CacheRewinder: Revoking Speculative Cache Updates Exploiting Write-Back Buffer

Jongmin Lee1,a, Junyeon Lee2, Taeweon Suh1,b and Gunjae Koo1,c
1Korea University Seoul, South Korea
aflackekd@korea.ac.kr
bsuhtw@korea.ac.kr
cgunjaekoo@korea.ac.kr
2Samsung Electronics Seoul, South Korea
junyeon2.lee@samsung.com

ABSTRACT


Transient execution attacks are critical security threats since those attacks exploit speculative execution which is an essential architectural solution that can improve the performance of out-of-order processors significantly. Such attacks change cache state by accessing secret data during speculative executions, then the attackers leak the secret information exploiting cache timing side-channels. Even though software patches against transient execution attacks have been proposed, the software solutions significantly slow down the performance of a system.

In this paper, we propose CacheRewinder, an efficient hardware-based defense mechanism against transient execution attacks. CacheRewinder prevents leakage of secret information by revoking the cache updates done by speculative executions. To restore the cache state efficiently, CacheRewinder exploits the underutilized write-back buffer space as the temporary storage for victimized cache blocks evicted during speculative executions. Hence, when speculation fails CacheRewinder can quickly restore the cache state using the victim blocks held in the write-back buffer. Our evaluation exhibits CacheRewinder can effectively defend against transient execution attacks. The performance overhead by CacheRewinder is only 0.6%, which is negligible compared to the unprotected baseline processor. CacheRewinder also requires minimal storage cost since it exploits unused writeback buffer entries as storage for evicted cache blocks.

Keywords: Secure Architecture, Transient Execution Attacks, Speculative Execution, Cache Side-Channels.



Full Text (PDF)