Efficiently Mitigating Transient Execution Attacks Using the Unmapped Speculation Contract

Explore a 20-minute conference talk from OSDI '20 that presents Ward, a novel kernel design addressing the performance penalties associated with mitigating transient execution side-channel attacks like Meltdown and Spectre. Learn about the unmapped speculation contract and how it enables many system calls to execute without mitigation overhead. Discover how Ward's separate kernel page table for each process improves performance compared to standard designs with mitigations, ranging from a few percent to several factors depending on the hardware generation and system call. Gain insights into the implementation in the sv6 research kernel, related defense strategies, and open questions in the field of transient execution attack mitigation.

Syllabus

Intro
Transient execution attacks risk leaking information Linux maintains security using software mitigations
Software mitigations are expensive
Goal: faster mitigations
Transient execution attack example
Typical mitigation approach
Ward has a different approach
Our observation: Unmapped Speculation Contract (USC)
USC is a good hardware-software contract
Split kernel to leverage USC
Syscalls start executing in the Q-domain
World switches use two stacks
Redesigning the kernel to avoid switches
Allocating memory without world switches
Implementation
Ward does better on LEBench
Related Work: Spectrum of defenses
Open question: what is the best way to mitigate attacks?
Conclusion