Session 8A: Security and Protection ASPLOS’18, March 24–28, 2018, Williamsburg, VA, USA BranchScope: A New Side-Channel Attack on Directional Branch Predictor Dmitry Evtyushkin Ryan Riley College of William and Mary Carnegie Mellon University in Qatar [email protected] [email protected] Nael Abu-Ghazaleh Dmitry Ponomarev University of California Riverside Binghamton University [email protected] [email protected] Abstract Support for Programming Languages and Operating Systems (AS- We present BranchScope — a new side-channel attack where PLOS’18). ACM, New York, NY, USA, 15 pages. https://doi.org/10. the attacker infers the direction of an arbitrary conditional 1145/3173162.3173204 branch instruction in a victim program by manipulating the shared directional branch predictor. The directional compo- nent of the branch predictor stores the prediction on a given 1 Introduction branch (taken or not-taken) and is a different component Modern microprocessors rely on branch prediction units from the branch target buffer (BTB) attacked by previous (BPUs) to sustain uninterrupted instruction delivery to the work. BranchScope is the first fine-grained attack on the di- execution pipeline across conditional branches. When multi- rectional branch predictor, expanding our understanding of ple processes execute on the same physical core, they share the side channel vulnerability of the branch prediction unit. a single BPU. While attractive from utilization and complex- Our attack targets complex hybrid branch predictors with ity considerations, the sharing potentially opens the door unknown organization. We demonstrate how an attacker an attacker to manipulate the shared BPU state, create a can force these predictors to switch to a simple 1-level mode side-channel, and derive a direction or target of a branch to simplify the direction recovery. We carry out BranchScope instruction executed by a victim process. Such leakage can on several recent Intel CPUs and also demonstrate the attack compromise sensitive data. For example, when a branch in- against an SGX enclave. struction is conditioned on a bit of a secret key, the key CCS Concepts • Security and privacy → Side-channel bits are leaked directly. This occurs in implementations of analysis and countermeasures; Hardware reverse en- exponentiation algorithms [13, 32] and other key mathemat- gineering; ical operations [3] of modern cryptographic schemes. The attacker may also change the predictor state, changing its Keywords Branch Predictor, Attack, Side-channel, SGX, behavior in the victim. Microarchitecture Security, Timing Attacks, Performance On modern microprocessors, the BPU is composed of two Counters structures: the branch target buffer (BTB) and the directional predictor. Previous work has specifically targeted the BTB to ACM Reference Format: create side channels [1, 3, 21, 35]. In the BTB, the target of a Dmitry Evtyushkin, Ryan Riley, Nael Abu-Ghazaleh, and Dmitry conditional branch is updated only when the branch is taken; Ponomarev. 2018. BranchScope: A New Side-Channel Attack on this can be exploited to detect whether or not a particular Directional Branch Predictor. In Proceedings of 2018 Architectural victim branch is taken. The first attack in this area proposed several BTB-based attacks that are based on filling the BTB Permission to make digital or hard copies of all or part of this work for by the attacker, causing the eviction of entries belonging to personal or classroom use is granted without fee provided that copies the victim. By observing the timing of future accesses [3], are not made or distributed for profit or commercial advantage and that the attacker can infer new branches executed by the victim. copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must We describe those attacks and their limitations in the related be honored. Abstracting with credit is permitted. To copy otherwise, or work section. In other work [21], we recently proposed a republish, to post on servers or to redistribute to lists, requires prior specific side-channel attack on the BTB that creates BTB collisions permission and/or a fee. Request permissions from [email protected]. between the victim and the attacker processes, thus allowing ASPLOS’18, March 24–28, 2018, Williamsburg, VA, USA the attacker to discover the location of a particular victim’s © 2018 Copyright held by the owner/author(s). Publication rights licensed branch instruction in the address space, bypassing address to the Association for Computing Machinery. ACM ISBN ISBN 978-1-4503-4911-6/18/03...