Microarchitectural Timing Channels and their Prevention on an Open-Source 64-bit RISC-V Core

Authors: Nils Wistoff, Moritz Schneider, Frank Kagan Gürkaynak, Luca Benini, and Gernot Heiser
Proceedings of the 2021 Design, Automation & Test in Europe (DATE 2021)

Abstract

Microarchitectural timing channels use variations in the timing of events, resulting from competition for limited hardware resources, to leak information in violation of the operating system’s security policy. Such channels also exist on a simple in-order RISC-V core, as we demonstrate on the open-source RV64GC Ariane core. Time protection, recently proposed and implemented in the seL4 microkernel, aims to prevent timing channels, but depends on a controlled reset of microarchitectural state. Using Ariane, we show that software techniques for performing such a reset are insufficient and highly inefficient. We demonstrate that adding a single flush instruction is sufficient to close all five evaluated channels at negligible hardware costs, while requiring only minor modifications to the software stack.

BibTeX

@INPROCEEDINGS{wistoff2021microarchitectural,
	isbn = {978-3-9819263-5-4},
	doi = {10.23919/DATE51398.2021.9474214},
	year = {2021},
	month = feb,
	booktitle = {Proceedings of the 2021 Design, Automation \& Test in Europe (DATE 2021)},
	type = {Conference Paper},
	author = {Wistoff, Nils and Schneider, Moritz and Gürkaynak, Frank Kagan and Benini, Luca and Heiser, Gernot},
	abstract = {Microarchitectural timing channels use variations in the timing of events, resulting from competition for limited hardware resources, to leak information in violation of the operating system's security policy. Such channels also exist on a simple in-order RISC-V core, as we demonstrate on the open-source RV64GC Ariane core. Time protection, recently proposed and implemented in the seL4 microkernel, aims to prevent timing channels, but depends on a controlled reset of microarchitectural state. Using Ariane, we show that software techniques for performing such a reset are insufficient and highly inefficient. We demonstrate that adding a single flush instruction is sufficient to close all five evaluated channels at negligible hardware costs, while requiring only minor modifications to the software stack.},
	keywords = {Covert channels; Timing channels; Computer architecture; Microarchitecture; Operating systems; System security; Time protection},
	language = {en},
	address = {Piscataway, NJ},
	publisher = {IEEE},
	title = {Microarchitectural Timing Channels and their Prevention on an Open-Source 64-bit RISC-V Core},
	pages = {627--632},
	note = {24th Design, Automation and Test in Europe Conference (DATE 2021); Conference Location: Online; Conference Date: February 1-5, 2021}
}

Research Collection: 20.500.11850/559589