

## fence.t: Hardware Support for Preventing Microarchitectural Timing Channels

seL4 Summit 2022 10.10.2022

Nils Wistoffnwistoff@iis.ee.ethz.ch

Professors: Gernot Heiser

Luca Benini

gernot@unsw.edu.au lbenini@iis.ee.ethz.ch

**PULP Platform** Open Source Hardware, the way it should be!



@pulp\_platform 🔰 pulp-platform.org





The Today Weekly edition Economist

Science &

technology

The chips are down

≡ Menu

Two security flaws in modern chips cause big headaches for the tech business

Fixing the underlying problems will take a long time



Jan 4th 2018

**ETH** zürich

IT WAS a one-two punch for the computer industry. January 3rd saw the disclosure of two serious flaws in the design of the processors that power most of the world's computers. The first, appropriately called Meltdown, affects only chips made by Intel, and makes it possible to dissolve the virtual walls between the digital memory used by different programs, allowing hackers to steal sensitive data, such as passwords or a computer's encryption keys. The second,

ALMA MATER STUDIORUM Università di Bologna

#### ANDY GREENBERG SECURITY 01.03.2010 03:00 PM

#### A Critical Intel Flaw Breaks Basic Security for Most Computers

A Google-led team of researchers has found a critical chip flaw that developers are scrambling to patch in millions of computers.

SPECTRE

Speculative Execution **Covert Channel** 



Intel's processors have a security bug and the fix could slow down PCs

By Tom Warren | @tomwarren | Jan 3, 2018, 8:45am EST

TCs CVA6 fence.t CS Costs End



**ETH** zürich

ALMA MATER STUDIORUM Università di Bologna





TCs CVA6 fence.t CS Costs End









seL4 Summit 2022



4

TCs CVA6 fence.t CS Costs End



TCs CVA6 fence.t CS Costs End

#### Hardware

Microarchitectural State



seL4 Summit 2022



**ETH** zürich

ALMA MATER STUDIORUM Università di Bologna





TCs CVA6 fence.t CS Costs End







**ETH** zürich ALMA MATER STUDIORUM Università di Bologna

seL4 Summit 2022

7

TCs

CS

End

















# CVA6 (Ariane)



- Open-source 64-bit application-class RISC-V processor
- Boots Linux (or seL4)
- Developed by PULP team at ETH
- Now owned and maintained by OpenHW Group
- Widely used in academia and industry

ALMA MATER STUDIORUM





TCs CVA6 fence.t CS Costs End

# RTL Simulation FPGA Emulation ASIC Image: Strate S

RISC-V®

### speed, turn-around time, cost



seL4 Summit 2022

## Timing Channels on CVA6





<u></u>10<sup>−2</sup>

**10**−3

TCs

CVA6 fence.t

CS

Costs

End

Probability

Security Performan

224

256

## Timing Channels on CVA6







14

seL4 Summit 2022

## Timing Channels on CVA6



TCs

CVA6 fence.t



160

192 224

noise

## L1 Data Cache: Software Mitigation

**ETH** zürich

ALMA MATER STUDIORUM







seL4 Summit 2022

## L1 Data Cache: Software Mitigation

**ETH** zürich

ALMA MATER STUDIORUM





## fence.t Instruction



TCs

CVA6 fence.t CS Costs End





**ETH** zürich

## fence.t Implementation: Basic Flush

**ETH** zürich

ALMA MATER STUDIORUM



P d P

> TCs CVA6 fence.t CS Costs End

seL4 Summit 2022





## L1 Data Cache: Basic Flush



TCs CVA6

fence.t

CS

Costs

End

#### fence.t (flush targeted components on context switch)



 $N = 10^6$ , M = 7.7 mb,  $M_0 = 1.4$  mb



20



#### Unmitigated

seL4 Summit 2022

Probability

**ETH** zürich ALMA MATER STUDIORUM Università di Bologna

## L1 Data Cache: Basic Flush



TCs CVA6

CS

Costs

End

#### fence.t (flush targeted components on context switch)



Unmitigated



 $N = 10^6$ , M = 1667.3 mb,  $M_0 = 0.5$  mb

ALMA MATER STUDIORUM Università di Bologna

**ETH** zürich

seL4 Summit 2022

Probability



## 2<sup>nd</sup> Order Microarchitectural State

**ETH** zürich

ALMA MATER STUDIORUM



TCs CVA6 fence.t CS Costs End



## fence.t Implementation: Extensive Selective Flush





TCs CVA6 fence.t CS Costs End



**ETH** zürich



## fence.t Implementation: Microreset



TCs CVA6 fence.t CS Costs End



seL4 Summit 2022



## fence.t Implementation: Microreset

- Step 1: Save the program counter.
- Step 2: Save locally modified (dirty) architectural state. e.g. dirty cache lines in a write-back cache
- Step 3: Drain pending transactions.
  - e.g. memory transactions from previous write-back
- Step 4: Clear components that cannot be cleared in a single cycle. e.g. cache SRAMs
- Step 5: Assert Microreset.
- Step 6: Continue execution from saved program counter.



TCs CVA6 fence.t CS Costs End





## L1 Data Cache Channel: Microreset



ALMA MATER STUDIORUM Università di Bologna

**ETH** zürich

#### Unmitigated



 $N = 10^{6}$ , M = 21.7 mb,  $M_{0} = 27.8$  mb



26

seL4 Summit 2022

Probability

## fence.t (Microreset)



CVA6 fence.t

CS

Costs

End

**ETH** zürich

ALMA MATER STUDIORUM



TCs CVA6

fence.t

CS

Costs End



TCs CVA6 fence.t CS Costs End



 $M = 1297.9 \text{ mb}, M_0 = 0.5 \text{ mb}$ 









sel 4 Summit 2022

**ETH** zürich

ALMA MATER STUDIORUM Università di Bologna



P D P

> TCs CVA6 fence.t CS Costs End











ETHZÜRICH alma mater studiorum

seL4 Summit 2022

32



TCs

## Costs

- 2 threads: 1 benchmark + 1 idle
- 1GHz system clock
- 10ms timeslice
- Context switch every 10M cycles

• Synthesis in GF22FDX @1GHz



Splash-2 Benchmark Overhead (%)







## Conclusion

**ETH** zürich

- Existing ISA cannot prevent timing channels.
- fence.t instruction enables temporal partitioning of hardware.
- Microreset is a systematic and straight-forward implementation of fence.t.
- Negligible hardware costs, 0.7% average performance impact.
- Time protection is a system-wide challenge.
- Contributing to the RISC-V spec!

ALMA MATER STUDIOR







TCs CVA6 fence.t CS Costs End



seL4 Summit 2022