New speculation-based attacks that affect large numbers of modern systems are disclosed regularly. Currently, CPU vendors regularly fall back to heavy-handed mitigations like using barriers or enforcing strict programming guidelines resulting in significant performance overhead. What is missing is a solution that allows for efficient mitigation and is flexible enough to address both current and future speculation vulnerabilities, without additional hardware changes. In this work, we present SpecControl, a novel hardware/software co-design, that enables new levels of security while reducing the performance overhead that has been demonstrated by state-of-the-art methodologies. SpecControl introduces a communication interface that allows compilers and application developers to inform the hardware about true branch dependencies, confidential control-flow instructions, and fine-grained instruction constraints in order to apply restrictions only when necessary. We evaluate SpecControl against known speculative execution attacks and in addition, present a new speculative fetch attack variant on the Pattern History Table (PHT) in branch predictors that shows how similar previously reported vulnerabilities are more dangerous by enabling unprivileged attacks, especially with the state-of-the-art branch predictors. SpecControl provides stronger security guarantees compared to the existing defenses while reducing the performance overhead of two state-of-the-art defenses from 51% and 43% to just 23%.

翻译：影响大量现代系统的新型基于推测的攻击正不断被披露。目前，CPU厂商通常采取如插入屏障或强制执行严格编程规范等粗暴的缓解措施，导致显著性能开销。当前亟需一种既能高效缓解攻击、又足够灵活以应对当前及未来推测漏洞，且无需额外硬件变更的解决方案。本研究提出SpecControl——一种新型硬件/软件协同设计方法，在实现更高安全等级的同时，将现有最先进方案造成的性能开销降至最低。SpecControl引入通信接口，使编译器与应用开发者能向硬件传递真实分支依赖关系、机密控制流指令及细粒度指令约束，从而仅在必要时施加限制。我们基于已知的推测执行攻击对SpecControl进行了评估，此外还提出一种针对分支预测器中模式历史表（PHT）的新型推测取指攻击变体，揭示了此前报道的类似漏洞如何因允许非特权攻击（尤其是在使用最先进分支预测器的情况下）而更具危险性。相较于现有防御机制，SpecControl提供了更强的安全保障，同时将两种最先进防御方案分别造成的51%和43%性能开销降低至仅23%。