#### **DESIGN, AUTOMATION & TEST IN EUROPE**

01 - 05 February 2021 · virtual conference

The European Event for Electronic System Design & Test

### **Microarchitectural Timing Channels and their** Prevention on an Open-Source 64-bit RISC-V Core

ETH Zurich

Nils Wistoff **Moritz Schneider** Frank K. Gürkaynak ETH Zurich Luca Benini **Gernot Heiser** 

**ETH** Zurich ETH Zurich and University of Bologna UNSW Sydney and Data61 CSIRO











## **Security Model**



















Hardware platform

CVA6 RV64GC core [2] on FPGA





 $N = 10^{6}$ 



 $N = 10^{6}$ 





*M* = 1667.3 mb





03 February 2021

## Software Mitigation: L1 D\$ Channel

Unmitigated

#### - 10-2 · 10<sup>-2</sup> Reduced Range Time (cycles) 87000 -85000 -Time (cycles) 92700 8000 Probability Probability l 10−3 - 10-3 Secret Secret $N = 10^{6}$ , M = 1667.3 mb, $M_{0} = 0.5$ mb $N = 10^{6}$ , M = 515.7 mb, $M_{0} = 1.1$ mb

### **Double L1 D\$ prime on context switch**

03 February 2021

## Software Mitigation: L1 D\$ Channel

#### Double L1 D\$ prime on context switch Unmitigated Still a channel! · 10<sup>-2</sup> Time (cycles) 87000 -85000 -(cycles) (cycles) 0556 Probability Probability L 10-3 We need hardware support! Secret Secret $N = 10^{6}$ , M = 1667.3 mb, $M_{0} = 0.5$ mb $N = 10^6$ , M = 515.7 mb, $M_0 = 1.1$ mb

03 February 2021

# Temporal Fence Instruction (fence.t)



### Unmitigated 88000 ↓ 10<sup>-2</sup> 86000 Time (cycles) 8500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 Probability - 10<sup>-3</sup> 80000 78000 0 32 128 160 192 224 256 64 96 Secret $N = 10^{6}$ , M = 1667.3 mb, $M_{0} = 0.5$ mb

### Flush targeted components on context switch



#### 03 February 2021

### 88000 ↓ 10<sup>-2</sup> 86000 Time (cycles) 8500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 500 - 10<sup>-3</sup> 80000 78000 0 32 128 160 192 224 256 64 96 Secret $N = 10^{6}$ , M = 1667.3 mb, $M_{0} = 0.5$ mb

### Unmitigated

Probability

### **Flush targeted components** on context switch



### Vulnerable 2<sup>nd</sup> Order State-Holding Components



### Vulnerable 2<sup>nd</sup> Order State-Holding Components



### All Channels are Closed!





### **Context Switch Latency**

| Unmitigated   |                 | D\$ Softw       | нพ               |                 |  |
|---------------|-----------------|-----------------|------------------|-----------------|--|
| Hot           | Cold            | Single Double   |                  | Flush           |  |
| 430<br>(±7.0) | 1,180<br>(±1.0) | 12,099<br>(±52) | 51,876<br>(±256) | 1,502<br>(±0.9) |  |
|               |                 |                 |                  | Ĵ               |  |
|               | 320 cvcles      | s overhea       | nd per cor       | ntext swit      |  |

Clk @1GHz, CS @1KHz: **+ 0.032%** 



### **Context Switch Latency**

| Unmitigated                                                                    |                 | D\$ Softw       | нw               |                 |  |  |  |  |
|--------------------------------------------------------------------------------|-----------------|-----------------|------------------|-----------------|--|--|--|--|
| Hot                                                                            | Cold            | Single          | Double           | Flush           |  |  |  |  |
| 430<br>(±7.0)                                                                  | 1,180<br>(±1.0) | 12,099<br>(±52) | 51,876<br>(±256) | 1,502<br>(±0.9) |  |  |  |  |
|                                                                                |                 |                 |                  |                 |  |  |  |  |
| 320 cycles overhead per context switch<br>Clk @1GHz, CS @1KHz: <b>+ 0.032%</b> |                 |                 |                  |                 |  |  |  |  |

### **Hardware Costs**



# Conclusion

- We measure timing channels on an in-order RISC-V core (CVA6)
- We show that SW alone cannot solve the problem!
- Solution: Enable OS to flush microarchitectural state
  - We propose a temporal fence (fence.t) instruction
  - Closes all evaluated channels at negligible costs
- Need to flush *all* µArch state with possible timing impact!
- Future work
  - Evaluate performance with *write-back* L1 D\$
  - Develop systematic approach to identify vulnerable  $\mu\text{Arch}$  state

### Sources

- [1] Qian Ge, Yuval Yarom, Tom Chothia, and Gernot Heiser: "Time Protection: The Missing OS Abstraction", EuroSys, 2019
- [2] Florian Zaruba and Luca Benini: "The Cost of Application-Class Processing: Energy and Performance Analysis of a Linux-Ready 1.7-GHz 64-Bit RISC-V Core in 22-nm FDSOI Technology", IEEE Trans. on VLSI Systems 27, 2019
- [3] Gerwin Klein, June Andronick, Kevin Elphistone, Toby Murray, Thomas Sewell, Rafal Kolanski, and Gernot Heiser: "Comprehensive Formal Verification of an OS Microkernel", ACM Trans. Comp. Syst. 32, 2014

#### **DESIGN, AUTOMATION & TEST IN EUROPE**

01 - 05 February 2021 · virtual conference

The European Event for Electronic System Design & Test

### **Microarchitectural Timing Channels and their** Prevention on an Open-Source 64-bit RISC-V Core

ETH Zurich

Nils Wistoff **Moritz Schneider** Frank K. Gürkaynak ETH Zurich Luca Benini **Gernot Heiser** 

**ETH** Zurich ETH Zurich and University of Bologna UNSW Sydney and Data61 CSIRO











# Temporal Fence Instruction (fence.t)

| 31           |  | 12    | 11 | 7       | 6 | 0 |
|--------------|--|-------|----|---------|---|---|
| select[19:0] |  | 00000 |    | 0001011 |   |   |
| 20           |  |       | 5  |         | 7 | 7 |

# Temporal Fence Instruction (fence.t)



### **Covert Channel**



