Exorcist: Enabling Atomic-Level Runtime Detection of Spectre Attacks using Precise Event Based Sampling
Hao Jia, Haoyu Ma, Changfeng Ding, Jinku Li

While speculative execution mechanisms are key hardware techniques for improving the performance of modern processors, they also give rise to side-channel attacks that pose significant threats to the security of computer systems. Researchers have proposed various solutions to mitigate the threat of speculative attacks, but most existing approaches focus on offline static vulnerability analysis, which suffers from significant limitations in completeness and scalability.
Based on Intel's Precise Event Based Sampling (PEBS) technique, this paper proposes Exorcist, a novel runtime framework for detecting Spectre-PHT attacks at the atomic level. Leveraging the key observation that the atomic execution of a Spectre-PHT gadget triggers both a cache miss and a branch misprediction in a fixed sequence, Exorcist uses carefully configured PEBS monitoring to efficiently capture all related fine-grained hardware performance events, then launches a collaborative kernel- and user-level taint analysis to pinpoint Spectre-PHT gadgets that have actually exploited vulnerable speculative executions. Our approach significantly reduces the number of native instructions that must be processed to confirm actual Spectre exploitation, allowing it to achieve high accuracy and a negligible false-positive rate with second-level response time. We have implemented a prototype of Exorcist and evaluated it comprehensively. Experimental results indicate that Exorcist can efficiently detect Spectre-PHT attacks at runtime with acceptable performance overhead, including JIT-compiled Spectre-PHT payloads written in JavaScript that are beyond the reach of existing offline analysis-based approaches.
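To make the sequence rule concrete, the following is an added example (not the paper's code) that applies a miss-then-misprediction matcher to constructed PEBS-style samples and keeps only processes whose candidate gadget repeats; the two PEBS event names, the event order, the time and address thresholds, and the repeat count are all assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Intel PEBS event names; using this pair as the miss/misprediction signal is an assumption.
CACHE_MISS = "MEM_LOAD_RETIRED.L3_MISS"
BR_MISP = "BR_MISP_RETIRED.ALL_BRANCHES"


@dataclass(frozen=True)
class Sample:
    tsc: int     # timestamp counter when the sample was taken
    pid: int
    tid: int
    event: str   # PEBS event that fired
    ip: int      # address of the retired instruction that caused it


def match_sequences(samples, max_tsc_gap=2000, max_ip_span=64):
    """Per thread, pair each cache-miss sample with the next branch-misprediction
    sample if it is close in time and in code; returns (pid, miss_ip, misp_ip).
    Only the miss-then-misprediction order counts; thresholds are assumed values."""
    by_thread = defaultdict(list)
    for s in sorted(samples, key=lambda s: s.tsc):
        by_thread[(s.pid, s.tid)].append(s)
    hits = []
    for (pid, _tid), seq in by_thread.items():
        pending = None  # most recent unmatched cache miss on this thread
        for s in seq:
            if s.event == CACHE_MISS:
                pending = s
            elif s.event == BR_MISP and pending is not None:
                if s.tsc - pending.tsc <= max_tsc_gap and abs(s.ip - pending.ip) <= max_ip_span:
                    hits.append((pid, pending.ip, s.ip))
                pending = None  # the sequence is consumed whether or not it matched
    return hits


def suspicious_pids(samples, min_repeats=3):
    """A Spectre-PHT attack re-executes its gadget many times, so only a
    (pid, miss_ip, misp_ip) triple seen at least min_repeats times is reported;
    these are the candidates a taint analysis would then confirm or reject."""
    counts = Counter(match_sequences(samples))
    return {pid for (pid, _m, _b), n in counts.items() if n >= min_repeats}


# Constructed samples: pid 100 loops over a gadget, pid 200 is benign, pid 300 has the reversed order.
SAMPLES = []
for i in range(4):  # attacker: cache miss then nearby misprediction, repeated
    SAMPLES.append(Sample(10_000 + i * 5_000, 100, 1, CACHE_MISS, 0x401000))
    SAMPLES.append(Sample(10_300 + i * 5_000, 100, 1, BR_MISP, 0x401010))
SAMPLES += [Sample(50_000, 200, 1, CACHE_MISS, 0x500000),   # benign: isolated miss...
            Sample(90_000, 200, 1, BR_MISP, 0x7FF000)]      # ...and a distant, late mispredict
SAMPLES += [Sample(60_000, 300, 1, BR_MISP, 0x600010),      # wrong order: not the gadget pattern
            Sample(60_100, 300, 1, CACHE_MISS, 0x600000)]
```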