Regular Papers

TLBshield: A Secure Reinforce on Translation Lookaside Buffer With Security and Performance Trade-Off to Mitigate the Speculative Attacks

  • YUYANG LIU,
  • RUNYE DING,
  • YUJIE CHEN,
  • PUJIN XIE,
  • YAO LIU,
  • ZHIYI YU
  • School of Microelectronics Science and Technology, Sun Yat-sen University, Zhuhai 519082, China
YAO LIU (e-mail: ).

YAO LIU (Member, IEEE); ZHIYI YU (Senior Member, IEEE)

Received date: 2025-01-15

Revised date: 2025-02-25

Accepted date: 2025-03-06

Online published: 2025-10-22

Abstract

Since the discovery of speculative execution attacks based on side channels, there has been a long history of research on their attack mechanisms and defense principles. To explore TLB side channels, we constructed a System-on-Chip (SoC) centered around the XuanTie C910 processor on a Virtex UltraScale+ HBM VCU128 FPGA and ran the Linux operating system on this platform. We successfully implemented the Spectre-v1 attack targeting the multi-level TLB structure of the XuanTie C910 processor, identifying the second-level TLB as the primary target of the attack. In addition, we proposed a defense mechanism called TLBshield-v1, which employs a 50-percent block rate policy on the write-back channel from the Page Table Walker to the second-level TLB, thereby mitigating all attacks based on the second-level TLB. We tested the 50-percent block rate policy, which reduced the success rate of the Spectre-v1 attack from 100 percent to 55.7 percent, with a performance overhead of only 1.77 percent. Furthermore, we designed TLBshield-v2 with different block rates for the second-level TLB, tested their corresponding performance overheads and security implications, and introduced a normalized evaluation metric, Security-Versus-Performance, to determine the optimal design strategy that balances performance overhead and security under varying security requirements.

Cite this article

YUYANG LIU, RUNYE DING, YUJIE CHEN, PUJIN XIE, YAO LIU, ZHIYI YU. TLBshield: A Secure Reinforce on Translation Lookaside Buffer With Security and Performance Trade-Off to Mitigate the Speculative Attacks[J]. Integrated Circuits and Systems, 2025, 2(3): 158-166. DOI: 10.23919/ICS.2025.3550116

