Microarchitectural attacks such as Spectre and Meltdown undermine security by exploiting software-visible side effects of microarchitectural optimizations like caches and speculative execution. To use modern hardware securely, programmers must take into account the security implications of these optimizations. Yet instruction set architectures (ISAs)—the conventional abstraction layer between hardware and software—are ill-suited for secure programming: by design, they abstract from microarchitectural details and therefore fail to reflect their security consequences. A new security abstraction is emerging to fill this void: hardware-software leakage contracts. To support the principled development of secure software on modern hardware such contracts characterize side-channel leakage at the ISA level. Thereby they enable programmers and compilers to generate code that is provably resistant to side-channel attacks—without having to explicitly reason about the microarchitecture. On the other hand, they provide a specification for hardware designers to ensure that microarchitectures do not introduce unintended and undocumented side channels. This paper introduces the foundations of this emerging topic, discussing recent contributions and unresolved challenges along the way.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Foundations of Hardware-Software Leakage Contracts

  • Jan Reineke

摘要

Microarchitectural attacks such as Spectre and Meltdown undermine security by exploiting software-visible side effects of microarchitectural optimizations like caches and speculative execution. To use modern hardware securely, programmers must take into account the security implications of these optimizations. Yet instruction set architectures (ISAs)—the conventional abstraction layer between hardware and software—are ill-suited for secure programming: by design, they abstract from microarchitectural details and therefore fail to reflect their security consequences. A new security abstraction is emerging to fill this void: hardware-software leakage contracts. To support the principled development of secure software on modern hardware such contracts characterize side-channel leakage at the ISA level. Thereby they enable programmers and compilers to generate code that is provably resistant to side-channel attacks—without having to explicitly reason about the microarchitecture. On the other hand, they provide a specification for hardware designers to ensure that microarchitectures do not introduce unintended and undocumented side channels. This paper introduces the foundations of this emerging topic, discussing recent contributions and unresolved challenges along the way.