Traditional side-channels take advantage of secrets being used as inputs to unsafe instructions, used for memory accesses, or used in control flow decisions. Constant-time programming, which restricts such code patterns, has been widely adopted as a defense against these vulnerabilities. However, new hardware optimizations in the form of Data Memory-dependent Prefetchers (DMP) present in Apple, Intel, and ARM CPUs have shown such defenses are not sufficient. These prefetchers, unlike classical prefetchers, use the content of memory as well as the trace of prior accesses to determine prefetch targets. An adversary abusing such a prefetcher has been shown to be able to mount attacks leaking data-at-rest; data that is never used by the program, even speculatively, in an unsafe manner. In response, this paper introduces SplittingSecrets, a compiler-based tool that can harden software libraries against side-channels arising from DMPs. SplittingSecrets's approach avoids reasoning about the complex internals of different DMPs and instead relies on one key aspect of all DMPs: activation requires data to resemble addresses. To prevent secret data from leaking, SplittingSecrets transforms memory operations to ensure that secrets are never stored in memory in a manner resembling an address, thereby avoiding DMP activation on those secrets. Rather than disable a DMP entirely, SplittingSecrets can provide targeted hardening for only specific secrets entirely in software. We have implemented SplittingSecrets using LLVM, supporting both source-level memory operations and those generated by the compiler backend for the AArch64 architecture, We have analyzed the performance overhead involved in safeguarding secrets from DMP-induced attacks using common primitives in libsodium, a popular cryptographic library when built for Apple M-series CPUs.

翻译：传统侧信道攻击利用秘密信息作为不安全指令的输入、用于内存访问或用于控制流决策。限制此类代码模式的恒定时间编程已被广泛采纳为针对这些漏洞的防御手段。然而，苹果、英特尔和ARM CPU中存在的数据内存依赖型预取器（DMP）形式的新型硬件优化表明，此类防御并不充分。与经典预取器不同，这些预取器利用内存内容以及先前访问的踪迹来确定预取目标。研究表明，滥用此类预取器的攻击者能够发起泄露静态数据的攻击；这些数据即使以推测方式也从未被程序以不安全的方式使用。为此，本文提出SplittingSecrets，一种基于编译器的工具，可强化软件库以抵御由DMP引发的侧信道攻击。SplittingSecrets的方法避免了对不同DMP复杂内部机制的推理，转而依赖于所有DMP的一个关键特性：激活要求数据必须类似于地址。为防止秘密数据泄露，SplittingSecrets通过转换内存操作来确保秘密信息永远不会以类似地址的形式存储在内存中，从而避免DMP基于这些秘密被激活。SplittingSecrets并非完全禁用DMP，而是能够完全在软件层面对特定秘密提供针对性强化。我们已使用LLVM实现了SplittingSecrets，同时支持源代码级内存操作和编译器后端为AArch64架构生成的操作。通过分析在苹果M系列CPU上构建的流行密码库libsodium中常用原语的保护效果，我们评估了防御DMP诱导攻击所涉及的性能开销。