This paper introduces Okapi, an innovative hardware/software cross-layer architecture designed to mitigate Transient Execution Side Channel (TES) attacks, including Spectre variants, in modern computing systems. A key contribution of Okapi is a set of security features building upon each other to offer various trade-offs between performance and security. At its core, Okapi allows for speculative data accesses if the targeted memory region has already been accessed non-speculatively before in the same trust domain. It delays first-time accesses until the speculation is resolved. Okapi stands out for its flexibility in security implementation. For environments with less stringent security needs, Okapi's features can be deactivated to eliminate performance overhead. When activated, the hardware modifications alone provide robust protection against transient execution attacks at a thread-level granularity, including all universal read gadgets like Spectre-PHT and Spectre-BTB. This incurs an average performance overhead of only 3.6 % for the SPEC CPU2017 benchmark suite. On top, Okapi introduces the OkapiReset instruction for additional software-level security support. This instruction, which can be manually inserted by developers or automatically via a compiler extension, allows for fully secure speculation and for trust domain sizes smaller than a thread. While the manual insertion of OkapiReset incurs an additional 0.6 % performance overhead, the automated compiler extension approach results in a 23.1 % overhead for making a cryptographic library fully secure. With an approximate 0.4 % hardware overhead, Okapi provides a highly scalable and adaptable solution for secure speculation in state-of-the-art processor design.

翻译：本文提出Okapi——一种创新的硬件/软件跨层架构，旨在缓解现代计算系统中的瞬态执行侧信道攻击（包括Spectre变种）。Okapi的核心贡献在于构建了一组相互增强的安全特性，可在性能与安全性之间提供多种权衡方案。其基础机制允许对同一信任域内先前已通过非推测方式访问过的内存区域进行推测性数据访问，同时将首次访问延迟至推测解析完成。Okapi在安全实现方面展现出卓越灵活性：对安全性需求较低的场景可关闭其特性以消除性能开销；启用时，仅通过硬件修改即可在线程粒度上提供针对瞬态执行攻击（包括Spectre-PHT和Spectre-BTB等所有通用读取工具）的强效保护，SPEC CPU2017基准测试套件的平均性能开销仅为3.6%。在此基础上，Okapi引入OkapiReset指令提供额外软件级安全支持。该指令可通过开发者手动插入或编译器扩展自动生成，实现完全安全推测并支持小于线程粒度的信任域。手动插入OkapiReset仅增加0.6%性能开销，而自动编译器扩展方法为加密库实现完全安全时带来23.1%开销。以约0.4%的硬件开销为代价，Okapi为先进处理器设计中的安全推测提供了高度可扩展且自适应的解决方案。