SCSGuardian: A Practical Hardware Defense Against Speculative Cache Side-Channel Attacks

Published: 2025, Last Modified: 08 Nov 2025. IEEE Trans. Inf. Forensics Secur. 2025. CC BY-SA 4.0
Abstract: Speculative execution introduces serious security vulnerabilities, particularly in the form of speculative cache side-channel (SCS) attacks, which exploit the states of the cache system to leak sensitive data from a victim’s memory space. Existing hardware defense solutions against SCS attacks remain limited in effectively addressing these threats in real-world scenarios due to their significant overhead and/or inadequate security. Therefore, this paper proposes SCSGuardian, a practical hardware defense framework against SCS attacks. SCSGuardian addresses two key issues in defending against SCS attacks, i.e., when to initiate and lift protection for unsafe speculative memory access micro-operations ($\mu$ops), and what the scope of the $\mu$ops that require protection is. On this basis, a low-overhead method is proposed for tracking unsafe speculative memory access $\mu$ops based on various speculation windows within processors and the attack principles of SCS attacks. Tailored hardware $\mu$op-delaying strategies are then proposed, which delay unsafe speculative memory access $\mu$ops at different stages of the memory access pipeline based on their impact on various states of the cache system. These strategies efficiently protect cache system components from SCS attacks while avoiding unnecessary delays on memory access $\mu$ops, ensuring comprehensive security with optimized performance. SCSGuardian has been implemented in two versions, i.e., v1 and v2, targeting single-core and multi-core processors, respectively. SCSGuardian v1 and v2 defend against SCS attacks with negligible hardware resource overheads of only 0.111% and 0.268%, respectively. Moreover, on SPEC2017, SCSGuardian v1 exhibits performance overheads of only 4.62% and 3.82%, and v2 only 5.97% and 5.47%, in the RISC-V core-based FPGA prototype experiment and the x86 out-of-order CPU model-based Gem5 simulation, respectively.