Covert channels through branch predictors: a feasibility study

Covert channels through shared processor resources provide secret communication between malicious processes. In this paper, we introduce a new mechanism for covert communication using the processor branch prediction unit. Specifically, we demonstrate how a trojan and a spy can manipulate the branch prediction tables in a way that creates high-capacity, robust and noise-resilient covert channel. We demonstrate this covert channel on a real hardware platform both in Simultaneous Multi-Threading (SMT) and single-threaded settings. We also discuss techniques for improving the channel quality and outline possible defenses to protect against this covert channel.

[1]  Nael B. Abu-Ghazaleh,et al.  Iso-X: A Flexible Architecture for Hardware-Managed Isolated Execution , 2014, 2014 47th Annual IEEE/ACM International Symposium on Microarchitecture.

[2]  Carlos V. Rozas,et al.  Innovative instructions and software model for isolated execution , 2013, HASP '13.

[3]  Daniel A. Jiménez,et al.  Fast Path-Based Neural Branch Prediction , 2003, MICRO.

[4]  Nael B. Abu-Ghazaleh,et al.  Non-monopolizable caches: Low-complexity mitigation of cache side channel attacks , 2012, TACO.

[5]  Steven Gianvecchio,et al.  Detecting covert timing channels: an entropy-based approach , 2007, CCS '07.

[6]  Guru Venkataramani,et al.  CC-Hunter: Uncovering Covert Timing Channels on Shared Processor Hardware , 2014, 2014 47th Annual IEEE/ACM International Symposium on Microarchitecture.

[7]  Frederic T. Chong,et al.  Complete information flow tracking from the gates up , 2009, ASPLOS.

[8]  Hovav Shacham,et al.  Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds , 2009, CCS.

[9]  Jean-Pierre Seifert,et al.  On the power of simple branch prediction analysis , 2007, ASIACCS '07.

[10]  Chris Feucht,et al.  Exploring Efficient SMT Branch Predictor Design , 2003 .

[11]  Onur Aciiçmez,et al.  Predicting Secret Keys Via Branch Prediction , 2007, CT-RSA.

[12]  Ryan Kastner,et al.  Leveraging Gate-Level Properties to Identify Hardware Timing Channels , 2014, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems.

[13]  Ruby B. Lee,et al.  Covert and Side Channels Due to Processor Architecture , 2006, 2006 22nd Annual Computer Security Applications Conference (ACSAC'06).

[14]  Emmett Witchel,et al.  InkTag: secure applications on an untrusted operating system , 2013, ASPLOS '13.

[15]  Zhenyu Wu,et al.  Whispers in the Hyper-space: High-speed Covert Channel Attacks in the Cloud , 2012, USENIX Security Symposium.

[16]  Yao Wang,et al.  Timing channel protection for a shared memory controller , 2014, HPCA.

[17]  Michael K. Reiter,et al.  HomeAlone: Co-residency Detection in the Cloud via Side-Channel Analysis , 2011, 2011 IEEE Symposium on Security and Privacy.

[18]  Alexandros G. Dimakis,et al.  Understanding contention-based channels and using them for defense , 2015, 2015 IEEE 21st International Symposium on High Performance Computer Architecture (HPCA).

[19]  Kevin Skadron,et al.  The effects of context switching on branch predictor performance , 2001, 2001 IEEE International Symposium on Performance Analysis of Systems and Software. ISPASS..

[20]  X. Zhang,et al.  BusMonitor : A Hypervisor-Based Solution for Memory Bus Covert Channels , 2013 .

[21]  Y.N. Patt,et al.  Using Hybrid Branch Predictors to Improve Branch Prediction Accuracy in the Presence of Context Switches , 1996, 23rd Annual International Symposium on Computer Architecture (ISCA'96).

[22]  S. McFarling Combining Branch Predictors , 1993 .