model supports "speculation in a way that is immune to the sidechannel leakage necessary for attacks such as Meltdown and Spectre". Importantly, the design also avoids the problems associated with other Meltdown/Spectre fixes.
- CVE-2018-3665: Floating Point Lazy State Save/Restore vulnerability affects Intel chips
- Spectre and Meltdown variant 4: Microsoft, Google and Intel reveal new Speculative Store Bypass chip vulnerability
- Intel: some processors will never receive Meltdown and Spectre patches
In a paper entitled "SafeSpec: Banishing the Spectre of a Meltdown with Leakage-Free Speculation", six researchers "explore whether speculation can be made leakage free in a principled way, enabling CPUs to retain the performance advantages of speculation while removing the security vulnerabilities that speculation exposes". With this in mind, SafeSpec stores the speculative state "in temporary structures that are not accessible by committed instructions".
The team says in its paper that SafeSpec does not suffer with any of the performance issues associated with Meltdown and Spectre patches, not does it break Google's Retpoline technique for preventing branch-target-injection.
As instructions transition from being speculative to commitable, any speculative state is moved to the permanent structures. On the other hand, if a speculative branch is squashed, the speculative side effects are canceled in place leaving no measurable side effects in the permanent structures and closing the vulnerability exploited by speculation attacks.
Importantly, SafeSpec protects not only against the known variants of Spectre and Meltdown, but also new variants developed by the researchers as part of its work -- and the team says that using the design actually helped to improve CPU performance.
The principle relies on leaving speculative state in shadow structures, and only committing this state once the instructions that generate them are guaranteed to commit. Thus, side-effects of misspeculation are hidden from the primary structures of the CPU, closing the vulnerability.
We applied the principle to protecting caches and TLBs of the CPU, which are the primary leakage vectors used in published speculation attacks. Our design completely closes all three published attacks, as well as new variants that we developed to leak through the I-cache or the TLBs. We showed that careful design is needed to prevent a form of leakage that can arise while instructions share the speculative state. We mitigate this leakage by sizing the speculative state conservatively. Constructed this way, transient attacks also become impractical.
There is still work to do, and you should not expect to see speculative execution vulnerabilities wiped about in the near future. However, the researchers believe that the design "represents a first step in many towards a principled protection"against such vulnerabilities.