CSE539 SpeCHERI Presentation

Published on Apr 27, 2024

Step-by-Step Tutorial: Investigating the Effectiveness of CHERI in Mitigating Speculative Attacks

Background Information on Speculative Attacks:

  1. Understanding Speculative Attacks:
    • Speculative attacks are possible because of speculative execution, which optimizes performance by predicting and executing instructions before they are needed.
    • These optimizations can have unintended side effects, such as leaving traces in caches or other microarchitectural structures, which attackers can use to gain unauthorized access to sensitive data.
    • Examples of speculative attacks include Spectre and Meltdown.

Investigating CHERI's Effectiveness:

  1. Introduction to CHERI:

    • CHERI stands for Capability Hardware Enhanced RISC Instructions. It extends the CPU with capabilities: pointers that carry additional information such as bounds.
    • The hardware checks these bounds automatically on each access, preventing out-of-bounds and therefore unauthorized access.
  2. Hypothesis:

    • The hypothesis is that CHERI can prevent out-of-bounds reads and mitigate speculative attacks effectively.
    • CHERI can automatically perform access checks to stop out-of-bounds access during speculative execution.
  3. Conceptual Workflow:

    • The security is loaded and built by the attacker during the access phase.
    • If CHERI detects a security breach, it should trigger actions like program termination to prevent unauthorized access.

Running Example of CHERI in Action:

  1. Testing CHERI with a Running Example:

    • A demonstration is shown where CHERI prevents speculative attacks by limiting access to a buffer within specified bounds.
    • CHERI capabilities are used to prevent out-of-bounds reads during speculative execution.
  2. CHERI's Role in Mitigating Attacks:

    • CHERI's capabilities are tested to see whether they can effectively prevent speculative attacks by limiting unauthorized memory access during speculative execution.
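
An added example, not code from the presentation: a software model in C of the bounds check that a capability applies to a buffer, as described above. The names `cap_t`, `cap_set_bounds` and `cap_load_u8` and the memory layout are assumptions made for illustration and are not the CHERI API. The model covers only the architectural (committed) check; whether the check also holds on speculative paths is what the testing procedure below investigates.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Software model of a capability: an address range plus a validity tag. */
typedef struct {
    const uint8_t *base;   /* lowest address the capability may touch */
    size_t length;         /* number of bytes reachable from base */
    int tag;               /* 1 = valid capability, 0 = invalid */
} cap_t;

/* Constructed layout: a 16-byte public buffer followed by secret bytes. */
static const uint8_t memory[32] = "public-buffer-0!" "TOP-SECRET-KEY";

/* Derive a narrower capability. Bounds may only shrink (monotonicity);
 * a request that exceeds the parent yields an untagged capability. */
cap_t cap_set_bounds(cap_t parent, size_t offset, size_t length)
{
    cap_t c = { NULL, 0, 0 };
    if (!parent.tag || offset > parent.length || length > parent.length - offset)
        return c;
    c.base = parent.base + offset;
    c.length = length;
    c.tag = 1;
    return c;
}

/* Checked load: returns the byte, or -1 where hardware would raise a
 * capability fault (invalid tag or index outside the bounds). */
int cap_load_u8(cap_t c, size_t index)
{
    if (!c.tag || index >= c.length)
        return -1;
    return c.base[index];
}

/* Root capability over all of memory, and one narrowed to the buffer. */
cap_t root_cap(void) { cap_t r = { memory, sizeof memory, 1 }; return r; }
cap_t buffer_cap(void) { return cap_set_bounds(root_cap(), 0, 16); }

int main(void)
{
    cap_t buf = buffer_cap();
    printf("in bounds  buf[3]  -> %d\n", cap_load_u8(buf, 3));
    printf("past end   buf[16] -> %d\n", cap_load_u8(buf, 16));
    printf("widen attempt tag  -> %d\n", cap_set_bounds(buf, 0, 32).tag);
    return 0;
}
```

The same index that reaches the secret through the root capability faults through the narrowed one, even with no software bounds check in the caller.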

Detailed Testing Procedure:

  1. Testing Procedure:

    • Use a CHERI demonstrator on the M1 CPU to test CHERI's effectiveness in preventing speculative attacks.
    • Design a step-by-step plan to test CHERI's capabilities in mitigating speculative attacks.
  2. Step One: Finding a Working Attack on ARM:

    • Look for speculative attacks that work on the ARM architecture, focusing on Spectre V1 and Spectre V4.
    • Compile a working proof of concept with CHERI enabled to test its effectiveness.
  3. Step Two: Compiling with Capability Support:

    • Enable capability support when compiling so that the test executables use capabilities.
    • Run the compiled executables to observe whether capabilities prevent speculative attacks effectively.
  4. Step Three: Observing and Analyzing Results:

    • Check whether the capabilities successfully prevent speculative attacks during the test phase.
    • Analyze the results to understand the effectiveness of CHERI in mitigating speculative attacks.
  5. Future Steps and Investigations:

    • Explore the hybrid capability mode, which allows capabilities and pointers to coexist.
    • Rewrite the proofs of concept to test whether CHERI can prevent speculative attacks effectively in hybrid mode.
    • Conduct further experiments to understand CHERI's capabilities in preventing speculative attacks.

By following these steps, you can understand and test the effectiveness of CHERI in mitigating speculative attacks on the ARM architecture.