Systematic Prevention of On-Core Timing Channels by Full Temporal Partitioning

Abstract

This work addresses microarchitectural timing channels by proposing a systematic hardware defense mechanism based on full temporal partitioning. Leveraging the RISC-V ISA, the authors introduce a new temporal fence instruction, fence.t, which systematically clears vulnerable non-architectural core state during context switches. Implemented on the CVA6 core and seL4 microkernel, this ISA-supported solution effectively prevents leakage while imposing a minimal performance overhead of less than 1% and negligible hardware costs.

Report

Key Highlights

  • Systematic Timing Channel Prevention: The paper provides a systematic solution for preventing microarchitectural timing channels that exploit timing variations in state-holding core components.
  • RISC-V ISA Extension: A new temporal fence instruction, fence.t, is introduced and integrated into the RISC-V Instruction Set Architecture (ISA) to facilitate "time protection."
  • Full Temporal Partitioning: The core mechanism involves clearing vulnerable microarchitectural state to guarantee a history-independent context-switch latency, thereby eliminating information leakage.
  • Minimal Overhead: The most effective implementation approach—complete erasure of all non-architectural core components—results in a performance overhead of less than 1% and negligible hardware costs.
  • Validation Platform: The solution was implemented and evaluated using the CVA6, an open-source, 64-bit RISC-V core, alongside an experimental version of the seL4 microkernel.

Technical Details

  • Instruction: The proposed mechanism is the temporal fence instruction fence.t.
  • Function: fence.t provides the necessary hardware support for "time protection" by clearing vulnerable microarchitectural state (components like caches or buffers) and ensuring context-switch latency is history-independent.
  • Implementation Details: The authors discuss three implementation options for fence.t and find that the complete erasure of all non-architectural core components is the most effective.
  • Hardware and Software Testbed: The implementation was realized on CVA6 (an open-source, in-order, application-class, 64-bit RISC-V core) and used in the context-switch path of an experimental version of the seL4 microkernel.
  • Performance Metric: The resulting performance overhead was measured to be less than 1%.
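
The two properties listed above (clear the non-architectural state, and make the switch latency history-independent) are easiest to see on a toy model. The following Python is an added illustration for this summary, not code from the paper, from CVA6 or from seL4: it models a direct-mapped cache with dirty lines and a cycle counter (all latencies are assumed values), lets a victim domain make a secret-dependent access, and shows what a prime-and-probe receiver observes under three context-switch policies. "none" leaks through the cache, "flush" (clear without padding) still leaks through the data-dependent flush time, and "fence_t" (clear, then pad to the worst case) makes the receiver's observation identical for both secrets.

```python
"""Toy model of an on-core timing channel and of its removal by a temporal
fence.  Added illustration for this summary, not code from the paper, from
CVA6 or from seL4.  The core model (direct-mapped cache with dirty lines, a
cycle counter) and every latency constant are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field

LINE_BYTES = 64
SETS = 8                 # direct-mapped: set = (addr // LINE_BYTES) % SETS
HIT, MISS = 1, 20        # assumed load latencies in cycles
WRITEBACK = 5            # assumed cost of writing back one dirty line

@dataclass
class Core:
    tags: dict[int, int] = field(default_factory=dict)  # set -> cached tag
    dirty: set[int] = field(default_factory=set)        # sets holding dirty lines
    cycles: int = 0

    def load(self, addr: int) -> int:
        """Access addr, update the cache, return the latency the program sees."""
        line = addr // LINE_BYTES
        idx, tag = line % SETS, line // SETS
        cost = HIT if self.tags.get(idx) == tag else MISS
        self.tags[idx] = tag
        self.cycles += cost
        return cost

    def store(self, addr: int) -> None:
        self.load(addr)
        self.dirty.add((addr // LINE_BYTES) % SETS)

    def flush(self) -> int:
        """Clear all non-architectural state.  The cost depends on how many
        dirty lines must be written back, so it is history-dependent."""
        cost = WRITEBACK * len(self.dirty)
        self.tags.clear()
        self.dirty.clear()
        self.cycles += cost
        return cost

    def fence_t(self) -> int:
        """Temporal fence: flush, then pad to the worst-case flush time so the
        context-switch latency is the same whatever ran before."""
        worst = WRITEBACK * SETS
        spent = self.flush()
        self.cycles += worst - spent
        return worst

# Receiver (attacker) domain: prime every set, later probe and time each one.
PROBE = [0x2000 + i * LINE_BYTES for i in range(SETS)]
# Sender (victim) domain: different tags that map to the same sets.
VICTIM = [0x1000 + i * LINE_BYTES for i in range(SETS)]

def sender(core: Core, secret: int) -> None:
    """Secret-dependent access pattern (the kind of leak the fence must hide)."""
    if secret:
        core.store(VICTIM[0])
        core.store(VICTIM[2])      # two dirty lines, in sets 0 and 2
    else:
        core.load(VICTIM[1])       # one clean line, in set 1

def switch(core: Core, mode: str) -> int:
    """Context switch under one of three policies; returns its latency."""
    if mode == "none":
        return 0
    if mode == "flush":            # clear state but do not pad
        return core.flush()
    if mode == "fence_t":
        return core.fence_t()
    raise ValueError(mode)

def run(secret: int, mode: str) -> tuple[tuple[int, ...], int]:
    """What the receiver can observe: per-set probe latencies and the
    latency of the switch that returned control to it."""
    core = Core()
    for a in PROBE:
        core.load(a)               # prime
    switch(core, mode)             # receiver -> sender
    sender(core, secret)
    latency = switch(core, mode)   # sender -> receiver (observable by receiver)
    probes = tuple(core.load(a) for a in PROBE)
    return probes, latency

def leaks(mode: str) -> bool:
    """True if the receiver's observation differs between secret 0 and 1."""
    return run(0, mode) != run(1, mode)

if __name__ == "__main__":
    for mode in ("none", "flush", "fence_t"):
        print(mode, run(0, mode), run(1, mode), "LEAKS" if leaks(mode) else "safe")
```

The "flush" policy is the instructive case: clearing the cache removes the prime-and-probe signal, but the number of dirty lines written back still shows up in the switch latency, which is exactly why the paper insists on a history-independent context-switch time rather than on flushing alone.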

Implications

  • Foundational Security for RISC-V: This work establishes a critical architectural primitive (fence.t) for securing high-assurance systems based on RISC-V, providing systematic protection against microarchitectural timing attacks directly in hardware.
  • Standardized Security Mitigation: By defining the mechanism as an ISA extension, it moves security mitigation from ad-hoc software patches to a standardized, hardware-supported interface, which is crucial for scalable, verifiable security.
  • Enabling Trustworthy Hardware: Achieving robust security with minimal performance penalties (under 1%) makes RISC-V cores practical for deployment in environments requiring strong isolation, such as embedded systems or secure cloud computing.
  • Leveraging RISC-V Openness: The research demonstrates the inherent value of the extensible RISC-V ISA, allowing security researchers to rapidly introduce and evaluate necessary architectural features required for next-generation security defenses.