Understanding and Mitigating Covert Channels Through Branch Predictors

Authors:
Dmitry Evtyushkin

State University of New York at Binghamton

State University of New York at Binghamton
View Profile

,
Dmitry Ponomarev

State University of New York at Binghamton

State University of New York at Binghamton
View Profile

,
Nael Abu-Ghazaleh

University of California, Riverside

University of California, Riverside
View Profile

ACM Transactions on Architecture and Code Optimization Volume 13 Issue 1Article No.: 10pp 1–23https://doi.org/10.1145/2870636

Published:07 March 2016Publication History

ACM Transactions on Architecture and Code Optimization

Abstract

Covert channels through shared processor resources provide secret communication between two malicious processes: the trojan and the spy. In this article, we classify, analyze, and compare covert channels through dynamic branch prediction units in modern processors. Through experiments on a real hardware platform, we compare contention-based channel and the channel that is based on exploiting the branch predictor’s residual state. We analyze these channels in SMT and single-threaded environments under both clean and noisy conditions. Our results show that the residual state-based channel provides a cleaner signal and is effective even in noisy execution environments with another application sharing the same physical core with the trojan and the spy. We also estimate the capacity of the branch predictor covert channels and describe a software-only mitigation technique that is based on randomizing the state of the predictor tables on context switches. We show that this protection eliminates all covert channels through the branch prediction unit with minimal impact on performance.

