



# ReViCe: <u>Re</u>using <u>Vi</u>ctim Cache to Prevent Speculative <u>Cache Le</u>akage

<u>Sungkeun Kim</u>, Farabi Mahmud, Jiayi Huang, Pritam Majumder, Neophytos Christou<sup>\*</sup>, Abdullah Muzahid, Chia-Che Tsai, Eun Jung Kim

Texas A&M University \*University Of Cyprus



## **Vulnerable Performance Optimization**

- □ Attackers can access the secret through speculative execution.
- □ Attackers transmit the secret through cache side channel.





# Problem: Speculation Based Attacks (Spectre V1)



Meltdown

Spectre



# Solution: ReViCe - An Undo-Based Mitigation



Meltdown

Spectre

UNIVERSITY<sub>®</sub>

# ReViCe – Motivations





- Delay update until Branch resolution
- Penalized by correctly speculated load.
- Penalized by incorrectly speculated load.







### Threat model

- □ Mis-Speculative load can access the secret.
- □ Cache side channel transmits the secret.
- □ Attacker has access to the source code of the victim program
- $\hfill\square$  OS is correct and trusted by the victim.
- Out of Scope
  - Other side channels: TLB, Branch Prediction History
  - Foreshadow



# ReViCe - Design





 $\prod_{U N I V E R} A^{*}_{V N I V E R} A^{*}_{N N I V E R}$ 

### Victim Cache – Confirm Correct Speculative Changes



#### Victim Cache – Restore Speculative Changes



Delayed Downgrade Coherence State [Yao et al. HPCA `18]



# ReViCe – Evaluation



- Simulation based
  - gem5 full system simulator
  - Out of order processor (Single, Octa cores)
- $\square$  Proof-of-concept (4 x 3 x 2 = 24 attack programs)
  - Four Spectre Variants
  - Three Cache Side Channels
  - Same Core and Cross Cores
- $\hfill\square$  Performance evaluation
  - SPEC2017, PARSEC

Compared against InvisiSpec, Selective Delay, CleanupSpec



PoC and Performance

Details in the paper





- □ Problem: Mitigating Speculation based attack leveraging cache side channel.
- Prior works: Either high overhead or incomplete
- □ Key insights: Hide speculation using Jitter and Restore from Victim Cache.
- $\square$  ReViCe is secure with better performance.





## Sungkeun Kim ksungkeun84@tamu.edu

