ProSpeCT: Provably Secure Speculation for the Constant-Time Policy (Extended version)

Abstract

ProSpeCT is a generic formal processor model designed to provide provably secure speculative execution specifically for programs adhering to the constant-time policy. It guarantees security by tracking secret data within the pipeline and preventing its influence on the microarchitectural state, thereby mitigating all known Spectre and Load Value Injection (LVI) attacks. A prototype implementation on a RISC-V processor confirms that enabling this security feature incurs no performance overhead for compliant constant-time binaries.

Report

Key Highlights

• Formal Security Model: ProSpeCT provides a formal processor model ensuring provably secure speculation for constant-time programs.
• Comprehensive Mitigation: The model guarantees that speculative and out-of-order execution introduce no microarchitectural leaks, protecting against all known Spectre-class attacks, including Load Value Injection (LVI).
• Mechanism: Security is achieved by actively tracking secrets (sensitive data) within the processor pipeline and ensuring they cannot influence microarchitectural state during speculation.
• Low Overhead: A prototype implementation on RISC-V demonstrated low impact on hardware cost, minimal required software changes, and crucially, zero performance overhead for compliant constant-time code.

Technical Details

• Methodology: The core technical innovation is the dynamic tracking and taint-marking of data considered 'secret' as it moves through the pipeline stages.
• Security Policy: If a speculative instruction relies on secret data, ProSpeCT ensures that this operation does not result in a state change observable through microarchitectural channels (like cache access patterns).
• Generalization: The formalization is highly generalized, covering a broad class of speculation mechanisms, which allows it to secure a wider array of processor designs than previous, more narrowly defined security approaches.
• Implementation Target: The security policy was implemented and tested on a prototype RISC-V processor architecture.
• Evaluation Metric: The evaluation focused on hardware cost, necessary software modifications, and most importantly, runtime performance, finding that the cost of enabling provable security for compliant code is negligible.

Implications

• Cryptographic Assurance: This work provides a fundamental, formally verified solution to the problem of running cryptographic software (which is highly dependent on the constant-time policy) securely on modern, high-performance speculative processors.
• Security by Design: ProSpeCT shifts the burden of mitigating speculation attacks from complex, often incomplete, software patches back to the hardware design, offering a security-by-design approach.
• RISC-V Advancement: Demonstrating this capability on RISC-V is significant, as it shows that open-source hardware architectures can integrate state-of-the-art, formally verified security primitives crucial for high-security applications, potentially boosting RISC-V adoption in sensitive domains.
• Performance vs. Security Trade-off: The key finding that compliant constant-time code suffers no performance degradation eliminates the traditional trade-off between processor performance (speculation) and absolute security against timing side-channels.