References

O. Aciicmez, K. Koc, and J. Seifert. 2007a. On the power of simple branch prediction analysis. In Proceedings of the Symposium on Information, Computer, and Communication Security (ASIACCS’07). IEEE, Los Alamitos, CA. Google ScholarDigital Library
O. Aciicmez, K. Koc, and J. Seifert. 2007b. Predicting secret keys via branch prediction. In Proceedings of the Cryptographers’ Track at the RSA Conference. Google ScholarDigital Library
Aslan Askarov, Danfeng Zhang, and Andrew C. Myers. 2010. Predictive black-box mitigation of timing channels. In Proceedings of the 17th ACM Conference on Computer and Communications Security. ACM, New York, NY, 297--307. Google ScholarDigital Library
J. Chen and G. Venkataramani. 2014. CC-hunter: Uncovering covert timing channels on shared processor hardware. In Proceedings of the 47th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO-47). ACM, New York, NY, 216--228. Google ScholarDigital Library
M. Co and K. Skadron. 2001. The effects of context switching on branch predictor performance. In Proceedings of the 2001 IEEE International Symposium for Performance Analysis of Systems and Software.Google Scholar
L. Domnitser, A. Jaleel, J. Loew, N. Abu-Ghazaleh, and D. Ponomarev. 2012. Non-monopolizable caches: Low-complexity mitigation of cache side-channel attacks. ACM Transactions on Architecture and Code Optimization 8, 4, Article No. 35. Google ScholarDigital Library
Jesse Elwell, Ryan Riley, Nael Abu-Ghazaleh, and Dmitry Ponomarev. 2014. A non-inclusive memory permissions architecture for protection against cross-layer attacks. In Proceedings of the 2014 IEEE International Symposium on High Performance Computer Architecture (HPCA’14). IEEE, Los Alamitos, CA.Google ScholarCross Ref
Jesse Elwell, Ryan Riley, Nael Abu-Ghazaleh, Dmitry Ponomarev, and Iliano Cervesato. 2015. Rethinking memory permissions for protection against cross-layer attacks. ACM Transactions on Architecture and Code Optimization 12, 4, Article No. 56. Google ScholarDigital Library
Marius Evers, Po-Yung Chang, and Yale N. Patt. 1996. Using hybrid branch predictors to improve branch prediction accuracy in the presence of context switches. ACM SIGARCH Computer Architecture News 24, 3--11. Google ScholarDigital Library
Dmitry Evtyushkin, Jesse Elwell, Meltem Ozsoy, Dmitry Ponomarev, Nael Abu Ghazaleh, and Ryan Riley. 2014. Iso-x: A flexible architecture for hardware-managed isolated execution. In Proceedings of the 2014 47th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO-47). IEEE, Los Alamitos, CA, 190--202. Google ScholarDigital Library
Dmitry Evtyushkin, Dmitry Ponomarev, and Nael Abu-Ghazaleh. 2015. Covert channels through branch predictors: A feasibility study. In Proceedings of the 4th Workshop on Hardware and Architectural Support for Security and Privacy. ACM, New York, NY, 5. Google ScholarDigital Library
Virgil D. Gligor. 1993. A Guide to Understanding Covert Channel Analysis of Trusted Systems. National Computer Security Center.Google Scholar
Mordechai Guri, Matan Monitz, Yisroel Mirski, and Yuval Elovici. 2015. BitWhisper: Covert signaling channel between air-gapped computers using thermal manipulations. arXiv:1503.07919.Google Scholar
Richard W. Hamming. 1950. Error detecting and error correcting codes. Bell System Technical Journal 29, 2, 147--160.Google ScholarCross Ref
O. Hofmann, S. Kim, A. Dunn, M. Lee, and E. Witchel. 2013. InkTag: Secure applications on an untrusted operating system. In Proceedings of the 18th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS’13). 265--278. Google ScholarDigital Library
Wei-Ming Hu. 1992. Lattice scheduling and covert channels. In Proceedings of the 1992 IEEE Computer Society Symposium on Research in Security and Privacy. IEEE, Los Alamitos, CA, 52--61. Google ScholarDigital Library
Casen Hunger, Mikhail Kazdagli, Ankit Rawat, Alex Dimakis, Sriram Vishwanath, and Mohit Tiwari. 2015. Understanding contention-based channels and using them for defense. In Proceedings of the 2015 IEEE 21st International Symposium on High Performance Computer Architecture (HPCA’15). IEEE, Los Alamitos, CA, 639--650.Google ScholarCross Ref
Intel. 2010. Intel 64 and IA-32 Architectures Software Developer Manual. Available at http://www.intel.comGoogle Scholar
Alexey Kopytov. 2004. SysBench: A System Performance Benchmark. https://github.com/akopytov/sysbench.Google Scholar
Scott McFarling. 1993. Combining Branch Predictors. Technical Report TN-36. Digital Western Research Laboratory.Google Scholar
F. McKeen, I. Alexandrovich, A. Berenzon, C. Rozas, H. Shafi, V. Shanbhogue, and U. Svagaonkar. 2013. Innovative instructions and software model for isolated execution. In Proceedings of the 2nd International Workshop on Hardware and Architectural Support for Security and Privacy (HASP’13). Article No. 10. Google ScholarDigital Library
J. Oberg, S. Meiklejohn, T. Sherwood, and R. Castner. 2014. Leveraging gate-level properties to identify hardware timing channels. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 33, 9, 1288--1301.Google ScholarCross Ref
Matt Ramsay, Chris Feucht, and Mikko H. Lipasti. 2003. Exploring efficient SMT branch predictor design. In Proceedings of the Workshop on Complexity-Effective Design, in Conjunction with ISCA.Google Scholar
Ashay Rane, Calvin Lin, and Mohit Tiwari. 2015. Raccoon: Closing digital side-channels through obfuscated execution. In Proceedings of the 24th USENIX Security Symposium (USENIX Security’15). 431--446. Google ScholarDigital Library
T. Ristenpart, E. Tromer, H. Shacham, and S. Savage. 2009. Hey, you, get off of my cloud: Exploring information leakage in third-party compute clouds. In Proceedings of the ACM Conference on Computer and Communications Security. ACM, New York, NY. Google ScholarDigital Library
B. Saltaformaggio, D. Xu, and X. Zhang. 2013. BusMonitor: A hypervisor-based solution for memory bus covert channels. In Proceedings of the 2013 European Workshop on System Security (EUROSEC’13).Google Scholar
M. Tiwari, H. Wassel, B. Mazloom, S. Mysore, F. Chong, and T. Sherwood. 2009. Complete information flow tracking from the gates up. In Proceedings of the 14th International Conference on Architectureal Support for Programming Languages and Operating Systems (ASPLOS XIV). ACM, New York, NY, 109--120. Google ScholarDigital Library
Y. Wang, A. Ferraiuolo, and E. Suh. 2014a. Timing channel protection for a shared memory controller. In Proceedings of the International Symposium on High Performance Computer Architecture. IEEE, Los Alamitos, CA.Google Scholar
Yao Wang, Andrew Ferraiuolo, and G. Edward Suh. 2014b. Timing channel protection for a shared memory controller. In Proceedings of the 2014 IEEE 20th International Symposium on High Performance Computer Architecture (HPCA’14). IEEE, Los Alamitos, CA, 225--236.Google Scholar
Z. Wang and R. Lee. 2006. Covert and side channels due to processor architecture. In Proceedings of the Annual Computer Security Applications Conference. IEEE, Los Alamitos, CA. Google ScholarDigital Library
John C. Wray. 1991. An analysis of covert timing channels. In Proceedings of the 1991 IEEE Computer Society Symposium on Research in Security and Privacy. IEEE, Los Alamitos, CA, 2--7.Google ScholarCross Ref
Z. Wu and H. Wang. 2012. Whispers in the hyper-space: High-speed covert channel attacks in the cloud. In Proceedings of the 21st USENIX Security Symposium. 9. Google ScholarDigital Library
Yuanzhong Xu, Weidong Cui, and Marcus Peinado. 2015. Controlled-channel attacks: Deterministic side channels for untrusted operating systems. In Proceedings of the 2015 36th IEEE Symposium on Security and Privacy (S&P’’15). 640--656. Google ScholarDigital Library
Bennet Yee, David Sehr, Gregory Dardyk, J. Bradley Chen, Robert Muth, Tavis Ormandy, Shiki Okasaka, Neha Narula, and Nicholas Fullagar. 2009. Native client: A sandbox for portable, untrusted x86 native code. In Proceedings of the 2009 30th IEEE Symposium on Security and Privacy (S&P’’09). IEEE, Los Alamitos, CA, 79--93. Google ScholarDigital Library
Yinqian Zhang, Ari Juels, Alina Oprea, and Michael K. Reiter. 2011. Homealone: Co-residency detection in the cloud via side-channel analysis. In Proceedings of the 32nd 2011 IEEE Symposium on Security and Privacy (S&P’’11). 313--328. Google ScholarDigital Library

