Abstract
Speculative execution attacks are severe security vulnerabilities that leak information through covert channels in computer systems. Hardware defenses mitigate them through microarchitectural modifications to processors such as central processing units (CPUs). However, current hardware defenses struggle to balance the critical aspects of security, performance, and hardware resource utilization in modern processors. This thesis aims to holistically improve these aspects of modern CPU microarchitecture by developing practical core-centric hardware defenses and exploring instruction set architecture (ISA) based methods for software-hardware interaction, thereby flexibly safeguarding processors against speculative execution attacks. It serves as a foundation for secure and efficient attack-aware computer defense systems built on software-hardware collaborative protection that can adapt to different attack scenarios. Specifically, the thesis encompasses novel defense strategies, hardware microarchitectural implementations, a software configuration interface for instruction instrumentation, theoretical attack modeling, and trade-off analyses of existing hardware defenses. The hardware defenses are implemented and evaluated on top of Berkeley's out-of-order RISC-V processor core on the VCU118 FPGA platform running Linux, with the goal of obtaining realistic hardware resource evaluations.

First, the thesis proposes an implicit attack flow model that captures the critical steps of implicit cache-based speculative execution attacks. Such attacks pose a serious threat to the information security of modern processors by enabling cache-based covert channels, yet the existing hardware defenses designed to block speculative cache-based covert channels leave them unaddressed. The refined attack flow model explains why these implicit attacks pose a severe threat to the existing hardware defenses, enables systematic analysis of the implicit security vulnerabilities in those defenses, and helps identify obscure security vulnerabilities for future research.
Second, a security-enhanced tracking and mitigation microarchitecture is implemented to mitigate both implicit and explicit cache-based speculative execution attacks. A trade-off analysis of security, performance, and hardware overhead in the existing hardware defenses for speculative cache-based covert channels shows that these defenses focus predominantly on explicit channels and leave implicit channels less addressed. To mitigate both classes of attack, the proposed microarchitecture delays the execution of a wider range of potential transmit instructions, offering stronger security than those defenses. It leverages dynamic hardware information flow tracking, combining a tracking mechanism with an instruction delay mechanism, to achieve speculative taint protection. Integrating an efficient global taint mask into the instruction delay mechanism keeps the register-based hardware resource overhead on the FPGA negligible.
Third, the thesis presents a configurable CPU microarchitecture with a software configuration interface for instruction instrumentation, providing robust and flexible mitigation not only against cache-based speculative execution attacks but also against other known and unknown speculative covert channels. A classification of existing hardware defenses and their trade-off analyses show that each is limited in either security or performance, indicating that a single defense method can hardly achieve both better security and better performance against speculative execution attacks. Improving defensive flexibility is a promising way to alleviate these limitations. The proposed configurable microarchitecture therefore provides optimized, switchable hardware defensive modes: a high-security mode for mitigating unanticipated attack scenarios and two performance-optimized modes for mitigating anticipated attack scenarios. These modes mitigate different attack scenarios with better performance and can be switched without modifying the hardware; selecting the suitable mode is done through the software configuration interface and instruction instrumentation. The microarchitecture introduces a negligible hardware resource overhead on the FPGA. Overall, it lays the foundation for attack-aware computer defense systems with flexible resilience to speculative execution attacks through adjustable defensive modes tailored to different software-implemented attack scenarios.
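The following added example (illustrative code written for this page, not the thesis's RTL or any code from the author) models the two mechanisms described in the second and third contributions in a toy instruction-level simulator: a global taint mask that marks registers holding speculatively loaded data, a delay decision for potential transmit instructions, and a software-selectable defensive mode standing in for the configuration interface. The instruction format, the taint rules, the three mode names and the sample program (a Spectre-style bounds-check gadget) are all assumptions, not definitions taken from the thesis.

```python
from dataclasses import dataclass
from enum import Enum, auto
from typing import List, Optional, Tuple


class Mode(Enum):
    """Assumed defensive modes; the names are illustrative, not the thesis's."""
    HIGH_SECURITY = auto()      # delay every transmitter while any branch is unresolved
    EXPLICIT_ONLY = auto()      # delay only loads whose address register is tainted
    EXPLICIT_IMPLICIT = auto()  # also delay branches and stores that consume tainted data


@dataclass(frozen=True)
class Instr:
    op: str                         # 'br', 'ld', 'st', 'alu' or 'resolve'
    dst: Optional[str] = None       # destination register, e.g. 'x4'
    srcs: Tuple[str, ...] = ()      # source registers (address first for ld/st)

    def label(self) -> str:
        return f"{self.op} {self.dst or self.srcs[0]}"


# Potential transmit instructions: their execution changes microarchitectural
# state (cache, predictors) in a way that depends on their operands.
TRANSMITTERS = {"ld", "st", "br"}


def reg_bit(reg: str) -> int:
    """Map register 'xN' to bit N of the global taint mask."""
    return 1 << int(reg[1:])


def simulate(program: List[Instr], mode: Mode) -> List[Tuple[Instr, str]]:
    """Walk the program in order, returning (instruction, 'issue'|'delay') pairs."""
    taint = 0          # global taint mask, one bit per register
    unresolved = 0     # branches in flight whose outcome is still predicted
    trace = []
    for ins in program:
        if ins.op == "resolve":
            # All predictions confirmed: nothing younger can be squashed, so
            # data loaded under speculation becomes architecturally visible
            # anyway and the whole mask is cleared in one step.
            unresolved, taint = 0, 0
            trace.append((ins, "issue"))
            continue

        src_tainted = any(taint & reg_bit(r) for r in ins.srcs)

        if unresolved == 0:
            decision = "issue"                        # non-speculative: never delayed
        elif mode is Mode.HIGH_SECURITY:
            decision = "delay" if ins.op in TRANSMITTERS else "issue"
        elif mode is Mode.EXPLICIT_ONLY:
            decision = "delay" if ins.op == "ld" and src_tainted else "issue"
        else:  # Mode.EXPLICIT_IMPLICIT
            decision = "delay" if ins.op in TRANSMITTERS and src_tainted else "issue"

        # Taint propagation: a load issued under speculation may return a
        # secret, and any instruction inherits taint from a tainted source.
        if ins.dst is not None:
            if src_tainted or (ins.op == "ld" and unresolved > 0):
                taint |= reg_bit(ins.dst)
            else:
                taint &= ~reg_bit(ins.dst)
        if ins.op == "br":
            unresolved += 1                           # enters the speculative window

        trace.append((ins, decision))
    return trace


def delayed_ops(program: List[Instr], mode: Mode) -> List[str]:
    """Labels of the instructions a mode would hold back, in program order."""
    return [ins.label() for ins, decision in simulate(program, mode) if decision == "delay"]


# Constructed sample: a Spectre-style gadget, `if (x1 < size) y = array2[array1[x1] << 6]`
DEMO = [
    Instr("br", srcs=("x1",)),         # bounds check, predicted taken, not yet resolved
    Instr("ld", "x2", ("x1",)),        # array1[x1]: speculative access -> x2 tainted
    Instr("alu", "x3", ("x2",)),       # x3 = x2 << 6: taint propagates
    Instr("ld", "x4", ("x3",)),        # array2[x3]: explicit cache transmitter
    Instr("br", srcs=("x2",)),         # branch on the secret: implicit transmitter
    Instr("st", srcs=("x3", "x5")),    # store to a secret-derived address: implicit transmitter
    Instr("resolve"),                  # bounds check resolves, window drains
    Instr("ld", "x6", ("x1",)),        # non-speculative: issues in every mode
]

if __name__ == "__main__":
    for mode in Mode:
        print(f"{mode.name:18s} delays {delayed_ops(DEMO, mode)}")
```

Running the same gadget under each mode shows the trade-off the abstract describes: the explicit-only mode lets the secret-dependent branch and store issue (the implicit channel), the explicit-and-implicit mode delays them as well, and the high-security mode additionally delays every speculative load, including the first access, which is where its performance cost comes from.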
Finally, the thesis concludes the research works and outlines directions for future work: trusted execution environments (TEEs), hardware defenses supporting multi-core environments, software-hardware collaborative system protection, and attack-aware computer systems.
| Date of Award | 16 Apr 2026 |
|---|---|
| Original language | English |
| Awarding Institution | |
| Supervisor | Chak Chung Ray CHEUNG (Supervisor) |