Abstract
Covert channels through shared processor resources provide secret communication between two malicious processes: the trojan and the spy. In this article, we classify, analyze, and compare covert channels through dynamic branch prediction units in modern processors. Through experiments on a real hardware platform, we compare the contention-based channel with the channel that exploits the branch predictor’s residual state. We analyze these channels in SMT and single-threaded environments under both clean and noisy conditions. Our results show that the residual state-based channel provides a cleaner signal and is effective even in noisy execution environments with another application sharing the same physical core with the trojan and the spy. We also estimate the capacity of the branch predictor covert channels and describe a software-only mitigation technique that is based on randomizing the state of the predictor tables on context switches. We show that this protection eliminates all covert channels through the branch prediction unit with minimal impact on performance.
Index Terms
- Understanding and Mitigating Covert Channels Through Branch Predictors