Future-proofing Trusted Execution Environments Against the Emerging Threats of Speculative Execution

dc.contributor.author: van Schaik, Stephan
dc.date.accessioned: 2025-05-12T17:38:45Z
dc.date.available: 2025-05-12T17:38:45Z
dc.date.issued: 2025
dc.date.submitted: 2025
dc.identifier.uri: https://hdl.handle.net/2027.42/197224
dc.description.abstract: In pursuit of better performance, contemporary processor implementations have incorporated a number of optimization techniques, including both speculative and out-of-order execution. Unfortunately, it turns out that these implementations are riddled with micro-architectural flaws that are detrimental to the security boundaries imposed by the processor to isolate different execution environments from one another. In this dissertation we not only explore the micro-architectural attacks that are consequently possible on these processors, but we also present various techniques that allow attackers to siphon out potentially sensitive information from numerous micro-architectural buffers. We call this class of attacks Micro-architectural Data Sampling (MDS) attacks. In response, vendors have attempted to mitigate them in a whack-a-mole fashion, addressing them one by one as they are reported, rather than mitigating them using a more fundamental and systematic approach to address them all at once. The thesis of this dissertation argues that, in a world where such attacks are becoming more and more pervasive, the incremental approach of "spot" mitigations, currently practiced by both operating system vendors and CPU designers alike, is ineffective at adequately mitigating both current and future speculative- and transient-execution vulnerabilities, and that consequently these vulnerabilities jeopardize security-critical environments, such as TEEs and confidential cloud computing platforms. In order to address the limitations of this approach, this dissertation argues that such security-critical environments should employ remote attestation to guarantee a trusted status, as well as a seamless TCB recovery mechanism, without expecting any involvement from end users of such environments, to maintain that trusted status.
Furthermore, users of these environments should expect future discoveries and disclosures of speculative- and transient-execution vulnerabilities. As such, they not only require a thorough understanding of what information can potentially be compromised, but they should also prepare a TCB recovery plan as well as push vendors to release mitigations in a timely manner to limit the impact of such vulnerabilities.
dc.language.iso: en_US
dc.subject: trusted execution environment
dc.subject: side channel attack
dc.subject: micro-architectural data sampling
dc.subject: speculative execution
dc.subject: transient execution
dc.subject: Intel SGX
dc.title: Future-proofing Trusted Execution Environments Against the Emerging Threats of Speculative Execution
dc.type: Thesis
dc.description.thesisdegreename: PhD
dc.description.thesisdegreediscipline: Computer Science & Engineering
dc.description.thesisdegreegrantor: University of Michigan, Horace H. Rackham School of Graduate Studies
dc.contributor.committeemember: Genkin, Daniel
dc.contributor.committeemember: Halderman, J Alex
dc.contributor.committeemember: Jeannin, Jean-Baptiste
dc.contributor.committeemember: Grubbs, Paul
dc.contributor.committeemember: Shacham, Hovav
dc.subject.hlbsecondlevel: Computer Science
dc.subject.hlbtoplevel: Engineering
dc.contributor.affiliationumcampus: Ann Arbor
dc.description.bitstreamurl: http://deepblue.lib.umich.edu/bitstream/2027.42/197224/1/stephvs_1.pdf
dc.identifier.doi: https://dx.doi.org/10.7302/25650
dc.identifier.orcid: 0000-0003-4609-7103
dc.identifier.name-orcid: van Schaik, Stephan; 0000-0003-4609-7103
dc.working.doi: 10.7302/25650
dc.owningcollname: Dissertations and Theses (Ph.D. and Master's)