CONTEXT-SENSITIVE FENCING: SECURING SPECULATIVE EXECUTION VIA MICROCODE CUSTOMIZATION
Mohammadkazem Taram, Ashish Venkat, Dean Tullsen
University of California San Diego, University of Virginia

PERFORMANCE VS. SECURITY
[Figure labels: Security, Performance, FORESHADOW]

SPECTRE ATTACKS!
➤ Leak secrets via side-channels + speculative execution
➤ Any modern processor with a Branch Predictor is vulnerable
[Figure labels: Attacker, Victim, Speculative Execution, Side-Channels]

SPECTRE V1 — BOUNDS CHECK BYPASS
int Kernel_api_( int x ){
    if ( x < array1_size) //bounds check
        y = array2[array1[x] * 64];
}
Mispredicted //not taken/fallthrough code
Too late to recover — data is exposed via side-channels

CURRENT SPECTRE V1 MITIGATIONS
➤ Restricting Speculation Using Fences and Barriers:
if ( x < array1_size) {
    speculative_fence;
    y = array2[array1[x] * 64];
}
Up to 10x Performance Overhead!
O. Oleksenko, B. Trach, T. Reiher, M. Silberstein, and C. Fetzer. 2018. You Shall Not Bypass

THIS WORK: CONTEXT SENSITIVE FENCING
➤ Surgically injects fence micro-ops
Right Type of Fence
Only When Necessary
No Recompilation

MICRO-OP STREAM CUSTOMIZATION BY CONTEXT-SENSITIVE DECODING
[Figure: pipeline stages Fetch, Instruction Decoder, Rename, Execute, WB; FENCE micro-ops appear in the decoded stream]
Native Instructions (e.g., inc [0x803ac] )
ld t0, [0x803ac]
add t0, t0, 1
st [0x803ac], t0
“Context-Sensitive Decoding: On-Demand Microcode Customization for Security and Energy Management” ISCA 2018, IEEE Micro Top Picks 2019

CONTEXT-SENSITIVE FENCING: AN EXAMPLE
[Figure: decode front end; blocks: Macro-op Dispatcher, Regular Decoders, MSROM, Context-Sensitive Decoders, Micro-op Fusion, Micro-op Queue, Taint Tracking, Model Specific Registers (Fence Enforcement Configurations), OS]
X86 Instructions: inc [0x803ac]    (*ptr)++
Context-sensitive translation:
FENCE
ld t0, [0x803ac]
add t0, t0, 1
st [0x803ac], t0
Micro-op Queue: st, add, ld, FENCE, beq, add

CONTEXT SENSITIVE FENCING
➤ Surgically injects fence micro-ops
Right Type of Fence
Only When Necessary
No Recompilation

BUT WHAT FENCE SHOULD WE USE?
Existing Intel Fences
➤ Require Privileged Access
➤ Clobber Architectural Registers
➤ Enforced Early in the Pipeline

EXISTING FENCES: SERIALIZING INSTRUCTIONS (SI)
[Figure: pipeline with Fetch, Instruction Decoder, Rename, Dispatch, functional units (FU1, …), Commit]
➤ Enforced early in the pipeline
➤ Examples:
  ➤ All Serializing Instructions
  ➤ Intel’s MFENCE
  ➤ Intel’s SFENCE

EXISTING FENCES: INTEL LFENCE
[Figure: pipeline with Fetch, Instruction Decoder, Rename, Dispatch, functional units (FU1, …), Commit]
➤ Enforced early in the pipeline
➤ Example:
  ➤ Intel’s LFENCE

LATE ENFORCEMENT FENCES
➤ Shifts fence enforcement towards the leaking structure
➤ Reduces the impact on other instructions
[Figure: Macro-op Stream, Macro-to-µop Translation Unit, µ-op Queue, µ-op Dispatcher, RS, FU1, FU2, Load Store-Queue, Cache, Cache Controller, Mem, Mem Controller]

NEWLY PROPOSED FENCES
➤ Load-Store Queue LFENCE (LSQ-LFENCE)
➤ Load-Store Queue MFENCE (LSQ-MFENCE)
➤ Reservation Station Fence (RSFENCE)
➤ Cache Fence (CFENCE)
[Figure: Macro-op Stream, Macro-to-µop Translation Unit, µ-op Queue, µ-op Dispatcher, RS, FU1, FU2, Load Store-Queue, Cache, Cache Controller, Mem, Mem Controller; fence labels on the diagram: LSQ-Fences, RS-Fence, Cfence]

CACHE FENCE (CFENCE)
➤ Allows all loads and stores to pass
➤ CFENCE labels any subsequent load as a non-modifying load
➤ Allows non-modifying loads to pass through the CFENCE
➤ Non-modifying loads are restricted from modifying the cache state.
[Figure: ld micro-ops and a CFENCE in the instruction stream; loads labelled Non-Modifying]

CACHE FENCE (CFENCE)
➤ if a cache hit -> read the contents of the cache,
  ➤ doesn’t change meta-data (e.g., LRU age bits)
➤ if a cache miss -> mark as uncacheable
  ➤ allow mem read without altering the cache state
[Figure: Cache Controller flow for a Normal Load: Hit?; Hit: Update Metadata (LRU bits), Serve the request; Miss: Fetch Cache Block from memory, Update Cache]
[Figure: Cache Controller flow for a Non-Modifying Load: Hit?; Hit: Serve the request; Miss: Fetch Cache Block from memory]
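
The two cache-controller flows above, as a small C model (an added example, not code from the talk or the paper). It assumes a single 4-way LRU set with 64-byte lines; `cache_t`, `cache_load` and the other names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WAYS 4        /* one fully associative set keeps the model small */
#define LINE_SHIFT 6  /* 64-byte lines (assumption) */
typedef struct {
    bool     valid[WAYS];
    uint64_t tag[WAYS];
    unsigned age[WAYS];  /* LRU metadata: larger means older */
} cache_t;

void cache_init(cache_t *c) { memset(c, 0, sizeof *c); }

/* Side-effect-free lookup, used only to inspect the model's state. */
int cache_find(const cache_t *c, uint64_t addr) {
    for (int w = 0; w < WAYS; w++)
        if (c->valid[w] && c->tag[w] == (addr >> LINE_SHIFT)) return w;
    return -1;
}

static void touch(cache_t *c, int way) {  /* mark `way` most recently used */
    for (int w = 0; w < WAYS; w++) c->age[w]++;
    c->age[way] = 0;
}

static int victim(const cache_t *c) {     /* first invalid way, else oldest */
    int v = 0;
    for (int w = 0; w < WAYS; w++) {
        if (!c->valid[w]) return w;
        if (c->age[w] > c->age[v]) v = w;
    }
    return v;
}

/* Returns true on a hit. The request is served in every case; a
 * non-modifying load leaves tags and LRU ages exactly as they were. */
bool cache_load(cache_t *c, uint64_t addr, bool non_modifying) {
    int way = cache_find(c, addr);
    if (way >= 0) {
        if (!non_modifying) touch(c, way);  /* hit: LRU update skipped */
        return true;
    }
    if (non_modifying) return false;        /* miss: handled as uncacheable */
    way = victim(c);                        /* normal miss: fill the cache */
    c->valid[way] = true;
    c->tag[way] = addr >> LINE_SHIFT;
    touch(c, way);
    return false;
}

/* Constructed scenario: fill the set with lines 0..3, access line 0 again,
 * then load line 4. Returns the number of the line that was evicted. */
int evicted_after_reaccess(bool non_modifying) {
    cache_t c; cache_init(&c);
    for (uint64_t l = 0; l < WAYS; l++) cache_load(&c, l << LINE_SHIFT, false);
    cache_load(&c, 0, non_modifying);
    cache_load(&c, (uint64_t)WAYS << LINE_SHIFT, false);
    for (uint64_t l = 0; l < WAYS; l++)
        if (cache_find(&c, l << LINE_SHIFT) < 0) return (int)l;
    return -1;
}

int main(void) {
    printf("evicted after normal re-access: line %d\n", evicted_after_reaccess(false));
    printf("evicted after non-modifying re-access: line %d\n", evicted_after_reaccess(true));
    return 0;
}
```

A normal re-access of line 0 refreshes its LRU age, so line 1 is evicted next; a non-modifying re-access leaves the replacement order untouched, so line 0 is still the victim.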

RESULTS — FENCE ENFORCEMENT POLICIES
➤ Our CFENCE reduces the incurred performance overhead by 2.3X, bringing down the execution time overhead from 48% to 21%.
[Figure: Normalized Execution Time (y-axis, 1.00 to 2.00) with fences Injected for All Kernel Loads; benchmarks: ps, sjeng, bzip2, ping, llu, gcc, ls, nginx, omnet, gmean; series: LFENCE-LC, LSQ-MFENCE-LC, CFENCE-LC; annotations: 48%, 21%]

CONTEXT SENSITIVE FENCING
➤ Surgically injects fence micro-ops
Right Type of Fence
Only When Necessary
No Recompilation

FENCE FREQUENCY OPTIMIZATIONS
➤ Liberal Injection
  ➤ Injects fences before all the loads of a program
  ➤ completely stops speculation
[Figure: micro-op stream jeq, ld, add, ld, ld; after injection: jeq, Fence, ld, add, Fence, ld, Fence, ld]

FENCE FREQUENCY OPTIMIZATIONS
➤ Basic Block-Level Fence Insertion*
  ➤ Speculation begins with a branch prediction
  ➤ We want a fence between each branch and subsequent loads
[Figure: micro-op stream jeq, Fence, ld, add, ld, ld]
* Targeted Optimization — Only protects against variant 1

FENCE FREQUENCY OPTIMIZATIONS
➤ Taint-Based Fence Insertion
  ➤ Even one fence per basic block is too conservative
  ➤ Attacker performs operations based on untrusted data (e.g., attacker-controlled out-of-bounds index)
  ➤ Insert fences only for vulnerable loads that operate on untrusted data
  ➤ Dynamic Information Flow Tracker (DIFT)

DLIFT - AN INFORMATION FLOW TRACKER FOR SPECTRE ERA
➤ Classic Information Flow Trackers
  ➤ Maintain and Evaluate Taints at Late Stages of the Pipeline
  ➤ Not so useful for Spectre!
Detect The Threat before it’s too late.

DECODER-LEVEL (SPECULATIVE) INFORMATION FLOW TRACKER
[Figure: pipeline stages Fetch/Decode, Execute, Commit; blocks: Fetch, Macro-to-Micro, Speculative Taint Map, Taint Evaluator, Reg. File, TLB, Arch. Taint Map/RF, Commit Logic; Taint signals between stages]
Taint tables shown (Register: Tainted): rax: No, rbx: No; and rax: No, rbx: Yes
Animation steps, in order:
➤ add (%rbx), %rax: Not Tainted
➤ Fence-Free Translation:
ld t1, (%rbx)
add t1, %rax, %rax
➤ Under-Tainted? Flush
➤ Taint Recovery Copy (Register: Tainted): rax: No, rbx: Yes
➤ add (%rbx), %rax: Tainted
➤ Fence Injection:
FENCE
ld t1, (%rbx)
add t1, %rax, %rax
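
A simplified software model of the sequence above: decode with the speculative taint map, detect under-tainting at commit, flush, copy the taint map, and decode again with a fence. This is an added example, not the authors' hardware design; the `macro_op` layout, the `mem_untrusted` flag and the four-instruction program are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

enum { RAX, RBX, RCX, RDX, RSP };

/* One macro-op of the form  op (%addr), %dst : a load that feeds dst. */
typedef struct {
    int  addr, dst;
    bool mem_untrusted;  /* known only at execute: the loaded data is untrusted */
    bool fenced;         /* decoder's choice: fence injected before the load */
} macro_op;

typedef struct { int fences, flushes; } stats;

/* Decoder: consult the speculative taint map, inject a fence when the
 * address register is tainted, and propagate that taint to dst. */
static void decode_from(macro_op *p, int n, int start, unsigned *spec) {
    for (int i = start; i < n; i++) {
        p[i].fenced = (*spec >> p[i].addr) & 1u;
        if (p[i].fenced) *spec |= 1u << p[i].dst;
    }
}

/* Decode the whole window speculatively, then commit in order. Commit knows
 * the precise taint, memory included. An op whose address register is
 * architecturally tainted but was translated fence-free is under-tainted:
 * flush, copy the architectural map into the speculative map, decode again.
 * Simplification: taint is only ever added, never cleared. */
stats run_taint_based(macro_op *p, int n) {
    stats s = {0, 0};
    unsigned spec = 0, arch = 0;
    decode_from(p, n, 0, &spec);
    for (int i = 0; i < n; i++) {
        bool addr_tainted = (arch >> p[i].addr) & 1u;
        if (addr_tainted && !p[i].fenced) {  /* under-tainted */
            s.flushes++;
            spec = arch;                     /* taint recovery copy */
            decode_from(p, n, i, &spec);     /* this op now gets a fence */
        }
        if (p[i].fenced) s.fences++;
        if (addr_tainted || p[i].mem_untrusted) arch |= 1u << p[i].dst;
    }
    return s;
}

/* Constructed program: only the first load returns untrusted data. */
stats demo(void) {
    macro_op prog[] = {
        {RSP, RBX, true,  false},  /* mov (%rsp), %rbx : rbx becomes tainted */
        {RBX, RAX, false, false},  /* add (%rbx), %rax : tainted address     */
        {RCX, RDX, false, false},  /* mov (%rcx), %rdx : trusted address     */
        {RAX, RDX, false, false},  /* add (%rax), %rdx : taint reached rax   */
    };
    return run_taint_based(prog, 4);
}

int main(void) {
    stats s = demo();
    printf("taint-based: %d fences, %d flushes (liberal injection: 4 fences)\n",
           s.fences, s.flushes);
    return 0;
}
```

On this program the model fences two of the four loads after a single flush, where liberal injection would fence all four.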

RESULTS — FENCE FREQUENCY OPTIMIZATION
➤ Taint-Based CFENCE injection reduces the performance overhead to just 7.7%
[Figure: Normalized Execution Time (y-axis, 1.00 to 1.60) for CFENCE; benchmarks: ps, sjeng, bzip2, ping, llu, gcc, ls, nginx, omnet, gmean; series: Always Fencing, DLIFT-Based Fencing, DLIFT + Once per BB]

CONTEXT-SENSITIVE FENCING
No Recompilation
Low Performance Overhead
Minimal Changes to Processor
THANKS! QUESTIONS?