fence.t.s: Closing Timing Channels in High-Performance Out-of-Order Cores through ISA-Supported Temporal Partitioning
Nils Wistoff, Gernot Heiser, Luca Benini
TL;DR
This work tackles microarchitectural timing channels by extending the fence.t time-protection primitive to complex out-of-order cores via a software-supported temporal fence, fence.t.s. It identifies mixed-state and reusability challenges in fence.t and addresses them by splitting the workflow into discrete instructions and saving architectural state on a stack, implemented on the OpenC910 core with a new ff.clr instruction. Security analysis using a channel-bench framework shows that fence.t.s can completely mitigate on-core timing channels with an average overhead of around 1.0% and minimal hardware costs. The results demonstrate that commercial, high-performance RISC-V cores can enforce temporal isolation efficiently, enabling safer sharing of security domains without significant performance or area penalties.
Abstract
Microarchitectural timing channels exploit information leakage between security domains that should be isolated, bypassing the operating system's security boundaries. These channels result from contention for shared microarchitectural state. In the RISC-V instruction set, the temporal fence instruction (fence.t) was proposed to close timing channels by providing an operating system with the means to temporally partition microarchitectural state inexpensively in simple in-order cores. This work explores challenges with fence.t in superscalar out-of-order cores featuring large and pervasive microarchitectural state. To overcome these challenges, we propose a novel SW-supported temporal fence (fence.t.s), which reuses existing mechanisms and supports advanced microarchitectural features, enabling full timing channel protection of an exemplary out-of-order core (OpenC910) at negligible hardware costs and a minimal performance impact of 1.0 %.
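The following is an added toy model (not code from the paper, the channel-bench framework, or the OpenC910 RTL) of the principle the abstract describes: a receiver domain's observed latency depends on state left behind by a sender domain, and a temporal fence that flushes that state on the domain switch removes the dependence. The cache size, latencies, and the "fence = flush everything" semantics are constructed assumptions, not the fence.t.s/ff.clr mechanism itself.

```python
"""Toy on-core timing channel and its closure by temporal partitioning.
Added illustration; cache model, latencies and scheduling are constructed."""
import math
from collections import Counter

LINES = 8           # constructed: tiny cache, one "line" per index
HIT, MISS = 1, 10   # constructed latencies in cycles


class Core:
    """Shared microarchitectural state: which lines are currently resident."""
    def __init__(self):
        self.resident = set()

    def access(self, line):
        cost = HIT if line in self.resident else MISS
        self.resident.add(line)
        return cost

    def temporal_fence(self):
        # Assumed fence semantics: discard all state that would outlive the switch
        self.resident.clear()


def sender(core, secret_bit):
    # Domain A: memory footprint depends on the secret (secret-dependent lookup)
    for line in (range(LINES) if secret_bit else range(LINES // 2)):
        core.access(line)


def receiver(core):
    # Domain B: after the switch, times a probe of every line
    return sum(core.access(line) for line in range(LINES))


def mutual_information(samples):
    """Bits shared between the secret and the observed latency (plug-in estimate)."""
    n = len(samples)
    joint = Counter(samples)
    ps = Counter(s for s, _ in samples)
    po = Counter(o for _, o in samples)
    return sum(c / n * math.log2((c / n) / ((ps[s] / n) * (po[o] / n)))
               for (s, o), c in joint.items())


def run_channel(fence, trials=200):
    """Return the channel's mutual information with or without the fence."""
    samples = []
    for i in range(trials):
        core, secret = Core(), i % 2
        sender(core, secret)
        if fence:
            core.temporal_fence()   # OS issues the fence on the domain switch
        samples.append((secret, receiver(core)))
    return mutual_information(samples)
```

Without the fence the receiver's latency (8 vs 44 cycles) reveals the secret bit exactly; with the fence every probe misses and the channel carries zero bits.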
