Scientists have devised a way to defeat the Meltdown and Spectre security vulnerabilities caused by speculative execution in modern processors.
In a research paper titled "SafeSpec: Banishing the Spectre of a Meltdown with Leakage-Free Speculation," computer scientists from the University of California, Riverside, the College of William and Mary and Binghamton University explained how the side effects caused by speculative execution could be isolated to prevent hackers from finding privileged information.
They said that SafeSpec was a “design principle where speculative state is stored in temporary structures that are not accessible by committed instructions.” This makes the memory hierarchy free of speculation leakage and prevents Meltdown and Spectre attacks.
This would mean expanding the “load-store queues to store a pointer to a temporary associative structure that holds speculatively loaded cache lines. We also introduce a similar structure to hold speculatively loaded TLB entries,” said researchers.
This would not only fix attacks based on Spectre and Meltdown but would also block a new variant of attacks which scientists call transient speculation attacks (TSAs).
“Although TSAs are strictly less powerful than the original attack, they must be carefully considered to ensure that leakage is not possible. One way to solve this problem is to either partition the speculative state per branch, or to size it generously, or even for the worst case scenario, to ensure that no leakage occurs through the shadow state. TSAs can also attempt to communicate covertly by creating contention on functional units or other shared structures,” said the paper.
To take advantage of this new method would require an extensive redesign of the processor to “separate out the speculative state from the permanent state”.
“We recognise that other structures affected by speculative instructions must also be protected using this principle or otherwise the attackers will switch to using them. Future work should look at protecting the branch predictor, DRAM buffers, account for prefetchers, as well as other structures,” said researchers.
They added that the principle of the methods relies on leaving speculative state in shadow structures, and only committing this state once the instructions that generate them are guaranteed to commit. “Thus, side-effects of misspeculation are hidden from the primary structures of the CPU, closing the vulnerability,” said the paper.
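To make the principle concrete, here is a toy cache model written for this article (it is not code from the SafeSpec paper or its authors). It contrasts a baseline design, where a misspeculated load leaves its footprint in the real cache, with a SafeSpec-style shadow structure that is discarded on squash and only merged into the cache once the load is known to commit; the 256-line probe array and the secret byte value are constructed for the scenario.

```python
# Added example: toy model of the SafeSpec principle. Constructed scenario,
# not the paper's own implementation or a cycle-accurate simulator.
PAGE_LINES = 256  # constructed: one cache line per possible byte value


class Cache:
    def __init__(self, safespec):
        self.safespec = safespec
        self.committed = set()  # architectural cache state, visible to later timing probes
        self.shadow = set()     # SafeSpec-style temporary structure for speculative fills

    def speculative_load(self, line):
        # A load issued under an unresolved branch fills the shadow structure
        # under SafeSpec, but the real cache on the baseline design.
        (self.shadow if self.safespec else self.committed).add(line)

    def resolve(self, branch_predicted_correctly):
        # Shadow state is committed only when its instructions are guaranteed
        # to commit; on misspeculation it is simply thrown away.
        if branch_predicted_correctly:
            self.committed |= self.shadow
        self.shadow.clear()

    def is_cached(self, line):
        # Committed instructions can only observe the architectural cache.
        return line in self.committed


def footprint(safespec, mispredicted, secret=0x2A):
    """Return the set of probe-array lines a committed observer finds cached
    after a speculative load indexed by a secret byte (constructed scenario)."""
    cache = Cache(safespec)
    cache.speculative_load(secret)  # transient load of probe_array[secret]
    cache.resolve(branch_predicted_correctly=not mispredicted)
    return {line for line in range(PAGE_LINES) if cache.is_cached(line)}


if __name__ == "__main__":
    print("baseline, misspeculated:", footprint(False, True))  # {42}
    print("safespec, misspeculated:", footprint(True, True))   # set()
    print("safespec, correct path :", footprint(True, False))  # {42}
```

The third case shows why the design need not cost performance: correctly speculated loads still end up in the cache, only the misspeculated ones vanish.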
They added that the performance of the SafeSpec CPU was actually slightly higher than an unmodified CPU, despite conservative estimates on the shadow state. SafeSpec will need extra space in the L1 cache, according to scientists.
Scientists believe that the presented design represents a first step of many towards a principled protection of speculative execution.
Paul Ducklin, senior technologist at Sophos, told SC Media UK that the Spectre/Meltdown story isn't really an issue, “it's part of a saga, in the literal sense of a long-running tale of thrust and counterthrust - an ongoing, circling battle between security and performance”.
“Some of the 'fixes' will be delivered in new hardware designs; some in low-level firmware and operating system changes; and others in new standards for compiling and constructing apps. Some of these changes may reduce performance slightly, and some people will complain, resist, and even refuse on the grounds that it will 'break their business'. Then a few early adopters will show that it's not hard at all, and then we'll all do it,” he said.