Using Intel® Compilers to Mitigate Speculative Execution Side-Channel Issues

Introduction

Side channel methods are techniques that may allow an attacker to obtain secret or privileged information through observing the system that they would not normally be able to access, such as measuring microarchitectural properties about the system. For background information relevant to this article, refer to the overview in Intel Analysis of Speculative Execution Side Channels. This article describes Intel® C++ Compiler support and Intel® Fortran Compiler support for speculative execution side channel mitigations.

Mitigating Bounds Check Bypass (Spectre Variant 1)

Please read Intel's Analysis of Speculative Execution Side Channels for details, exploit conditions, and mitigations for the exploit known as bounds check bypass (Spectre variant 1).

One mitigation for Spectre variant 1 is through use of the LFENCE instruction. The LFENCE instruction does not execute until all prior instructions have completed locally, and no later instruction begins execution until LFENCE completes. _mm_lfence() is a compiler intrinsic or assembler inline that issues an LFENCE instruction and also ensures that compiler optimizations do not move memory references across that boundary. Inserting an LFENCE between a bounds check condition and memory loads helps ensure that the loads do not occur until the bounds check condition has actually been completed.

Use the following options to get automatic mitigation for Spectre variant 1 from Intel C++ and Fortran compilers: 

Intel® C++/Fortran 
Compiler versions
Linux or macOSWindows
18.0.3 or newer-mconditional-branch=keep
-mconditional-branch=pattern-report
-mconditional-branch=pattern-fix
/Qconditional-branch=keep
/Qconditional-branch=pattern-report
/Qconditional-branch=pattern-fix

The Intel C++ Compiler and Intel Fortran Compiler both allow programmers to insert LFENCE instructions, which can be used to help mitigate bounds check bypass (Spectre variant 1).

LFENCE in C/C++

You can insert LFENCE instructions in a C/C++ program as shown in the example below:

#include <intrin.h>
#pragma intrinsic(_mm_lfence)

    if (user_value >= LIMIT)
    {
        return STATUS_INSUFFICIENT_RESOURCES;
    }
    else
    {    
        _mm_lfence();	/* manually inserted by developer */
        x = table[user_value];
        node = entry[x];
    }

LFENCE in Fortran

You can insert an LFENCE instruction in Fortran applications as shown in the example below.
Implement the following subroutine, which calls _mm_lfence() intrinsics:

Interface 
        subroutine for_lfence() bind (C, name = "_mm_lfence") 
            !DIR$ attributes known_intrinsic, default :: for_lfence
        end subroutine for_lfence
    end interface
 
    if (untrusted_index_from_user .le. iarr1%length) then
        call for_lfence()
        ival = iarr1%data(untrusted_index_from_user)
        index2 = (IAND(ival,1)*z'100') + z'200'    
        if(index2 .le. iarr2%length) 
            ival2 = iarr2%data(index2)
    endif

The LFENCE intrinsic is supported in the following Intel compilers:

  • Intel C++ Compiler 8.0 and later for Windows*, Linux*, and macOS*
  • Intel Fortran Compiler 14.0 and later for Windows, Linux and macOS in order to apply the intrinsic using the above method

Mitigating Branch Target Injection (Spectre Variant 2)

Intel's whitepaper on Retpoline: A Branch Target Injection Mitigation discusses the details, exploit conditions, and mitigations for the exploit known as branch target injection (Spectre variant 2). While there are a number of possible mitigation techniques for this side channel method, the mitigation technique described in that document is known as retpoline, which is a technique employed by the Intel® C++ and Fortran compilers.

The Intel C++ and Fortran compilers have command line options “-mindirect-branch=CHOICE” & “-mfunction-return=CHOICE” support just like gcc as documented at https://gcc.gnu.org/onlinedocs/gcc/x86-Options.html.

The compiler options implemented are below in the corresponding compiler versions:

Intel® C++/Fortran Compiler versionsLinux or macOSWindows
18.0.3 or newer-mfunction-return={keep,thunk-inline,
                                     thunk-extern,thunk}  
-mindirect-branch={keep,thunk-inline,
                                    thunk-extern,thunk}
-mindirect-branch-register
/Qfunction-return:{keep,thunk-inline,
                                  thunk-extern,thunk}
/Qindirect-branch:{keep,thunk-inline,
                                  thunk-extern,thunk}
/Qindirect-branch-register
18.0.2 or newer-mindirect-branch=thunk-inline
-mindirect-branch=thunk-extern
/Qindirect-branch:thunk-inline
/Qindirect-branch=thunk-extern
17.0.7 or newer
16.0.8 or newer
-mfunction-return={keep,thunk-inline, thunk-extern,thunk}
-mindirect-branch={keep,thunk-inline, thunk-extern,thunk}
-mindirect-branch-register
/Qfunction-return:{keep,thunk-inline, thunk-extern,thunk}
/Qindirect-branch:{keep,thunk-inline, thunk-extern,thunk}
/Qindirect-branch-register

Refer to the Intel Compilers - Supported compiler versions for the list of supported Intel Compilers.

How to Obtain the Latest Intel® C++ Compiler and Intel® Fortran Compiler

The Intel® C++ Compiler is distributed as part of the Intel® Parallel Studio XE and Intel® System Studio tool suites. The Intel® Fortran Compiler is distributed as part of Intel® Parallel Studio XE. You can download these from Intel Registration Center when available:

  1. Intel® Parallel Studio XE 2018 update 2 or later
  2. Intel® Parallel Studio XE 2017 update 7 or newer
  3. Intel® Parallel Studio XE 2016 update 5 or newer
  4. Intel® System Studio 2018 update 1 or later

Refer to the Intel Compilers - Supported compiler versions for the list of supported Intel Compilers.

Conclusion and Further Reading

Visit the Intel Press Room for the latest updates regarding the Spectre and Meltdown issues, and Intel’s Side Channel Security Support website for additional software-specific, up-to-date information. You can find more detailed explanations of Speculative Execution Side-Channel Mitigations and Intel’s Mitigation Overview for Potential Side-Channel Cache Exploits in Linux* on our Side-Channel Security Support website.

Refer to our support site for support options if you experience any issues.

Intel continues to work on improving Intel® Software Development Products for the identified security issues. We will continue to revise this article with Intel® C++ Compiler and Intel Fortran Compiler product updates as they become available.

Disclaimers

Intel technologies' features and benefits depend on system configuration and may require enabled hardware, software, or service activation. Performance varies depending on system configuration. Check with your system manufacturer or retailer or learn more at www.intel.com.

All information provided here is subject to change without notice. Contact your Intel representative to obtain the latest Intel® products specifications and roadmaps.

Intel provides these materials as-is, with no express or implied warranties.

Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries.

*Other names and brands may be claimed as the property of others.

Copyright © [2018], Intel Corporation. All rights reserved.

For more complete information about compiler optimizations, see our Optimization Notice.