ORCID ID

https://orcid.org/0009-0008-0526-5821

Date Awarded

2024

Document Type

Dissertation

Degree Name

Doctor of Philosophy (Ph.D.)

Department

Computer Science

Advisor

Dmitry DE Evtyushkin

Committee Member

Antonio AI Iglesias

Committee Member

Bin BR Ren

Committee Member

Robert RL Lewis

Committee Member

Stephen SH Herwig

Abstract

Modern microprocessors utilize branch prediction and speculative execution to enhance instruction throughput. Instead of stalling the pipeline and waiting for branch targets to be computed, the CPU consults branch predictors for a possible destination and performs speculative execution. These microarchitectural techniques improve the efficiency of instruction pipelining and out-of-order execution, enabling higher performance and better resource utilization. Despite their widespread adoption, the potential security implications of branch misprediction and transient execution did not draw much attention until recently. Around early 2018, the discovery of Spectre attacks exposed critical vulnerabilities in CPUs, undermining both software and hardware isolation and confidentiality. These attacks exploit the side effects of speculative execution stemming from branch predictions. By manipulating branch predictors to generate incorrect predictions, an attacker can trigger speculative execution to bypass bounds checks or operate on arbitrary memory space. Consequently, such exploits can access sensitive data during speculative execution and then exfiltrate the information through various microarchitectural side channels. Spectre and its variants pose a significant security threat that is challenging to mitigate, and existing defenses often come with substantial performance overheads. This dissertation tackles the threat from two perspectives. We first enhance the understanding of exploitable hardware primitives by introducing new transient trojan attacks. Second, we propose secure microarchitecture designs without compromising performance. We first challenge the perception that the triggers and effects of transient execution attacks are fully understood and that the existing protections leave no room for any attack to occur. We present transient trojans, software modules that conceal malicious activity within transient execution mode. These trojans appear entirely benign and pass static and dynamic analysis checks, yet reveal sensitive data when triggered. To construct these trojans, we conducted a comprehensive analysis of the current attack surface in light of recommended mitigation techniques. We uncovered new exploitation techniques through reverse-engineering the branch predictors in a selection of recent x86_64 processors. Leveraging these findings, we design three types of transient trojans, showcasing their ability to evade detection and their effectiveness. Second, we present the secret token branch predictor unit (STBPU), a secure BPU design that defends against collision-based speculative execution attacks and BPU side channels with minimal performance impact. Securing branch predictors is challenging, as techniques like partitioning or flushing the BPU only partially mitigate collision-based exploits. Moreover, such mitigations compromise branch prediction accuracy, leading to overall CPU performance degradation. STBPU resolves these challenges by customizing BPU data representations for each software entity that requires isolation. Furthermore, STBPU monitors related hardware events and preemptively adjusts BPU data representations.

DOI

https://dx.doi.org/10.21220/s2-wf6j-dd94

Rights

© The Author