{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T04:17:43Z","timestamp":1750220263643,"version":"3.41.0"},"reference-count":29,"publisher":"Association for Computing Machinery (ACM)","issue":"12","license":[{"start":{"date-parts":[[2021,11,19]],"date-time":"2021-11-19T00:00:00Z","timestamp":1637280000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["1816226"],"award-info":[{"award-number":["1816226"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Commun. ACM"],"published-print":{"date-parts":[[2021,12]]},"abstract":"<jats:p>Speculative execution attacks present an enormous security threat, capable of reading arbitrary program data under malicious speculation, and later exfiltrating that data over microarchitectural covert channels. This paper proposes speculative taint tracking (STT), a high security and high performance hardware mechanism to block these attacks. The main idea is that it is safe to execute and selectively forward the results of speculative instructions that read secrets, as long as we can prove that the forwarded results do not reach potential covert channels. The technical core of the paper is a new abstraction to help identify all micro-architectural covert channels, and an architecture to quickly identify when a covert channel is no longer a threat. We further conduct a detailed formal analysis on the scheme in a companion document. When evaluated on SPEC06 workloads, STT incurs 8.5% or 14.5% performance overhead relative to an insecure machine.<\/jats:p>","DOI":"10.1145\/3491201","type":"journal-article","created":{"date-parts":[[2021,11,19]],"date-time":"2021-11-19T15:30:18Z","timestamp":1637335818000},"page":"105-112","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":2,"title":["Speculative taint tracking (STT)"],"prefix":"10.1145","volume":"64","author":[{"given":"Jiyong","family":"Yu","sequence":"first","affiliation":[{"name":"University of Illinois at Urbana-Champaign, IL"}]},{"given":"Mengjia","family":"Yan","sequence":"additional","affiliation":[{"name":"Massachusetts Institute of Technology, Cambridge, MA"}]},{"given":"Artem","family":"Khyzha","sequence":"additional","affiliation":[{"name":"Tel Aviv University, Israel"}]},{"given":"Adam","family":"Morrison","sequence":"additional","affiliation":[{"name":"Tel Aviv University, Israel"}]},{"given":"Josep","family":"Torrellas","sequence":"additional","affiliation":[{"name":"University of Illinois at Urbana-Champaign, IL"}]},{"given":"Christopher W.","family":"Fletcher","sequence":"additional","affiliation":[{"name":"University of Illinois at Urbana-Champaign, IL"}]}],"member":"320","published-online":{"date-parts":[[2021,11,19]]},"reference":[{"key":"e_1_2_1_1_1","volume-title":"IACR'06","author":"Aciicmez O.","year":"2006","unstructured":"Aciicmez, O., Seifert, J.-P., Koc, C.K. Predicting secret keys via branch prediction. In IACR'06 (2006)."},{"key":"e_1_2_1_2_1","volume-title":"IACR'18","author":"Aldaya A.C.","year":"2018","unstructured":"Aldaya, A.C., Brumley, B.B., ul Hassan, S., Garc\u00eda, C. P., Tuveri, N. Port contention for fun and profit. In IACR'18 (2018)."},{"key":"e_1_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.44"},{"key":"e_1_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363194"},{"key":"e_1_2_1_5_1","volume-title":"USENIX Security'19","author":"Canella C.","year":"2019","unstructured":"Canella, C., Bulck, J.V., Schwarz, M., Lipp, M., von Berg, B., Ortner, P., Piessens, F., Evtyushkin, D., Gruss, D. A systematic evaluation of transient execution attacks and defenses. In USENIX Security'19 (2019)."},{"key":"e_1_2_1_6_1","volume-title":"ISCA'98","author":"Chrysos G.Z.","year":"1998","unstructured":"Chrysos, G.Z., Emer, J.S. Memory dependence prediction using store sets. In ISCA'98 (1998)."},{"key":"e_1_2_1_7_1","volume-title":"ISCA'07","author":"Dalton M.","year":"2007","unstructured":"Dalton, M., Kannan, H., Kozyrakis, C. Raksha: A flexible information flow architecture for software security. In ISCA'07 (2007)."},{"key":"e_1_2_1_8_1","volume-title":"ICPP'91","author":"Gharachorloo K.","year":"1991","unstructured":"Gharachorloo, K., Gupta, A., Hennessy, J. Two techniques to enhance the performance of memory consistency models. In ICPP'91 (1991)."},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.1982.10014"},{"key":"e_1_2_1_10_1","volume-title":"Side-channel analysis of cryptographic software via early-terminating multiplications. In","author":"Gro\u00dfsch\u00e4dl J.","year":"2009","unstructured":"Gro\u00dfsch\u00e4dl, J., Oswald, E., Page, D., Tunstall, M. Side-channel analysis of cryptographic software via early-terminating multiplications. In (2009)."