Pavlos Aimoniotis: Advances in Speculative Side Channel Mitigations and New Exploitations
- Date
- 12 December 2025, 9:15
- Venue
- Polhemsalen, Ångströmlaboratoriet, Lägerhyddsvägen 1, Uppsala
- Type
- Doctoral defence
- Respondent
- Pavlos Aimoniotis
- Opponent
- Yan Solihin
- Supervisor
- Stefanos Kaxiras
- Research subject
- Computer Science
- Publication
- https://urn.kb.se/resolve?urn=urn:nbn:se:uu:diva-566433
Abstract
Speculative execution improves processor performance by predicting the path a program will take and executing instructions before it is architecturally legal to do so. This introduces potential vulnerabilities when the prediction is wrong and the program has followed the wrong path: the processor recovers the architectural state, but the microarchitectural state remains and can be exploited. In the vulnerabilities that leverage this speculative side channel (known as Spectre attacks), a secret is improperly accessed under speculation and then leaked by passing it to a transmitter instruction that leaves irreversible changes in the microarchitecture. Several proposed defenses try to close this security hole either by prohibiting the propagation of speculatively loaded values or by delaying transmitter instructions (e.g., loads) from executing under speculation. Each of these solutions leads to considerable performance degradation and, in certain instances, fails to fully mitigate the vulnerability.
This thesis addresses the challenges of performance and security through five works: three that optimize the performance of existing speculative side-channel defenses, namely Janus, ReCon, and Doppelganger Loads, and two that expose security vulnerabilities by demonstrating attack scenarios, namely DOIN! and Reorder Buffer Contention.
On the performance side, Janus combines two of the simplest defense ideas in the same processor design and uses reinforcement learning to select, on the fly, whichever underlying defense mechanism performs best. ReCon efficiently leverages non-speculative information leakage to allow speculative load instructions that access non-secret values to execute. Doppelganger Loads employs an address predictor to unlock more speculative memory-level parallelism by predicting speculative load addresses in a secret-independent way. All three techniques recover a significant part of the performance lost to speculative side-channel defenses.
On the security side, the DOIN! attack exploits inclusive caches and the co-existence of instructions and data in the last-level cache to create observable timing differences in the data cache, bypassing existing speculative defenses. Reorder Buffer Contention adds secret-dependent contention to the reorder buffer, pushing a transmitter instruction into or out of it on demand and thereby leaking the value of the speculatively loaded secret.