Modern computer processors use microarchitectural optimization mechanisms to improve performance. As a downside, such optimizations are prone to introducing side-channel vulnerabilities. Speculative loading of memory, called prefetching, is common in real-world CPUs and may cause such side-channel vulnerabilities: Prior work has shown that it can be exploited to bypass process isolation and leak secrets, such as keys used in RSA, AES, and ECDH implementations. However, to date, no effective and efficient countermeasure has been presented that secures software on systems with affected prefetchers. In this work, we answer the question: How can a process defend against prefetch-based side channels? We first systematize prefetching-based side-channel vulnerabilities presented in academic literature so far. Next, we design and implement PreFence, a scheduling-aware defense against these side channels that allows processes to disable the prefetcher temporarily during security-critical operations. We implement our countermeasure for an x86_64 and an ARM processor; it can be adapted to any platform that allows the prefetcher to be disabled. We evaluate our defense and find that our solution reliably stops prefetch leakage. Our countermeasure causes negligible performance impact while no security-relevant code is executed, and its worst-case performance is comparable to completely turning off the prefetcher. The expected average performance impact depends on the security-relevant code in the application and can be negligible, as we demonstrate with a simple web server application. We expect our countermeasure could be widely integrated into commodity operating systems, and even be extended to signal security-relevant code in general to the kernel to allow coordinated application of countermeasures.