Abstract
Since the Spectre and Meltdown disclosure in 2018, the list of new transient execution vulnerabilities that abuse the shared nature of microarchitectural resources on CPU cores has been growing rapidly. In response, vendors keep deploying “spot” (per-variant) mitigations, which have become increasingly costly when combined against all the attacks—especially on older-generation processors. Indeed, some are so expensive that system administrators may not deploy them at all. Worse still, spot mitigations can only address known (N-day) attacks as they do not tackle the underlying problem: different security domains that run simultaneously on the same physical CPU cores and share their microarchitectural resources.
In this paper, we propose Quarantine, a principled, software-only approach to mitigate transient execution attacks by eliminating sharing of microarchitectural resources. Quarantine decouples privileged and unprivileged execution and physically isolates different security domains on different CPU cores. We apply Quarantine to the Linux/KVM boundary and show it offers the system and its users blanket protection against malicous VMs and (unikernel) applications. Quarantine mitigates 24 out of the 27 known transient execution attacks on Intel CPUs and provides strong security guarantees against future attacks. On LMbench, Quarantine incurs a geomean overhead of 11.2%, much lower than the default configuration of spot mitigations on Linux distros such as Ubuntu (even though the spot mitigations offer only partial protection).
In this paper, we propose Quarantine, a principled, software-only approach to mitigate transient execution attacks by eliminating sharing of microarchitectural resources. Quarantine decouples privileged and unprivileged execution and physically isolates different security domains on different CPU cores. We apply Quarantine to the Linux/KVM boundary and show it offers the system and its users blanket protection against malicous VMs and (unikernel) applications. Quarantine mitigates 24 out of the 27 known transient execution attacks on Intel CPUs and provides strong security guarantees against future attacks. On LMbench, Quarantine incurs a geomean overhead of 11.2%, much lower than the default configuration of spot mitigations on Linux distros such as Ubuntu (even though the spot mitigations offer only partial protection).
| Original language | English |
|---|---|
| Title of host publication | RAID '23 |
| Subtitle of host publication | Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses |
| Publisher | Association for Computing Machinery (ACM) |
| Pages | 207–221 |
| Number of pages | 15 |
| ISBN (Electronic) | 9798400707650 |
| DOIs | |
| Publication status | Published - 16 Oct 2023 |
| Event | RAID 2023: 26th International Symposium on Research in Attacks, Intrusions and Defenses - Hong Kong Polytechnic University, Hong Kong, Hong Kong Duration: 16 Oct 2023 → 18 Oct 2023 |
Publication series
| Name | RAID: Research in Attacks, Intrusions and Defenses |
|---|
Conference
| Conference | RAID 2023 |
|---|---|
| Abbreviated title | RAID 2023 |
| Country/Territory | Hong Kong |
| City | Hong Kong |
| Period | 16/10/23 → 18/10/23 |
Bibliographical note
Acknowledgements:We thank the anonymous reviewers for their feedback. This work was supported by Intel Corporation through the “Allocamelus” project, the Dutch Science Organization (NWO) through project “Intersect”, and VMWare through an “Early Career Faculty” award. SBA Research (SBA-K1) funded this work within the framework of COMET–Competence Centers for Excellent Technologies by the Austrian Federal Ministry for Climate Action, Environment, Energy, Mobility, Innovation and Technology (BMK), the Austrian Federal Ministry of Labour and Economy (BMDW), and the federal state of Vienna, managed by the The Austrian Research Promotion Agency (FFG).
Keywords
- Operating systems
- Transient execution attacks