M.Sc Thesis


M.Sc StudentBerkenstadt Alon
SubjectImproving Speculative Execution Attack Mitigations
via Mitigation-Aware Compliation
DepartmentDepartment of Electrical and Computer Engineering
Supervisors ASSOCIATE PROF. Mark Silberstein
DR. Yakir Vizel
Full Thesis textFull thesis text - English Version


Abstract

In the pursuit of high-performance computer systems, CPU designers apply various optimizations for better throughput and resource utilization. Those optimizations do increase performance significantly and might seem, in every other sense, transparent to a naive user. But in fact, hardware optimizations in CPUs can be used to compromise the security in computer systems.

Trusted execution environments (TEEs) rely on trusted CPUs as the foundation of integrity and confidentiality in computer systems. However, recent disclosures demonstrate how transient execution attacks can jeopardize security properties. An attacker can exploit Spectre, Meltdown, and other transient execution vulnerabilities to execute arbitrary code and leak secret data, leaving TEEs vulnerable.

Unfortunately, not all such vulnerabilities are planned to be mitigated in hardware any time soon, and novel vulnerabilities are still being discovered without the ability to fix the already manufactured hardware. Thus, software mitigation is often the only immediate solution. Software-based techniques that harden the code to prevent undesirable misspeculation side-effects are the only way to protect against such attacks until hardware gets patched.

The rapid evolution of software mitigations has led to the development of many tools, techniques, and compiler modifications, but they are typically added as an afterthought, thereby not well-integrated. Each solves a separate vulnerability independently of other mitigations without integrating with the whole code generation pipeline. As a result, the software might have lower performance and be less secure than one would hope.

By our approach, the whole code generation pipe is a tool leveraged to achieve efficient security rather than a constraint, independent of security. We argue that compilation should be more aware of security and mitigations to improve security and efficiency. We support that argument with several issues found in the commodity compiler LLVM. Moreover, we suggest solutions to the issues and showcase the impact on performance and security.

First, we find that some optimizations introduce new vulnerabilities, turning non-vulnerable code into vulnerable. Thus, the order in which mitigations and optimizations are applied affects the security and requires mitigation pass on an optimized version of the code. Otherwise, the mitigation decision made by the compiler may not provide the expected safety. We support that claim with qualitative analysis of specific optimizations and quantitative analysis of full-scale benchmarks with different sets of compilation configurations.

At the same time, the post-optimization mitigation patches are not accounted for by popular optimization techniques, leading to incorrect optimization decisions by optimizer heuristics and significant performance loss. The direct cause for that issue is that the cost-model of code is affected by the requirement to apply mitigations, although the eventual cost is not manifested in the heuristic logic.

To overcome the first problem, we suggest an efficient and secure integration of Spectre V1 and Spectre V2 mitigation techniques. The proposed unified technique offers improved security in common mitigation practices and is based on interdependencies analysis between optimizations and mitigations for achieving better performance. For the second problem, we present a few changes to optimization heuristics that gain up to X5.97 speedup for LVI mitigated code.