Index Terms

Understanding and Mitigating Covert Channels Through Branch Predictors
1. Computer systems organization
  1. Architectures
2. Security and privacy
  1. Security in hardware
  2. Systems security

Recommendations

Covert channels through branch predictors: a feasibility study
HASP '15: Proceedings of the Fourth Workshop on Hardware and Architectural Support for Security and Privacy

Covert channels through shared processor resources provide secret communication between malicious processes. In this paper, we introduce a new mechanism for covert communication using the processor branch prediction unit. Specifically, we demonstrate ...
Read More
Exploring Branch Predictors for Constructing Transient Execution Trojans
ASPLOS '20: Proceedings of the Twenty-Fifth International Conference on Architectural Support for Programming Languages and Operating Systems

Transient execution is one of the most critical features used in CPUs to achieve high performance. Recent Spectre attacks demonstrated how this feature can be manipulated to force applications to reveal sensitive data. The industry quickly responded ...
Read More
Branch classification: a new mechanism for improving branch predictor performance
MICRO 27: Proceedings of the 27th annual international symposium on Microarchitecture

There is wide agreement that one of the most important impediments to the performance of current and future pipelined superscalar processors is the presence of conditional branches in the instruction stream. Speculative execution seems to be one ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

Published in
ACM Transactions on Architecture and Code Optimization Volume 13, Issue 1
April 2016
347 pages
ISSN:1544-3566
EISSN:1544-3973
DOI:10.1145/2899032
Editor:
Koen De Bosschere
Ghent University
Issue’s Table of Contents
Copyright © 2016 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 7 March 2016
- Revised: 1 December 2015
- Accepted: 1 December 2015
- Received: 1 October 2015
Published in taco Volume 13, Issue 1

Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
Security
branch predictor
covert channel
Qualifiers
- research-article
- Research
- Refereed
Conference
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 54
  Total Citations
  View Citations
- 786
  Total Downloads
- Downloads (Last 12 months)124
- Downloads (Last 6 weeks)22
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Understanding and Mitigating Covert Channels Through Branch Predictors

ACM Transactions on Architecture and Code Optimization

Abstract

References

Cited By

Index Terms

Recommendations

Covert channels through branch predictors: a feasibility study

Exploring Branch Predictors for Constructing Transient Execution Trojans

Branch classification: a new mechanism for improving branch predictor performance