Evaluation Code for Speculative Privacy Tracking (SPT)

March 26, 2022 · View on GitHub

Rutvik Choudhary, Jiyong Yu, Chris Fletcher, Adam Morrison

UIUC, USA       Tel Aviv University, Israel

DOI

Intro

This is the code we used to do the evaluations for our MICRO 2021 paper: Speculative Privacy Tracking (SPT): Leaking Information From Speculative Execution Without Compromising Privacy.

Citation

@inproceedings{SPT2021,
  title = {Speculative Privacy Tracking (SPT): Leaking Information From Speculative Execution Without Compromising Privacy},
  author = {Rutvik Choudhary and Jiyong Yu and Christopher W. Fletcher and Adam Morrison},
  booktitle = {Proceedings of the 54th Annual IEEE/ACM International Symposium on Microarchitecture},
  year = {2021},
}

Cloning

cd to wherever you want your copy of the repo to live. Then run

git clone https://github.com/FPSG-UIUC/SPT.git

From now on, we will use $SPT to refer to the filepath of your local copy of the repo

Building

Requirements

ToolVersionNotes
Ubuntu16.04:warning: Unfortunately the repo doesn't appear to run correctly when tested on Ubuntu 20.04 (and we haven't tested Ubuntu 18). We suggest using Docker as described below.
Python2.7This is needed to build the repo. You won't invoke this manually.
Python3.5+You will manually invoke this to run the helper script.
SCons2.5.1:warning: SCons versions 3 and beyond will use Python 3 under the hood and will cause build failures, so make sure you use this version! It can't be found with Anaconda, but it can be found with pip.
g++5.3.1This version is default installed when apt install g++ is run on Ubuntu 16.04

There might be one or two extra dependencies that aren't already on your machine, but the gem5 build scripts will let you know what is missing, and from there it's just a matter of apt install.

Using Docker

In order to make the build process easier, we have published a Docker image to DockerHub that you can run SPT in. The advantage of using Docker is that it has all the necessary dependencies to build and run SPT including the correct OS!

Within the container, this git repo has already been cloned and resides at /home/SPT. Note that the Docker image might not be the most up-to-date version of SPT, so it's a good idea to do a git pull after starting up a Docker container.

To get this image locally run docker pull rutvikc/spt. After it finishes, when you run docker images you should see an image called rutvikc/spt.

This is not intended to be a Docker tutorial, so we will leave out any further details.

Build Command

cd into $SPT and run

scons build/X86_MESI_Two_Level/gem5.fast -j <num cores>

Running

Running the gem5 executable directly is a bit complicated since there are some legacy command-line options from previous projects. Thus it is highly recommended that you use the helper script run_spt.py. You need to run it with Python version 3.5 or later!

Note: If you want to see the actual command that is run, gem5 prints it near the start.

Note: Our helper script targets syscall emulation mode for gem5. For full system mode, you're on your own unfortunately.

Configuration Options for Helper Script

ParameterValuesDescriptionRequirements/Restrictions
--executableFilesystem PathThe executable you want to run with gem5Required
--enable-sptn/aEnables SPT's protection mechanism (if this is left out then then you have the UnsafeBaseline)Not required
--threat-modelspectre, futuristicWhich threat model to simulate under (see paper for details)Required if --enable-spt is specified
--untaint-methodnone, fwd, bwd, idealWhat type of untaint propagation to allow (see paper for details)Required if --enable-spt is specified
--enable-shadow-l1n/aEnables the shadow L1 (aka taint tracking through the L1 cache)Cannot be specified if --enable-shadow-mem was specified
--enable-shadow-memn/aEnables shadow memory (aka taint tracking through all of memory)Cannot be specified if --enable-shadow-l1 was specified

Miscellaneous Options for Helper Script

ParameterValuesDescriptionRequirements/Restrictions
--track-instsn/aIf this is specified, then gem5 will output detailed taint tracking information. This is recommended if you wish to observe the flow of taint/untaint through your program. Note that a lot of output will be produced!Can only be specified if --enable-spt is specified
--output-dirFilesystem PathThis is the directory where the output stats.txt file will be generated. Note that whatever directory you specify here will be created. If unspecified, then it will create a directory m5out in $SPT and put stats.txt there.Not required

Running Configurations from the Paper

Listed below are the configurations that we evaluated in our paper and the corresponding parameters to run_spt.py. We have omitted the following parameters in the table since their values are user-dependent:

  • --executable
  • --threat-model
  • --track-insts
Configuration from PaperParameters
SecureBaseline--enable-spt --untaint-method=none
Fwd, NoShadowL1--enable-spt --untaint-method=fwd
Bwd, NoShadowL1--enable-spt --untaint-method=bwd
Bwd, ShadowL1--enable-spt --untaint-method=bwd --enable-shadow-l1
Bwd, ShadowMem--enable-spt --untaint-method=bwd --enable-shadow-mem
Ideal, ShadowMem--enable-spt --untaint-method=ideal --enable-shadow-mem

To run the InsecureBaseline, provide only the --executable parameter.

Getting the Results

When gem5 is run, it will create a file called stats.txt in the directory you specified with --output-dir. If you didn't specify --output-dir then stats.txt will be in $SPT/m5out.

In this file are many statistics, though the one of most interest will be numCycles, which specifies how many cycles the program took to execute. There many other statistics provided by gem5 that have comments next to them briefly describing what they are.

On top of the statistics provided by gem5, we provide some custom statistics as well:

StatisticDescription
TotalUntaintsEvery time a register goes from tainted to untainted
VPUntaintsSecret-dependent operand register untainted because a transmit reached the visibility point
FwdUntaintsRegister untainted because of forward untaint propagation
BwdUntaintsRegister untainted because of backward untaint propagation
SL1UntaintsLoad destination register untainted because of the shadow L1
DelayedSL1UntaintsLoad destination register untainted because of the shadow L1 (but had to wait until STLPublic was true)
STLFwdUntaintsLoad destination register untainted because of store-to-load forwarding
STLBwdUntaintsStore source register untainted because of store-to-load forwarding
DelayedSTLFwdUntaintsLoad destination register untainted because of store-to-load forwarding (but had to wait until STLPublic was true)
DelayedSTLBwdUntaintsStore source register untainted because of store-to-load forwarding (but had to wait until STLPublic was true)
SL1UntaintedHitA hit in the shadow L1 that returns untainted data
SL1TaintedHitA hit in the shadow L1 that returns tainted data
DelayedSL1UntaintedHitA hit in the shadow L1 that returns untainted data (but had to wait until STLPublic was true)
DelayedSL1TaintedHitA hit in the shadow L1 that returns tainted data (but had to wait until STLPublic was true)
SL1MissA miss in the shadow L1 (which always returns tainted data)
DelayedSL1MissA miss in the shadow L1 (which always returns tainted data, had to wait until STLPublic was true)

For more details/explanation on these events, see our paper.

Browsing the Code

If you want to look for our specific additions, a good string to search for is Rutvik, SPT. That should indicate where most of the changes are. There may be some others that can be seen, but these locations will serve as a good starting point.