BranchScope

We present BranchScope - a new side-channel attack where the attacker infers the direction of an arbitrary conditional branch instruction in a victim program by manipulating the shared directional branch predictor. The directional component of the branch predictor stores the prediction on a given branch (taken or not-taken) and is a different component from the branch target buffer (BTB) attacked by previous work. BranchScope is the first fine-grained attack on the directional branch predictor, expanding our understanding of the side channel vulnerability of the branch prediction unit. Our attack targets complex hybrid branch predictors with unknown organization. We demonstrate how an attacker can force these predictors to switch to a simple 1-level mode to simplify the direction recovery. We carry out BranchScope on several recent Intel CPUs and also demonstrate the attack against an SGX enclave.

[1]  Billy Bob Brumley,et al.  Amplifying side channels through performance degradation , 2016, ACSAC.

[2]  Y.N. Patt,et al.  Using Hybrid Branch Predictors to Improve Branch Prediction Accuracy in the Presence of Context Switches , 1996, 23rd Annual International Symposium on Computer Architecture (ISCA'96).

[3]  Mehmet Kayaalp,et al.  A high-resolution side-channel attack on last-level cache , 2016, 2016 53nd ACM/EDAC/IEEE Design Automation Conference (DAC).

[4]  Stefan Mangard,et al.  KASLR is Dead: Long Live KASLR , 2017, ESSoS.

[5]  J. Quisquater,et al.  A Practical Implementation of the Timing Attack , 1998, CARDIS.

[6]  Tanja Lange,et al.  Sliding Right into Disaster: Left-to-Right Sliding Windows Leak , 2017, CHES.

[7]  Stefan Mangard,et al.  Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR , 2016, CCS.

[8]  A. Seznec,et al.  Trading Conflict And Capacity Aliasing In Conditional Branch Predictors , 1997, Conference Proceedings. The 24th Annual International Symposium on Computer Architecture.

[9]  Ruby B. Lee,et al.  New cache designs for thwarting software cache-based side channel attacks , 2007, ISCA '07.

[10]  N PattYale,et al.  The agree predictor , 1997 .

[11]  Nael B. Abu-Ghazaleh,et al.  Non-monopolizable caches: Low-complexity mitigation of cache side channel attacks , 2012, TACO.

[12]  Dmitry V. Ponomarev,et al.  Covert Channels through Random Number Generator: Mechanisms, Capacity Estimation and Mitigations , 2016, CCS.

[13]  Gorazd Kandus,et al.  Feeling Secure vs. Being Secure the Mobile Phone User Case , 2011, ICGS3/e-Democracy.

[14]  David Brumley,et al.  Remote timing attacks are practical , 2003, Comput. Networks.

[15]  Johannes Götzfried,et al.  Cache Attacks on Intel SGX , 2017, EUROSEC.

[16]  Taesoo Kim,et al.  Breaking Kernel Address Space Layout Randomization with Intel TSX , 2016, CCS.

[17]  Aurélien Francillon,et al.  C5: Cross-Cores Cache Covert Channel , 2015, DIMVA.

[18]  Nael B. Abu-Ghazaleh,et al.  Covert channels through branch predictors: a feasibility study , 2015, HASP@ISCA.

[19]  Nael B. Abu-Ghazaleh,et al.  Understanding and Mitigating Covert Channels Through Branch Predictors , 2016, ACM Trans. Archit. Code Optim..

[20]  Johannes Winter,et al.  Trusted computing building blocks for embedded linux-based ARM trustzone platforms , 2008, STC '08.

[21]  Hovav Shacham,et al.  On the effectiveness of address-space randomization , 2004, CCS '04.

[22]  Onur Aciiçmez,et al.  Predicting Secret Keys Via Branch Prediction , 2007, CT-RSA.

[23]  Ryan Riley,et al.  Flexible Hardware-Managed Isolated Execution: Architecture, Software Support and Applications , 2016, IEEE Transactions on Dependable and Secure Computing.