{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T04:09:57Z","timestamp":1750219797468,"version":"3.41.0"},"reference-count":62,"publisher":"Association for Computing Machinery (ACM)","issue":"1","license":[{"start":{"date-parts":[[2022,11,17]],"date-time":"2022-11-17T00:00:00Z","timestamp":1668643200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/501100004359","name":"Swedish Research Council","doi-asserted-by":"crossref","award":["2015-05159 and 2018-05254"],"award-info":[{"award-number":["2015-05159 and 2018-05254"]}],"id":[{"id":"10.13039\/501100004359","id-type":"DOI","asserted-by":"crossref"}]},{"name":"Microsoft Research through its EMEA Ph.D. Scholarship Programme","award":["2021-020"],"award-info":[{"award-number":["2021-020"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Archit. Code Optim."],"published-print":{"date-parts":[[2023,3,31]]},"abstract":"<jats:p>MicroScope and other similar microarchitectural replay attacks take advantage of the characteristics of speculative execution to trap the execution of the victim application in a loop, enabling the attacker to amplify a side-channel attack by executing it indefinitely. Due to the nature of the replay, it can be used to effectively attack software that are shielded against replay, even under conditions where a side-channel attack would not be possible (e.g., in secure enclaves). At the same time, unlike speculative side-channel attacks, microarchitectural replay attacks can be used to amplify the correct path of execution, rendering many existing speculative side-channel defenses ineffective.<\/jats:p>\n          <jats:p>In this work, we generalize microarchitectural replay attacks beyond MicroScope and present an efficient defense against them. We make the observation that such attacks rely on repeated squashes of so-called \u201creplay handles\u201d and that the instructions causing the side-channel must reside in the same reorder buffer window as the handles. We propose Delay-on-Squash, a hardware-only technique for tracking squashed instructions and preventing them from being replayed by speculative replay handles. Our evaluation shows that it is possible to achieve full security against microarchitectural replay attacks with very modest hardware requirements while still maintaining 97% of the insecure baseline performance.<\/jats:p>","DOI":"10.1145\/3563695","type":"journal-article","created":{"date-parts":[[2022,9,19]],"date-time":"2022-09-19T11:58:46Z","timestamp":1663588726000},"page":"1-24","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":1,"title":["Delay-on-Squash: Stopping Microarchitectural Replay Attacks in Their Tracks"],"prefix":"10.1145","volume":"20","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-4172-8607","authenticated-orcid":false,"given":"Christos","family":"Sakalis","sequence":"first","affiliation":[{"name":"Uppsala University, Uppsala, Sweden"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8267-0232","authenticated-orcid":false,"given":"Stefanos","family":"Kaxiras","sequence":"additional","affiliation":[{"name":"Uppsala University, Uppsala, Sweden"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4232-6976","authenticated-orcid":false,"given":"Magnus","family":"Sj\u00e4lander","sequence":"additional","affiliation":[{"name":"Norwegian University of Science and Technology, Trondheim, Norway"}]}],"member":"320","published-online":{"date-parts":[[2022,11,17]]},"reference":[{"key":"e_1_3_2_2_2","unstructured":"Tor Project. [n.d]. The Tor Project | Privacy & Freedom Online. Retrieved September 24 2022 from https:\/\/torproject.org"},{"key":"e_1_3_2_3_2","doi-asserted-by":"publisher","DOI":"10.1109\/ISCA45697.2020.00022"},{"key":"e_1_3_2_4_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00066"},{"key":"e_1_3_2_5_2","doi-asserted-by":"publisher","DOI":"10.1145\/3075564.3075581"},{"key":"e_1_3_2_6_2","doi-asserted-by":"publisher","DOI":"10.1109\/LCA.2019.2916328"},{"key":"e_1_3_2_7_2","doi-asserted-by":"publisher","DOI":"10.1109\/PACT.2019.00020"},{"key":"e_1_3_2_8_2","doi-asserted-by":"publisher","DOI":"10.1109\/ISPASS.2004.1291357"},{"key":"e_1_3_2_9_2","doi-asserted-by":"publisher","DOI":"10.1145\/2024716.2024718"},{"key":"e_1_3_2_10_2","doi-asserted-by":"publisher","DOI":"10.1145\/362686.362692"},{"key":"e_1_3_2_11_2","doi-asserted-by":"publisher","DOI":"10.1145\/872757.872787"},{"key":"e_1_3_2_12_2","unstructured":"Standard Performance Evaluation Corporation. 