ORCID ID
https://orcid.org/0009-0008-0526-5821
Date Awarded
2024
Document Type
Dissertation
Degree Name
Doctor of Philosophy (Ph.D.)
Department
Computer Science
Advisor
Dmitry DE Evtyushkin
Committee Member
Antonio AI Iglesias
Committee Member
Bin BR Ren
Committee Member
Robert RL Lewis
Committee Member
Stephen SH Herwig
Abstract
Modern microprocessors utilize branch prediction and speculative execution to enhance instruction throughput. Instead of stalling the pipeline and waiting for branch targets to be computed, the CPU consults branch predictors for a possible destination and executes speculatively. These microarchitectural techniques improve the efficiency of instruction pipelining and out-of-order execution, enabling higher performance and better resource utilization. Despite their widespread adoption, the security implications of branch misprediction and transient execution drew little attention until recently. In early 2018, the discovery of Spectre attacks exposed critical vulnerabilities in CPUs, undermining both software and hardware isolation and confidentiality. These attacks exploit the side effects of speculative execution that stem from branch predictions. By manipulating branch predictors to generate incorrect predictions, an attacker can trigger speculative execution that bypasses bounds checks or operates on arbitrary memory. Consequently, such exploits can access sensitive data during speculative execution and then exfiltrate the information through various microarchitectural side channels. Spectre and its variants pose a significant security threat that is challenging to mitigate, and existing defenses often come with substantial performance overheads. This dissertation tackles the threat from two perspectives. First, we enhance the understanding of exploitable hardware primitives by introducing new transient trojan attacks. Second, we propose secure microarchitecture designs that do not compromise performance. We first challenge the perception that the triggers and effects of transient execution attacks are fully understood and that existing protections leave no room for any attack to occur. We present transient trojans, software modules that conceal malicious activity within transient execution mode. These trojans appear entirely benign and pass static and dynamic analysis checks, but reveal sensitive data when triggered. To construct these trojans, we conducted a comprehensive analysis of the current attack surface in light of recommended mitigation techniques. We uncovered new exploitation techniques by reverse-engineering the branch predictors of a selection of recent x86_64 processors. Leveraging these findings, we design three types of transient trojans, showcasing their effectiveness and their ability to evade detection. Second, we present the secret token branch predictor unit (STBPU), a secure BPU design that defends against collision-based speculative execution attacks and BPU side channels with minimal performance impact. Securing branch predictors is challenging, as techniques like partitioning or flushing the BPU only partially mitigate collision-based exploits. Moreover, such mitigations reduce branch prediction accuracy, leading to overall CPU performance degradation. STBPU resolves these challenges by customizing BPU data representations for each software entity that requires isolation. Furthermore, STBPU monitors related hardware events and preemptively adjusts the BPU data representations.
DOI
https://dx.doi.org/10.21220/s2-wf6j-dd94
Rights
© The Author
Recommended Citation
Zhang, Tao, "Exploring Transient Execution Vulnerabilities, Side-Channel Attacks, And Defenses" (2024). Dissertations, Theses, and Masters Projects. William & Mary. Paper 1717521757.
https://dx.doi.org/10.21220/s2-wf6j-dd94