Boffins offer to make speculative execution great again with Spectre-Meltdown CPU fix

A group of computer science researchers has proposed a way to overcome the security risk posed by speculative execution, the data processing technique behind the Spectre and Meltdown vulnerabilities.

In a paper distributed this week through the ArXiv preprint server, "SafeSpec: Banishing the Spectre of a Meltdown with Leakage-Free Speculation," computer scientists from University of California, Riverside, College of William and Mary and Binghamton University describe a way to isolate the artifacts produced by speculative execution so that they can't be used to glean privileged data.

SafeSpec is "a design principle where speculative state is stored in temporary structures that are not accessible by committed instructions," the paper – co-authored by Khaled N. Khasawneh, Esmaeil Mohammadian Koruyeh, Chengyu Song, Dmitry Evtyushkin, Dmitry Ponomarev, and Nael Abu-Ghazaleh – explains.

These temporary or "shadow structures," as the paper calls them, revise the memory hierarchy in a way that prevents speculation attacks.

"In particular, we expand the load-store queues to store a pointer to a temporary associative structure that holds speculatively loaded cache lines," the paper says. "We also introduce a similar structure to hold speculatively loaded TLB (translation lookaside buffer) entries."

The researchers claim their approach fixes currently known attack variations based on the Spectre and Meltdown data-leaking flaws, as well as a new class of attack they introduce called transient speculation attacks – which they claim can be mitigated by altering the size of the shadow structures used to isolate the speculatively generated data.

Speculating on security

Most modern computer chips employ speculative execution for speed. To fully utilize their ability to process groups of instructions in parallel, they employ a branch predictor to guess which path a program will take and then execute an expected set of instructions before it's needed.

When the program follows the anticipated path, the work has already been done, saving time; if the branch predictor guessed wrong, the resulting data simply gets discarded.

The problem with this technique, as chipmakers acknowledged earlier this year, is that code being processed under speculative execution is not subject to the same privilege checks as other instructions.

As a result, side-channel attacks can be devised to look beyond user memory into kernel memory.

Initially there were two Spectre variants (CVE 2017-5753 and 2017-5715) and one Meltdown variant (2017-5754). Three others have surfaced (2018-3640, 2018-3639, 2018-3665) since then and there may well be more to come.

These vulnerabilities have been addressed through adding the LFENCE instruction to compilers, processor interfaces added through microcode updates (IBRS, STIBP, IBPB), changes to the Windows, Linux, and macOS operating systems, Kernel Page-Table Isolation (KPTI), Return Trampoline (Retpoline), and PoisonIvy.

For the time being at least. The paper says Intel engineers have acknowledged that pending chip architecture changes will break Retpoline, Google's defense against the indirect branch target injection attacks know as Spectre variant 2. This footnote evidently wasn't intended for publication and may not persist in subsequent revisions.)

Whatever the case, SafeSpec promises to make speculative execution great again.

More work for Intel

The Register asked Intel for comment but the company wasn't able to make anyone available prior to publication. We understand, however, that the company is aware of this work.

The research, if validated and adopted, means more work for Intel and other chip makers.

"SafeSpec requires a deep redesign of the CPU to separate out the speculative state from the permanent state," the paper explains.

In a phone interview with The Register, Nael Abu-Ghazaleh, professor of computer science and engineering at UC Riverside and a co-author of the paper, said he believes SafeSpec can defend against the recently disclosed Lazy FP state bug affecting Intel math processors.

"Like the other variants of Spectre/Meltdown, the speculatively accessed floating point state would go to the shadow state, but not make it to the visible architectural state, preventing the attack," he said.

It also addresses another recently disclosed variant, Speculative Store Bypass (variant 4). "The good thing about it is it doesn't care about the source of the speculation," he said.

Abu-Ghazaleh acknowledged that SafeSpec requires some extra space on the L1 cache, but he considers the hardware changes to be minimal. And in terms of performance, he said, SafeSpec could even offer small improvements.

"I think it's really practical in terms of overhead," he said.

It's not a complete fix. As the paper acknowledges, other silicon structures affected by speculative instructions like the branch predictor and DRAM buffers also need to be fortified.

But it might just be better than past patches. ®