Exploiting Security Dependence for Conditional Speculation Against Spectre Attacks

Zhao, Lutan; Li, Peinan; Hou, Rui; Huang, Michael C.; Liu, Peng; Zhang, Lixin; Meng, Dan

doi:10.1109/tc.2020.2997555

Cited by 3 publications

(6 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Ref. [ 16 ] proposed a software protection method (Conditional Speculation) that limited the execution of memory instructions, which could resist attacks based on Spectre vulnerabilities. However, this method cannot prevent attackers from stealing branch information or monitoring the CFI.…”

Section: Discussionmentioning

confidence: 99%

“…Members of our lab have previously proposed various hardware security protection methods for embedded systems [ 11 , 12 , 13 , 14 , 15 ], but when applied, it was found that attackers could still exploit the vulnerabilities of BPUs to perform attacks. Therefore, we began to refer to existing methods [ 16 , 17 , 18 , 19 , 20 ].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

A Hardware Security Protection Method for Conditional Branches of Embedded Systems

Hao,

Xu,

Qin

et al. 2024

Micromachines

View full text Add to dashboard Cite

The branch prediction units (BPUs) generally have security vulnerabilities, which can be used by attackers to tamper with the branches, and the existing protection methods cannot defend against these attacks. Therefore, this article proposes a hardware security protection method for conditional branches of embedded systems. This method calculates the number of branch target buffer (BTB) updates every 80 clock cycles. If the number exceeds the set threshold, the BTB will be locked and prevent any process from tampering with the BTB entries, thereby resisting branch prediction analysis (BPA) attacks. Moreover, to prevent attackers from stealing the critical information of branches, the method designs the hybrid arbiter physical unclonable function (APUF) circuit to encrypt and decrypt the directions, addresses, and indexes of branches. This circuit combines the advantages of double APUF and Feed-Forward APUF, which can enhance the randomness of output response and resist machine learning attacks. If attackers still successfully tamper with the branches and disrupt the control flow integrity (CFI), this method detects tampering with the instruction codes, jump addresses, and jump directions in a timely manner through dynamic and static label comparison. The proposed method is implemented and tested on FPGA. The experimental results show that this method can achieve fine-grained security protection for conditional branches, with about 5.4% resource overhead and less than 5.5% performance overhead.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

A Hardware Security Protection Method for Conditional Branches of Embedded Systems

Hao,

Xu,

Qin

et al. 2024

Micromachines

View full text Add to dashboard Cite

show abstract

“…Ref. [15] proposed a software protection method (Conditional Speculation) that limited the execution of memory instructions, which could resist attacks based on Spectre vulnerabilities. However, this method cannot prevent attackers from stealing branch information or monitor the CFI.…”

Section: Comparison With Other Security Protection Methodsmentioning

confidence: 99%

“…Although the resource overhead of this method is low, it is difficult to balance the protection capability and performance overhead due to the simple mechanism of identifying spy processes. Conditional Speculation [15,23] dynamically identified dangerous access instructions by implementing different filtering mechanisms, but had a high performance overhead for some test programs. BRB [24] prevented malicious data injected by attackers from being used by assigning separate branch history tables (BHTs) to different programs, but had a high resource overhead and could not provide the effective protection for the shared parts.…”

Section: Prevent Obtaining the Execution Status Of Branchesmentioning

confidence: 99%

“…Members of our lab have previously proposed various hardware security protection methods for embedded systems [11][12][13][14], but when applied, it was found that attackers could still exploit the vulnerabilities of BPUs to perform attacks. Inspired by existing research [15][16][17][18], we started to focus 2 on the security of the jump directions and jump addresses of branches. We tried to restrict the target address of the jump instruction to be the starting address of a basic block (BB).…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

A Hardware Security Protection Method for Conditional Branches of Embedded Systems

Hao,

Xu,

Qin

et al. 2024

Preprint

View full text Add to dashboard Cite

The branch prediction units (BPUs) generally have security vulnerabilities, which can be used by attackers to obtain the execution status, jump directions, and jump address of conditional branches, and the existing protection methods cannot defend against these attacks. Therefore, this article proposes a hardware security protection method for conditional branches of embedded systems. This method calculates the number of updates to the branch target buffer (BTB). When it exceeds the threshold, BTB is locked to prevent attackers from analyzing the execution status of branches based on the time difference of whether BTB is updated. Moreover, the hybrid physical unclonable function (PUF) circuit is designed to provide confidentiality protection for the jump directions, jump addresses, and their indexes, preventing attackers from stealing these critical data. If these mechanism fails and attackers successfully tamper with conditional branches, this paper proposes a control flow integrity (CFI) protection mechanism based on branch labels to timely detect tampering with instruction codes, jump addresses, and jump directions. The proposed method is implemented and tested on FPGA. The experimental results show that this method can achieve fine-grained security protection for conditional branches, with about 5.4% resource overhead and less than 5.5% performance overhead.

show abstract

Let's Prevent Spectre Attacks in the Docker Containers Too

Khan

Kumbhar

Shamsi

2022

2022 International Conference on Frontiers of Information Technology (FIT)

View full text Add to dashboard Cite

Exploiting Security Dependence for Conditional Speculation Against Spectre Attacks

Cited by 3 publications

References 30 publications

A Hardware Security Protection Method for Conditional Branches of Embedded Systems

A Hardware Security Protection Method for Conditional Branches of Embedded Systems

A Hardware Security Protection Method for Conditional Branches of Embedded Systems

Let's Prevent Spectre Attacks in the Docker Containers Too

Contact Info

Product

Resources

About