Hardware isolation primitives such as secure enclaves aim to protect sensitive programs, but remain vulnerable to transient execution attacks. Complete microarchitectural isolation is not a satisfactory defense mechanism as it leaves out public shared memory, critical for usability and application performance. Conversely, hardware-software co-designs for secure speculation can counter these attacks but are not yet practical, since they make assumptions on the speculation modes, the exposed microarchitectural state, and the software, which are all hard to support for the entire software stack. This paper advocates for processors to incorporate microarchitectural isolation primitives and mechanisms for controlled speculation, enabling different execution modes. These modes can restrict what is exposed to an attacker, effectively balancing performance and program-analysis complexity. We introduce two mechanisms to securely share memory between an enclave and an untrusted OS in an out-of-order processor. We show that our two modes are complementary, achieving speculative non-interference with a reasonable performance impact, while requiring minimal code annotation and simple program analysis doable by hand. Our prototype, Citadel, is a multicore processor running on an FPGA, booting untrusted Linux, and supporting comprehensive enclave capabilities, such as shared memory and remote attestation. To our knowledge, Citadel is the first end-to-end enclave platform to run secure applications, such as cryptographic libraries or small private inference workloads, on a speculative out-of-order multicore processor while protecting against a significant class of side-channel attacks.