Branchboozle: a side-channel within a hidden pattern history table of modern branch prediction units

We present Branchboozle, a side-channel that can be configured on top of a hidden Pattern History Table (PHT) now found in modern Branch Prediction Units (BPUs). In a similar fashion to known BranchScope attacks, Branchboozle works by closely monitoring the directional predictions issued by the BPU, i.e., whether a branch is predicted Taken or Non-Taken. However, our attack exclusively focuses on analyzing the predictions issued by a secondary, mostly-undocumented 3-bit PHT, whereas BranchScope attacks manipulate the predictions issued by a textbook-like 2-bit PHT. This work describes how Branchboozle can configure an extremely robust covert-channel among independent processes that works even across the physical threads of an execution core with Simultaneous Multi-Threading technology. Additionally, we demonstrate that branches protected by Intel's Software Guard eXtensions are also vulnerable to our attack setting. Finally, we illustrate how Branchboozle can potentiate transient execution attacks dependent on branch direction misprediction, i.e., Spectre Variant 1.

[1]  Onur Aciiçmez,et al.  Predicting Secret Keys Via Branch Prediction , 2007, CT-RSA.

[2]  Stefan Mangard,et al.  Malware Guard Extension: Using SGX to Conceal Cache Attacks , 2017, DIMVA.

[3]  Alan Jay Smith,et al.  Branch Prediction Strategies and Branch Target Buffer Design , 1995, Computer.

[4]  Stefan Mangard,et al.  KASLR is Dead: Long Live KASLR , 2017, ESSoS.

[5]  Frank Piessens,et al.  A Systematic Evaluation of Transient Execution Attacks and Defenses , 2018, USENIX Security Symposium.

[6]  Nael B. Abu-Ghazaleh,et al.  Jump over ASLR: Attacking branch predictors to bypass ASLR , 2016, 2016 49th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO).

[7]  Srinivas Devadas,et al.  Intel SGX Explained , 2016, IACR Cryptol. ePrint Arch..

[8]  Nael B. Abu-Ghazaleh,et al.  Covert channels through branch predictors: a feasibility study , 2015, HASP@ISCA.

[9]  Yuval Yarom,et al.  FLUSH+RELOAD: A High Resolution, Low Noise, L3 Cache Side-Channel Attack , 2014, USENIX Security Symposium.

[10]  Jian Zhai,et al.  Bluethunder: A 2-level Directional Predictor Based Side-Channel Attack against SGX , 2019, IACR Trans. Cryptogr. Hardw. Embed. Syst..

[11]  Carl A. Waldspurger,et al.  Speculative Buffer Overflows: Attacks and Defenses , 2018, ArXiv.

[12]  S. McFarling Combining Branch Predictors , 1993 .

[13]  Johannes Götzfried,et al.  Cache Attacks on Intel SGX , 2017, EUROSEC.

[14]  Jean-Pierre Seifert,et al.  On the power of simple branch prediction analysis , 2007, ASIACCS '07.

[15]  Frank Piessens,et al.  SGX-Step: A Practical Attack Framework for Precise Enclave Execution Control , 2017, SysTEX@SOSP.

[16]  Gorka Irazoqui Apecechea,et al.  CacheZoom: How SGX Amplifies The Power of Cache Attacks , 2017, CHES.

[17]  David A. Patterson,et al.  Computer Architecture: A Quantitative Approach , 1969 .

[18]  Nael B. Abu-Ghazaleh,et al.  BranchScope: A New Side-Channel Attack on Directional Branch Predictor , 2018, ASPLOS.

[19]  Michael Hamburg,et al.  Spectre Attacks: Exploiting Speculative Execution , 2018, 2019 IEEE Symposium on Security and Privacy (SP).