Protean: A Programmable Spectre Defense

We present the Protean Spectre defense—the first to be altogether comprehensive, covering all side channels and speculation; programmer-transparent, requiring no source modifications; and programmable, tailoring its hardware protections to software’s security needs. Several Spectre defenses offer the first two features, but protect a hardware-defined subset of architectural state from transiently leaking. Meanwhile, many Spectre-vulnerable programs process secrets in many ways such that rigid protections cannot both performantly and fully secure. Protean overcomes this limitation through: (1) ProtISA, an ISA extension that allows software to tell which architectural registers and memory bytes require protection from transiently leaking at each program point; (2) ProtCC, a compiler that automatically infers and programs ProtISA protections for vulnerable code with minimal user input; and (3) ProtDelay and ProtTrack, two alternative hardware mechanisms that performantly enforce software-defined ProtISA protections. By flexibly tailoring a hardware Spectre defense to a program’s data protection needs, Protean significantly reduces the overhead of fully securing vulnerable programs. With ProtDelay/ProtTrack, it averages 0.27x/0.18x and 0.42x/0.34x of the runtime overhead of the best secure baseline for programs with and without mixed security needs, respectively, at lower/comparable hardware complexity.

pdf