Speculative loading of memory, called hardware prefetching, is common in modern CPUs and may cause microarchitectural side-channel vulnerabilities. As prior work has shown, prefetching can be exploited to bypass process isolation and leak secrets. However, to this date, no effective and efficient countermeasure has been presented that secures software on affected systems. Often, disabling prefetching permanently is considered the only reasonable defense, despite the significant performance penalties this entails. In this work, we propose PreFence, a fine-grained and scheduling-aware defense against prefetching-based attacks for any platform where the prefetcher can be disabled. PreFence extends the process scheduler to be aware of security requirements of individual processes and to manage the prefetcher's state to protect against malicious parallel processes, even on SMT-enabled platforms. This allows us to efficiently disable the prefetcher only during security-critical operations, with a single system call. Library and application developers can protect their code with minimal changes, and users can protect entire legacy applications using a wrapper program. We implement our countermeasure for an x86_64 and an ARM processor. We evaluate PreFence on two attacks from prior work and find that it reliably stops prefetch leakage with low performance overhead (less than 3%) on the vulnerable functions. In addition, we observe that PreFence causes only negligible performance impact when no security-relevant code is executed. Finally, we evaluate the performance of a real-world web-server application that uses PreFence to protect security-critical code for HTTPS handling. Compared to disabling the prefetcher permanently, we find that our countermeasure allows the application to significantly benefit from the prefetcher (running up to 15.8% (Intel) and 7.2% (ARM) faster on average), while at the same time achieving the same security.
IEEE European Symposium on Security and Privacy (EuroS&P)
2025-06-30
2025-04-14