Dijkstra's Pipe: Timing-Secure Processors by Design
Lead Research Organisation:
University of Edinburgh
Department Name: Sch of Informatics
Abstract
Society relies on microprocessors, from mobile phones to datacentres. The microprocessor industry, however, is facing a security crisis. The recently discovered speculation-based timing-channel vulnerabilities, such as Spectre, allows for a malicious actor running code on a system -- e.g., JavaScript adverts within a browser -- to potentially steal secrets and break down barriers.
The culprit in this case is sophisticated hardware speculation techniques, which allow for instructions (such as those conditionally dependent on branches) to be tentatively executed even before it is known whether they can execute. Such techniques have been the bread-and-butter of high-performance processors, and it is unlikely that companies can afford to do away with them.
How does one design a microprocessor that provably guarantees security against such timing-channel vulnerabilities without compromising performance?
In this project, we propose a new way of designing processors that are guaranteed to be timing-secure by design. Our approach is based on a new foundational specification, called a timing influence model that specifies how speculative instructions are allowed to impact other instructions. We will build on this foundation by investigating a methodology and a tool flow wherein the designer expresses their microarchitectural design while our tool automatically verifies the said design against the timing influence model, and estimates its performance via cycle-accurate simulation.
If successful, our secure-by-construction methodology will not only help address the security crisis faced by today's processors, it also has the potential to reduce costs by reforming processor design entirely.
The culprit in this case is sophisticated hardware speculation techniques, which allow for instructions (such as those conditionally dependent on branches) to be tentatively executed even before it is known whether they can execute. Such techniques have been the bread-and-butter of high-performance processors, and it is unlikely that companies can afford to do away with them.
How does one design a microprocessor that provably guarantees security against such timing-channel vulnerabilities without compromising performance?
In this project, we propose a new way of designing processors that are guaranteed to be timing-secure by design. Our approach is based on a new foundational specification, called a timing influence model that specifies how speculative instructions are allowed to impact other instructions. We will build on this foundation by investigating a methodology and a tool flow wherein the designer expresses their microarchitectural design while our tool automatically verifies the said design against the timing influence model, and estimates its performance via cycle-accurate simulation.
If successful, our secure-by-construction methodology will not only help address the security crisis faced by today's processors, it also has the potential to reduce costs by reforming processor design entirely.
Publications
Ainsworth S
(2021)
GhostMinion: A Strictness-Ordered Cache System for Spectre Mitigation
Ainsworth S
(2021)
GhostMinion: A Strictness-Ordered Cache System for Spectre Mitigation
Goens A
(2023)
Compound Memory Models
in Proceedings of the ACM on Programming Languages
KÅ“hler T
(2024)
Guided Equality Saturation
in Proceedings of the ACM on Programming Languages
Oswald N
(2023)
HeteroGen: Automatic Synthesis of Heterogeneous Cache Coherence Protocols
in IEEE Micro
| Description | This research improves microprocessor design, security, and efficiency in several ways: 1. Multicore Pipeline Design Automation -- The PipeGen contribution automates the creation of processor pipelines that correctly enforce memory rules, reducing manual effort and design errors. 2. Optimizing Program Rewriting -- We developed a new guided rewriting method that improves automated program transformation by incorporating human input at key points, making complex optimisations faster and more scalable. 3. Enhancing Security Against Speculative Execution Attacks -- Through Strictness Ordering and GhostMinion, we provide a new way to block security vulnerabilities like Spectre while maintaining high performance. 4. Memory Management in Heterogeneous Systems -- We put forward a formal compound memory model that ensures different processor types (CPUs, GPUs, etc.) work together smoothly without breaking existing software expectations. 5. Cache Coherence for Diverse Processors -- Our HeteroGen tool automates the creation of memory-sharing protocols across different processor architectures, ensuring correctness while maintaining performance. These contributions automate complex tasks, improve security, and ensure efficient, reliable computing in increasingly diverse and powerful processor architectures. |
| Exploitation Route | There are a number of possible research avenues that are worth exploring starting from the work conducted in this project. For instance, - The automation techniques for processor design and memory management could be integrated into commercial chip design software, helping hardware companies streamline development and ensure correctness. - The security solutions developed here may inform future processor architectures, guiding manufacturers toward safer speculative execution techniques and reducing vulnerability to side-channel attacks. - The guided rewriting approach could be incorporated into compilers and formal verification tools, improving the automation of software optimisation and theorem proving. - Further research can extend automated hardware design to new architectures and improve software-hardware integration in other technologies like AI accelerators. |
| Sectors | Digital/Communication/Information Technologies (including Software) |
| Description | School visit (Duke) |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | International |
| Primary Audience | Postgraduate students |
| Results and Impact | About 20 people attended my talk which sparked questions and discussions afterwards and the group hired a Phd student in the area who is collaborating with us. |
| Year(s) Of Engagement Activity | 2022 |
| Description | School visit (EPFL) |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | International |
| Primary Audience | Postgraduate students |
| Results and Impact | About 20 people attended my talk which sparked questions and discussions afterwards. |
| Year(s) Of Engagement Activity | 2021 |