Branch Prediction Attack on Blinded Scalar Multiplication

Bhattacharya, Sarani; Maurice, Clémentine; Bhasin, Shivam; Mukhopadhyay, Debdeep

doi:10.1109/tc.2019.2958611

Cited by 12 publications

(8 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The feedforward loop of the PUF circuit is shown in Figure 6, and its quantity has a significant impact on the stability and ML attack resistance of the PUF circuit. The relationship between the number of feedforward circuits NumFF (only consider the original APUF) and the number of interval switch units NumSU is shown in Equation (6).…”

Section: The Confidentiality Protection Modulementioning

confidence: 99%

A Hardware Security Protection Method for Conditional Branches of Embedded Systems

Hao,

Xu,

Qin

et al. 2024

Preprint

View full text Add to dashboard Cite

The branch prediction units (BPUs) generally have security vulnerabilities, which can be used by attackers to obtain the execution status, jump directions, and jump address of conditional branches, and the existing protection methods cannot defend against these attacks. Therefore, this article proposes a hardware security protection method for conditional branches of embedded systems. This method calculates the number of updates to the branch target buffer (BTB). When it exceeds the threshold, BTB is locked to prevent attackers from analyzing the execution status of branches based on the time difference of whether BTB is updated. Moreover, the hybrid physical unclonable function (PUF) circuit is designed to provide confidentiality protection for the jump directions, jump addresses, and their indexes, preventing attackers from stealing these critical data. If these mechanism fails and attackers successfully tamper with conditional branches, this paper proposes a control flow integrity (CFI) protection mechanism based on branch labels to timely detect tampering with instruction codes, jump addresses, and jump directions. The proposed method is implemented and tested on FPGA. The experimental results show that this method can achieve fine-grained security protection for conditional branches, with about 5.4% resource overhead and less than 5.5% performance overhead.

show abstract

Section: The Confidentiality Protection Modulementioning

confidence: 99%

A Hardware Security Protection Method for Conditional Branches of Embedded Systems

Hao,

Xu,

Qin

et al. 2024

Preprint

View full text Add to dashboard Cite

show abstract

“…Uzelac et al [31] proposed a methodology to reverseengineer branch predictors. Bhattacharya et al [1] reconstructed the branch direction predictors of Intel CPUs from Nehalem to Broadwell and showed their consistency with 2bit (Nehalem) or 3-bit saturating counters. This insight led to a side-channel attack on blinded scalar multiplication.…”

Section: Reverse Engineering Of Other Componentsmentioning

confidence: 99%

Characterizing Prefetchers using CacheObserver

Didier

Maurice

Geimer

et al. 2022

2022 IEEE 34th International Symposium on Computer Architecture and High Performance Computing (SBAC-PAD)

Self Cite

View full text Add to dashboard Cite

Hardware prefetchers are mostly undocumented micro-architectural components of the cache hierarchy, with performance and security implications. Intel CPUs feature four named prefetchers whose behaviors are generally unknown. We build CacheObserver, a generic framework to study prefetchers on Intel CPUs and the first to use the Flush+Flush primitive, unlike previous studies using Flush+Reload. We apply this framework to characterize the L2 Stream prefetcher on the Intel Whiskey and Coffee Lake micro-architectures and uncover the behavior of the L2 Stream prefetcher upon the first few accesses in a page. We also uncover interactions at the L2 level between the Stream and the Adjacent Cache Line prefetchers.

show abstract

“…This structure is used as a base predictor to predict the direction of conditional branches. Previous studies [7], [18], [25], [85] indicated presence of mechanism similar to gshare [83] with two modes of addressing: the simple 1-level mode where virtual address of branch is used to find a PHT entry, and a more complex 2-level mode where the branch virtual address is hashed with global history register (GHR) enabling accurate prediction complex patterns. RSB is used to predict return instructions.…”

Section: B Bpu Baseline Modelmentioning

confidence: 99%

STBPU: A Reasonably Secure Branch Prediction Unit

Zhang¹,

Lesch²,

Koltermann³

et al. 2021

Preprint

View full text Add to dashboard Cite

Modern processors have suffered a deluge of dangerous side channel and speculative execution attacks that exploit vulnerabilities rooted in branch predictor units (BPU). Many such attacks exploit the shared use of the BPU between unrelated processes, which allows malicious processes to retrieve sensitive data or enable speculative execution attacks. Attacks that exploit collisions between different branch instructions inside the BPU are among the most dangerous. Various protections and mitigations are proposed such as CPU microcode updates, secured cache designs, fencing mechanisms, invisible speculations. While some effectively mitigate speculative execution attacks, they overlook BPU as an attack vector, leaving BPU prone to malicious collisions and resulting critical penalty such as advanced micro-op cache attacks. Furthermore, some mitigations severely hamper the accuracy of the BPU resulting in increased CPU performance overhead. To address these, we present the secret token branch predictor unit (STBPU), a branch predictor design that mitigates collision-based speculative execution attacks and BPU side channel whilst incurring little to no performance overhead. STBPU achieves this by customizing inside data representations for each software entity requiring isolation. To prevent more advanced attacks, STBPU monitors hardware events and preemptively changes how STBPU data is stored and interpreted.

show abstract

Branch Prediction Attack on Blinded Scalar Multiplication

Cited by 12 publications

References 30 publications

A Hardware Security Protection Method for Conditional Branches of Embedded Systems

A Hardware Security Protection Method for Conditional Branches of Embedded Systems

Characterizing Prefetchers using CacheObserver

STBPU: A Reasonably Secure Branch Prediction Unit

Contact Info

Product

Resources

About