},{"key":"e_1_2_1_11_1","volume-title":"Computer Architecture: A Quantitative Approach","author":"Hennessy J.L.","year":"2017","unstructured":"Hennessy, J.L., Patterson, D.A. Computer Architecture: A Quantitative Approach, 6th edn. Morgan Kaufmann Publishers Inc., 2017.","edition":"6"},{"key":"e_1_2_1_12_1","volume-title":"Q2 2018 speculative execution side channel update","author":"Intel","year":"2018","unstructured":"Intel. Q2 2018 speculative execution side channel update, 2018. https:\/\/www.intel.com\/content\/www\/us\/en\/security-center\/advisory\/intel-sa-00115.html."},{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.5555\/102832"},{"key":"e_1_2_1_14_1","volume-title":"MICRO'18","author":"Kiriansky V.","year":"2018","unstructured":"Kiriansky, V., Lebedev, I.A., Amarasinghe, S.P., Devadas, S., Emer, J. DAWG: A defense against cache timing attacks in speculative execution processors. In MICRO'18 (2018)."},{"key":"e_1_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00002"},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/237090.237173"},{"key":"e_1_2_1_17_1","volume-title":"Proceedings of BSDCan 2005","author":"Percival C.","year":"2005","unstructured":"Percival, C. Cache missing for fun and profit. In Proceedings of BSDCan 2005 (2005)."},{"key":"e_1_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1109\/MICRO.1998.742775"},{"key":"e_1_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1109\/JSAC.2002.806121"},{"key":"e_1_2_1_20_1","volume-title":"ESORICS'19","author":"Schwarz M.","year":"2019","unstructured":"Schwarz, M., Schwarzl, M., Lipp, M., Gruss, D. Netspectre: Read arbitrary memory over network. In ESORICS'19 (2019)."},{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1145\/1024393.1024404"},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1145\/1508244.1508258"},{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1147\/rd.111.0025"},{"key":"e_1_2_1_24_1","volume-title":"USENIX Security'18","author":"Van Bulck J.","year":"2008","unstructured":"Van Bulck, J., Minkin, M., Weisse, O., Genkin, D., Kasikci, B., Piessens, F., Silberstein, M., Wenisch, T.F., Yarom, Y., Strackx, R. Foreshadow: Extracting the keys to the Intel SGX kingdom with transient out-of-order execution. In USENIX Security'18 (2008)."},{"key":"e_1_2_1_25_1","volume-title":"MICRO'18","author":"Yan M.","year":"2018","unstructured":"Yan, M., Choi, J., Skarlatos, D., Morrison, A., Fletcher, C.W., Torrellas, J. InvisiSpec: Making speculative execution invisible in the cache hierarchy. In MICRO'18 (2018)."},{"key":"e_1_2_1_26_1","volume-title":"L3 cache side-channel attack. In USENIX Security'14","author":"Yarom Y.","year":"2014","unstructured":"Yarom, Y., Falkner, K. Flush+Reload: A high resolution, low noise, L3 cache side-channel attack. In USENIX Security'14 (2014)."},{"key":"e_1_2_1_27_1","volume-title":"NDSS'19","author":"Yu J.","year":"2018","unstructured":"Yu, J., Hsiung, L., Hajj, M.E., Fletcher, C.W. Data oblivious ISA extensions for side channel-resistant and high performance computing. In NDSS'19. https:\/\/eprint.iacr.org\/2018\/808."},{"volume-title":"ISCA'20","author":"Yu J.","key":"e_1_2_1_28_1","unstructured":"Yu, J., Mantri, N., Torrellas, J., Morrison, A., Fletcher, C.W. Speculative data-oblivious execution: Mobilizing safe prediction for safe and efficient speculative execution. In ISCA'20."},{"key":"e_1_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/3352460.3358274"}],"container-title":["Communications of the ACM"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3491201","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3491201","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3491201","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T19:30:56Z","timestamp":1750188656000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3491201"}},"subtitle":["a comprehensive protection for speculatively accessed data"],"short-title":[],"issued":{"date-parts":[[2021,11,19]]},"references-count":29,"journal-issue":{"issue":"12","published-print":{"date-parts":[[2021,12]]}},"alternative-id":["10.1145\/3491201"],"URL":"https:\/\/doi.org\/10.1145\/3491201","relation":{},"ISSN":["0001-0782","1557-7317"],"issn-type":[{"type":"print","value":"0001-0782"},{"type":"electronic","value":"1557-7317"}],"subject":[],"published":{"date-parts":[[2021,11,19]]},"assertion":[{"value":"2021-11-19","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}