Secure Access Policy (SAP): Invisibly Executing Speculative Unsafe Accesses in an Isolated Environment

In recent years, speculative execution attacks bring severe threats to hardware security. An attacker tempts the victim process to read secret data during speculative execution and recovers it via micro-architectural covert channels. Most defense strategies in the literature adopt a blocking approach, in which the execution of malicious speculative instructions is withheld until they become safe and, thus, excessive performance overhead is inevitable. Although several non-blocking approaches have also been proposed, extra hardware components are introduced to buffer data of speculative cache accesses, bringing on significant hardware costs. In this paper, we propose the Secure Access Policy (SAP) to enable the non-blocking execution of malicious speculative instructions in an isolated environment, which reuses the existing Line Fill Buffer and Translation Lookaside Buffer, without introducing any new hardware component. The isolated environment, named Safe Shelter area (SS area), maintains the data accessed by malicious speculative instructions and those data cannot be transmitted to the outside. An improved taint tracking technique is introduced to effectively reduce the number of accesses to the SS area. In addition, an extended cache coherence mechanism and a process-bound technique are also proposed to guarantee the validity and security of SS area’s data. We evaluate SAP on SPEC2006 and PARSEC3.0 workloads. The evaluation results show that SAP can effectively defend those attacks leveraging speculative executions and cache covert channels, and outperforms existing approaches in performance overhead, 2.35% and 3.21% in the Spectre and Futuristic defense models, respectively.