Position Paper: A case for exposing extra-architectural state in the ISA

The recent Meltdown and Spectre attacks took the community by surprise. Rather than exploiting an incorrect implementation of the ISA, these attacks leverage the undocumented implementation-specific speculation behavior of high-performance microarchitectures to affect the extra-architectural state of the machine (e.g., caches). Inspired by these novel speculation-based attacks, we argue it is time to rethink the traditional ISA layers. Programmers and security professionals need a framework to reason about the effects of speculation and other microarchitectural performance optimizations. We propose judiciously extending the ISA to include the extra-architectural state so that an ISA implementation either completely squashes all system state changes caused by mis-speculated instructions or the potential changes are rigorously documented. We hope this new framework will give architects and security researchers tools to reduce the likelihood of future surprise vulnerabilities.