Execution context isolation is a key security requirement in personal computers, edge devices, and more importantly on multitenant computing environments such as the Cloud. It is vital that data belonging to one context (e.g., a process, enclave, or virtual machine) cannot be accessed or modified by another context without explicit permission, particularly in consideration of a remote adversary. However, the level of context isolation provided by today’s systems is not well aligned with the security needs of personal users, cloud providers, and customers of cloud computing services alike. Current hardware enforces isolation at the architectural level. However recent high-profile attacks demonstrated that isolation guarantees are weak at the microarchitectural-level. To make matters worse, a lot of the defenses against microarchitectural defenses aim to protect specific side-channels rather than providing a more comprehensive solution. In this paper we describe our recent and ongoing efforts in providing holistic defenses against microarchitectural attacks.
|