Table of Contents
Fetching ...

SPOILER-GUARD: Gating Latency Effects of Memory Accesses through Randomized Dependency Prediction

Gayathri Subramanian, Girinath P, Nitya Ranganathan, Kamakoti Veezhinathan, Gopalakrishnan Srinivasan

TL;DR

The paper addresses transient-execution leakage arising from false dependencies due to partial address aliasing in speculative memory dependencies. It introduces SPOILER-GUARD, which obfuscates dependency resolution by dynamically randomizing the partial physical address bits used for load–store comparisons and tagging misspeculated stores to prevent repeated replays, with remasking triggered on misspeculation. Hardware changes include a larger 12-bit partial-address field, SAB tagging, and an LSQ remasking controller, implemented and evaluated in gem5 with SPEC2017 benchmarks, achieving misspeculation reduction to $0.0004\%$ and notable FP/INT speedups ($2.87\%$ and $2.12\%$, respectively) at minimal area, power, and timing overhead ($0.064~\mathrm{mm}^2$, $5.863~\mathrm{mW}$, $69~\mathrm{ps}$). Storage overhead is quantified as +53 bits per SAB entry with under $0.2\%$ area impact. The work demonstrates a practical, security-focused mitigation suitable for modern Intel Core-like microarchitectures and suggests avenues for extending the approach to other speculative attacks.

Abstract

Modern microprocessors depend on speculative execution, creating vulnerabilities that enable transient execution attacks. Prior defenses target speculative data leakage but overlook false dependencies from partial address aliasing, where repeated squash and reissue events increase the load-store latency, which is exploited by the SPOILER attack. We present SPOILER-GUARD, a hardware defense that obfuscates speculative dependency resolution by dynamically randomizing the physical address bits used for load-store comparisons and tagging store entries to prevent latency-amplifying misspeculations. Implemented in gem5 and evaluated with SPEC 2017, SPOILER-GUARD reduces misspeculation to 0.0004 percent and improves integer and floating-point performance by 2.12 and 2.87 percent. HDL synthesis with Synopsys Design Compiler at 14 nm node demonstrates minimal overheads - 69 ps latency in critical path, 0.064 square millimeter in area, and 5.863 mW in power.

SPOILER-GUARD: Gating Latency Effects of Memory Accesses through Randomized Dependency Prediction

TL;DR

The paper addresses transient-execution leakage arising from false dependencies due to partial address aliasing in speculative memory dependencies. It introduces SPOILER-GUARD, which obfuscates dependency resolution by dynamically randomizing the partial physical address bits used for load–store comparisons and tagging misspeculated stores to prevent repeated replays, with remasking triggered on misspeculation. Hardware changes include a larger 12-bit partial-address field, SAB tagging, and an LSQ remasking controller, implemented and evaluated in gem5 with SPEC2017 benchmarks, achieving misspeculation reduction to and notable FP/INT speedups ( and , respectively) at minimal area, power, and timing overhead (, , ). Storage overhead is quantified as +53 bits per SAB entry with under area impact. The work demonstrates a practical, security-focused mitigation suitable for modern Intel Core-like microarchitectures and suggests avenues for extending the approach to other speculative attacks.

Abstract

Modern microprocessors depend on speculative execution, creating vulnerabilities that enable transient execution attacks. Prior defenses target speculative data leakage but overlook false dependencies from partial address aliasing, where repeated squash and reissue events increase the load-store latency, which is exploited by the SPOILER attack. We present SPOILER-GUARD, a hardware defense that obfuscates speculative dependency resolution by dynamically randomizing the physical address bits used for load-store comparisons and tagging store entries to prevent latency-amplifying misspeculations. Implemented in gem5 and evaluated with SPEC 2017, SPOILER-GUARD reduces misspeculation to 0.0004 percent and improves integer and floating-point performance by 2.12 and 2.87 percent. HDL synthesis with Synopsys Design Compiler at 14 nm node demonstrates minimal overheads - 69 ps latency in critical path, 0.064 square millimeter in area, and 5.863 mW in power.
Paper Structure (9 sections, 3 figures)

This paper contains 9 sections, 3 figures.

Figures (3)

  • Figure 1: Overview of the proposed SPOILER-GUARD defense.
  • Figure 2: Average latency of the speculatively issued malicious load for M1, M2, and M3 configurations.
  • Figure 3: Speedup achieved by SPOILER-GUARD for SPEC2017 integer and floating-point benchmark suite.