$15.00 space layout randomization. Lee et al. [35] built on that work https://doi.org/10.1145/3173162.3173204 by exploiting the BTB collisions to also discover the direction 693 Session 8A: Security and Protection ASPLOS’18, March 24–28, 2018, Williamsburg, VA, USA of the victim’s branch instructions. They demonstrated the community considers defenses against these attacks, the vul- attack in kernel space against Intel SGX enclaves. nerability outlined in BranchScope must also be addressed. In this paper, we propose a new micro-architectural side- In summary, the main contributions and the key results channel attack, which we call BranchScope, that targets the of this paper are: directional predictor as the source of information leakage. To the best of our knowledge, BranchScope is the first at- • We propose BranchScope — the first side-channel at- tack exploiting the directional predictor structure, showing tack explicitly targeted at extracting sensitive infor- that BPUs can be vulnerable even if the BTB is protected. mation through the directional branch predictor (as BranchScope works by forcing collisions between the attacker opposed to existing work targeting the Branch Target and selected victim branches and exploiting these collisions Buffer). BranchScope is not affected by defenses against to infer information about the victim branch. This attack BTB-based attacks. has new challenges not present in a BTB attack. In order to • We demonstrate that BranchScope works reliably and achieve collisions, we must overcome the unpredictability of efficiently from user space across three generations of the complex hybrid prediction mechanisms used in modern Intel processors in the presence of system noise, with CPUs. BranchScope overcomes this by generating branch an error rate of less than 1%. patterns that force the branch predictor to select the local • We show that BranchScope can be naturally extended one-level prediction even when complex multi-level predic- to attack SGX enclaves with even lower error rates tors are present in the processor. Second, after collisions than in traditional systems. are reliably created, the victim’s branch direction can be ro- • We describe both hardware and software countermea- bustly disclosed by an attacker executing a pair of branches sures to mitigate BranchScope, providing branch pre- with predefined outcomes, measuring the prediction accu- diction units that are secure to side channel attacks. racy of these branches, and correlating this information to the predictor state and thus to the direction of the victim’s branch. 2 Background: Branch Predictor Unit We demonstrate BranchScope on three recent Intel x86_64 Modern branch predictors [15, 31, 41, 43, 50] are typically processors — Sandy Bridge, Haswell and Skylake. To perform implemented as a composition of a simple one-level bimodal BranchScope, the attacker does not need to reverse-engineer predictor indexed directly by the program counter (we refer the details of the branch predictor operation, and only needs to it as the 1-level predictor [49]), and a gshare-style 2-level to perform simple manipulations with the prediction state predictor [57]. The gshare-like predictor exploits the obser- machines from the user space. We also demonstrate how vation that the branch outcome depends on the results of BranchScope can be extended to attack SGX enclaves even if recent branches, and not only on the address of the branch. A recently-proposed protections are implemented. We show selector table indexed by the branch address identifies which that BranchScope can be performed across hyperthreaded predictor is likely to perform better for a particular branch cores, advancing previously demonstrated BTB-based attacks based on the previous behavior of the predictors. This design which leaked information only between processes scheduled combines the best features of both component predictors. on the same virtual core [21]. This capability relaxes the Figure 1 illustrates one possible design of such a hybrid attacker’s process scheduling constraints, allowing a more predictor. The 1-level predictor stores its history in the form flexible attack. Finally, we describe countermeasures topre- of a 2-bit saturating counter in a pattern history table (PHT). vent the BranchScope attack in future systems. The gshare predictor has a more complex indexing scheme The recent Meltdown [36] and Spectre [34] attacks demon- that combines the program counter with the global history strated the vulnerability of speculative execution to side- register (GHR). The GHR records the outcomes of the last sev- channel attacks, directly impacting the security of current eral branches executed by the program. The branch history systems and leading to data exfiltration. Branch predictors information is also stored in the PHT using a 2-bit saturating are critical to these attacks
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages15 Page
-
File Size-