2006. SPEC CPU2006 Benchmark Suite. Retrieved September 24 2022 from http:\/\/www.specbench.org\/cpu2006\/."},{"key":"e_1_3_2_13_2","doi-asserted-by":"publisher","DOI":"10.1145\/2086696.2086714"},{"key":"e_1_3_2_14_2","doi-asserted-by":"publisher","DOI":"10.1109\/90.851975"},{"key":"e_1_3_2_15_2","doi-asserted-by":"publisher","DOI":"10.1145\/2757667.2757672"},{"key":"e_1_3_2_16_2","doi-asserted-by":"publisher","DOI":"10.1145\/3316781.3317914"},{"key":"e_1_3_2_17_2","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-44709-1_21"},{"key":"e_1_3_2_18_2","doi-asserted-by":"publisher","DOI":"10.1007\/s13389-016-0141-6"},{"key":"e_1_3_2_19_2","doi-asserted-by":"publisher","DOI":"10.1145\/1594233.1594276"},{"key":"e_1_3_2_20_2","unstructured":"Andrew F. Glew. 1998. MLP yes! ILP no. Retrieved September 24 2022 from https:\/\/www.semanticscholar.org\/paper\/MLP-yes!-ILP-no-Glew\/b9b1144799183affa96c5becfd5920c039fb337e."},{"key":"e_1_3_2_21_2","doi-asserted-by":"publisher","DOI":"10.2200\/S00309ED1V01Y201011CAC012"},{"key":"e_1_3_2_22_2","first-page":"955","volume-title":"Proceedings of the USENIX Security Symposium","author":"Gras Ben","year":"2018","unstructured":"Ben Gras, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida. 2018. Translation leak-aside buffer: Defeating cache side-channel protections with TLB attacks. In Proceedings of the USENIX Security Symposium. 955\u2013972. https:\/\/www.usenix.org\/conference\/usenixsecurity18\/presentation\/gras."},{"key":"e_1_3_2_23_2","doi-asserted-by":"publisher","DOI":"10.1145\/197320.197346"},{"key":"e_1_3_2_24_2","doi-asserted-by":"publisher","DOI":"10.1145\/3316781.3317903"},{"key":"e_1_3_2_25_2","doi-asserted-by":"publisher","DOI":"10.1109\/TNET.2018.2868054"},{"key":"e_1_3_2_26_2","doi-asserted-by":"publisher","DOI":"10.1109\/SecDev45635.2020.00029"},{"key":"e_1_3_2_27_2","doi-asserted-by":"publisher","DOI":"10.1109\/MICRO.2018.00083"},{"key":"e_1_3_2_28_2","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-48405-1_25"},{"key":"e_1_3_2_29_2","doi-asserted-by":"publisher","DOI":"10.1145\/1456508.1456514"},{"key":"e_1_3_2_30_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00033"},{"key":"e_1_3_2_31_2","doi-asserted-by":"publisher","DOI":"10.1109\/HPCA.2019.00043"},{"key":"e_1_3_2_32_2","doi-asserted-by":"publisher","DOI":"10.1145\/1669112.1669172"},{"key":"e_1_3_2_33_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICCAD.2011.6105405"},{"key":"e_1_3_2_34_2","doi-asserted-by":"publisher","DOI":"10.1007\/s41635-017-0025-y"},{"key":"e_1_3_2_35_2","first-page":"1289","volume-title":"Proceedings of the USENIX Security Symposium","author":"Matetic Sinisa","year":"2017","unstructured":"Sinisa Matetic, Mansoor Ahmed, Kari Kostiainen, Aritra Dhar, David Sommer, Arthur Gervais, Ari Juels, and Srdjan Capkun. 2017. ROTE: Rollback protection for trusted execution. In Proceedings of the USENIX Security Symposium. 1289\u20131306. https:\/\/www.usenix.org\/conference\/usenixsecurity17\/technical-sessions\/presentation\/matetic."},{"key":"e_1_3_2_36_2","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2017.23294"},{"key":"e_1_3_2_37_2","first-page":"1","article-title":"Spectre is here to stay: An analysis of side-channels and speculative execution","author":"Mcilroy Ross","year":"2019","unstructured":"Ross Mcilroy, Jaroslav Sevcik, Tobias Tebbi, Ben L. Titzer, and Toon Verwaest. 