SIMF: Single-Instruction Multiple-Flush Mechanism for Processor Temporal Isolation

Abstract: Microarchitectural timing attacks are a type of information leakage attack, which exploit the time-shared microarchitectural components, such as caches, translation look-aside buffers (TLBs), branch prediction unit (BPU), and speculative execution, in modern processors to leak critical information from a victim process or thread. To mitigate such attacks, the mechanism for flushing the on-core state is extensively used by operating-system-level solutions, since on-core state is too expensive to partition. In these systems, the flushing operations are implemented in software (using cache maintenance instructions), which severely limit the efficiency of timing attack protection. To bridge this gap, we propose specialized hardware support, a single-instruction multiple-flush (SIMF) mechanism to flush the core-level state, which consists of L1 caches, BPU, TLBs, and register file. We demonstrate SIMF by implementing it as an ISA extension, i.e., flushx instruction, in scalar in-order RISC-V processor. The resultant processor is prototyped on Xilinx ZCU102 FPGA and validated with state-of-art seL4 microkernel, Linux kernel in multi-core scenarios, and a cache timing attack. Our evaluation shows that SIMF significantly alleviates the overhead of flushing by more than a factor of two in execution time and reduces dynamic instruction count by orders-of-magnitude.