Analyzing and Mitigating the SSB Vulnerability in an MDP-Equipped RISC-V Processor
摘要
The accelerating growth in scale and complexity of modern processors has led to the constant identification of transient execution vulnerabilities (TEVs), predominantly found within x86-64 and ARM CPUs. The rise in adoption of the RISC-V architecture in recent years has coincided with a surge in TEV research of its implementations. Previous studies have showcased several TEV variants in RISC-V processors. However, the range of RISC-V processors employed as platforms for TEV research has been limited in diversity, and the Spectre variant Speculative Store Bypass (SSB) has not been evaluated in RISC-V processors that utilize a memory dependence predictor (MDP), a crucial feature of numerous out-of-order (OoO) processors across different instruction set architectures (ISAs) including RISC-V and others. In this paper, we begin by examining the SSB vulnerability in a 32-bit OoO MDP-equipped RISC-V processor, “RSD”, which is compact and efficient, possessing potential applications in alternative contexts in contrast to earlier research that concentrated on heavier 64-bit CPUs. Following this, we replicate the SSB attack gadget in RSD using the Verilator software simulator and a ZedBoard Zynq-7000 FPGA board. Subsequently, we utilize the Konata pipeline viewer to visualize and verify the results obtained, confirming that the SSB attack remains feasible with the partial defense offered by an MDP. Furthermore, we propose a lightweight and versatile hardware mitigation of SSB, named PseudoConflict. According to the evaluations through the RTL simulation and FPGA prototype experiment in terms of performance overhead and hardware resource utilization, the SSB attack can be effectively countered using the approach of PseudoConflict, even on a bare-metal processor with comparatively modest resources.