2019. Spectre is here to stay: An analysis of side-channels and speculative execution. arXiv:1902.05178 [cs] (Feb. 2019), 1\u201326. http:\/\/arxiv.org\/abs\/1902.05178","journal-title":"arXiv:1902.05178 [cs]"},{"key":"e_1_3_2_38_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-66787-4_4"},{"key":"e_1_3_2_39_2","doi-asserted-by":"publisher","DOI":"10.1109\/ISCA.2005.42"},{"key":"e_1_3_2_40_2","doi-asserted-by":"publisher","DOI":"10.1007\/11605805_1"},{"key":"e_1_3_2_41_2","first-page":"1","article-title":"Partitioned cache architecture as a side-channel defence mechanism","author":"Page Daniel","year":"2005","unstructured":"Daniel Page. 2005. Partitioned cache architecture as a side-channel defence mechanism. IACR Cryptology ePrint Archive (Aug. 2005), 1\u201314. https:\/\/eprint.iacr.org\/2005\/280","journal-title":"IACR Cryptology ePrint Archive"},{"key":"e_1_3_2_42_2","doi-asserted-by":"publisher","DOI":"10.1145\/3352460.3358314"},{"key":"e_1_3_2_43_2","doi-asserted-by":"publisher","DOI":"10.1145\/3310273.3321558"},{"key":"e_1_3_2_44_2","doi-asserted-by":"publisher","DOI":"10.1145\/3307650.3322216"},{"key":"e_1_3_2_45_2","doi-asserted-by":"publisher","DOI":"10.1109\/TC.2020.3014456"},{"key":"e_1_3_2_46_2","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354252"},{"key":"e_1_3_2_47_2","doi-asserted-by":"publisher","DOI":"10.1109\/IISWC.2011.6114207"},{"key":"e_1_3_2_48_2","doi-asserted-by":"publisher","DOI":"10.1145\/3307650.3322228"},{"key":"e_1_3_2_49_2","doi-asserted-by":"publisher","DOI":"10.1145\/3445814.3446716"},{"key":"e_1_3_2_50_2","doi-asserted-by":"publisher","DOI":"10.1145\/3297858.3304060"},{"key":"e_1_3_2_51_2","doi-asserted-by":"publisher","DOI":"10.1145\/3410463.3414640"},{"key":"e_1_3_2_52_2","doi-asserted-by":"publisher","DOI":"10.1109\/TC.2005.122"},{"key":"e_1_3_2_53_2","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134038"},{"key":"e_1_3_2_54_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACSAC.2006.20"},{"key":"e_1_3_2_55_2","doi-asserted-by":"publisher","DOI":"10.1145\/3352460.3358306"},{"key":"e_1_3_2_56_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.45"},{"key":"e_1_3_2_57_2","doi-asserted-by":"publisher","DOI":"10.1109\/MICRO.2018.00042"},{"key":"e_1_3_2_58_2","first-page":"719","volume-title":"Proceedings of the USENIX Security Symposium","author":"Yarom Yuval","year":"2014","unstructured":"Yuval Yarom and Katrina Falkner. 2014. FLUSH+RELOAD: A high resolution, low noise, L3 cache side-channel attack. In Proceedings of the USENIX Security Symposium. 719\u2013732."},{"key":"e_1_3_2_59_2","doi-asserted-by":"publisher","DOI":"10.1109\/ISCA45697.2020.00064"},{"key":"e_1_3_2_60_2","doi-asserted-by":"publisher","DOI":"10.1145\/3352460.3358274"},{"key":"e_1_3_2_61_2","doi-asserted-by":"publisher","DOI":"10.1145\/1669112.1669166"},{"key":"e_1_3_2_62_2","doi-asserted-by":"publisher","DOI":"10.1145\/3373376.3378487"},{"key":"e_1_3_2_63_2","doi-asserted-by":"publisher","DOI":"10.1109\/MICRO50266.2020.00094"}],"container-title":["ACM Transactions on Architecture and Code Optimization"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3563695","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3563695","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T16:38:09Z","timestamp":1750178289000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3563695"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,11,17]]},"references-count":62,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2023,3,31]]}},"alternative-id":["10.1145\/3563695"],"URL":"https:\/\/doi.org\/10.1145\/3563695","relation":{},"ISSN":["1544-3566","1544-3973"],"issn-type":[{"type":"print","value":"1544-3566"},{"type":"electronic","value":"1544-3973"}],"subject":[],"published":{"date-parts":[[2022,11,17]]},"assertion":[{"value":"2021-11-02","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2022-09-02","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2022-11-17","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}