SIMF: Single-Instruction Multiple-Flush Mechanism for Processor Temporal Isolation

Abstract

Microarchitectural timing attacks exploit shared on-core state components like caches and TLBs, which are traditionally mitigated inefficiently using software-based flushing instructions. This paper introduces SIMF (Single-Instruction Multiple-Flush), a specialized hardware mechanism implemented as the flushx ISA extension for RISC-V processors. SIMF atomically flushes L1 caches, TLBs, BPU, and the register file, significantly reducing the overhead of temporal isolation and mitigating such attacks. Evaluation shows SIMF reduces flushing execution time by more than a factor of two and decreases dynamic instruction count by orders of magnitude.

Report

Key Highlights

• Innovation: SIMF (Single-Instruction Multiple-Flush) is proposed as specialized hardware support to achieve processor temporal isolation against microarchitectural timing attacks.
• Problem Solved: Mitigates the inefficiency of current operating-system-level solutions that rely on slow software-implemented cache and core maintenance instructions.
• Mechanism: SIMF consolidates the flushing of multiple critical on-core states into a single, atomic instruction (flushx).
• Performance Gain: The mechanism significantly alleviates flushing overhead, reducing execution time by more than a factor of two and decreasing dynamic instruction count by orders-of-magnitude.
• Validation: The resultant processor was successfully prototyped on a Xilinx ZCU102 FPGA and validated using the seL4 microkernel and the Linux kernel in multi-core scenarios.

Technical Details

• Core Technology: Single-Instruction Multiple-Flush (SIMF).
• Implementation: Implemented as a custom ISA extension, specifically the flushx instruction.
• Target Architecture: Scalar in-order RISC-V processor.
• Flushed Components (Core-level State): L1 caches, Translation Look-aside Buffers (TLBs), Branch Prediction Unit (BPU), and the register file.
• Security Context: Designed primarily to counter information leakage attacks exploiting time-shared microarchitectural components (like those used in Spectre/Meltdown class attacks).

Implications

• Enhanced Security Primitives for RISC-V: SIMF demonstrates the feasibility of extending the open RISC-V ISA with high-performance security primitives tailored for mitigation techniques, improving hardware isolation guarantees.
• Faster Context Switching: By providing a fast, atomic hardware flush operation, SIMF drastically reduces the overhead associated with mandatory context switching necessary for temporal isolation, benefiting security-focused operating systems like seL4.
• Hardware vs. Software Mitigation: This work reinforces the shift towards providing dedicated hardware assistance for security functions that are prohibitively slow when handled purely in software, establishing a strong foundation for future processor designs prioritizing security performance.