Understanding and Mitigating Covert Channels Through Branch Predictors

Evtyushkin, Dmitry; Ponomarev, Dmitry; Abu-Ghazaleh, Nael

doi:10.1145/2870636

Cited by 65 publications

(25 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In addition to targeting cryptographic algorithms, side channels on the BPU can be used to perform other types of side-channel attacks, such as deriving kernel and userlevel ASLR offset [33], or covert channels [34], [35]. Recently, a side-channel attack on directional branch predictors was proposed [14].…”

Section: Microarchitectural Side-channel Attacksmentioning

confidence: 99%

Branch Prediction Attack on Blinded Scalar Multiplication

Bhattacharya¹,

Maurice²,

Bhasin³

et al. 2020

IEEE Trans. Comput.

View full text Add to dashboard Cite

In recent years, performance counters have been used as a side channel source to monitor branch mispredictions, in order to attack cryptographic algorithms. However, the literature considers blinding techniques as effective countermeasures against such attacks. In this work, we present the first template attack on the branch predictor. We target blinded scalar multiplications with a side-channel attack that uses branch misprediction traces. Since an accurate model of the branch predictor is a crucial element of our attack, we first reverse-engineer the branch predictor. Our attack proceeds with a first online acquisition step, followed by an offline template attack with a template building phase and a template matching phase. During the template matching phase, we use a strategy we call Deduce & Remove, to first infer the candidate values from templates based on a model of the branch predictor, and subsequently eliminate erroneous observations. This last step uses the properties of the target blinding technique to remove wrong guesses and thus naturally provides error correction in key retrieval. In the later part of the paper, we demonstrate a template attack on Curve1174 where the double-and-add always algorithm implementation is free from conditional branching on the secret scalar. In that case, we target the data-dependent branching based on the modular reduction operations of long integer multiplications. Such implementations still exist in open source software and can be vulnerable, even if top level safeguards like blinding are used. We provide experimental results on scalar splitting, scalar randomization, and point blinding to show that the secret scalar can be correctly recovered with high confidence. Finally, we conclude with recommendations on countermeasures to thwart such attacks.

show abstract

Section: Microarchitectural Side-channel Attacksmentioning

confidence: 99%

Branch Prediction Attack on Blinded Scalar Multiplication

Bhattacharya¹,

Maurice²,

Bhasin³

et al. 2020

IEEE Trans. Comput.

View full text Add to dashboard Cite

show abstract

“…Our BHB channel is the same as the residual state-based covert channel [Evtyushkin et al 2016], where the sender sends information by either taking or skiping a conditional jump instruction. The receiver measures the latency on a similar conditional jump instruction, sensing any speculative execution caused by the sender's history.…”

Section: Platform Cache Raw Full Flush Protectedmentioning

confidence: 99%

Time Protection

Yarom

Chothia

et al. 2019

Proceedings of the Fourteenth EuroSys Conference 2019

View full text Add to dashboard Cite

Where a licence is displayed above, please note the terms and conditions of the licence govern your use of this document. When citing, please reference the published version. Take down policy While the University of Birmingham exercises care and attention in making items available there are rare occasions when an item has been uploaded in error or has been deemed to be commercially or otherwise sensitive.

show abstract

“…Microarchitectural side-channel attacks. CPU sidechannel attacks [12,18,27,39,43,68,74] are well-studied, leading to defenses based on static or dynamic partitioning of caches [11,21,22,53,69], OS-and compiler-supported cache line locking [33,69], randomization of replacement [70] and fill [38] policies, timing noise injection [41], or managing traffic at the memory controller [59,67,76]. Covert Channels using shared GPU hardware [45] are a nascent area, including AES Key extraction using shared GPU hardware [24,25].…”

Section: Background and Related Workmentioning

confidence: 99%

Isolation and Beyond

Hunt

Jia

Miller

et al. 2019

Proceedings of the Workshop on Hot Topics in Operating Systems

View full text Add to dashboard Cite

System security has historically relied on hardware-provided isolation primitives. However, Meltdown [36] and Spectre [30] demonstrate that basic user/kernel isolation could be bypassed in every widely deployed ISA for decades; they are a caution to system designers who accept hardware isolation guarantees as an article of faith. Hardware isolation is fallible and should be considered fallible by software systems. We argue that future systems should broaden their view to adopt techniques that compensate for weaknesses in hardware isolation and should secure and optimize the communication among isolated components. Changing algorithms to be data oblivious, so that their externally observable behavior is independent of their (secret) input data is one such technique. Securing communication requires that the timing and size of messages be independent of secret data, but how best to achieve that independence so as to limit performance and energy overheads will vary from application to application. * CCS Concepts• Security and privacy → Systems security; Operating systems security;

show abstract

Understanding and Mitigating Covert Channels Through Branch Predictors

Cited by 65 publications

References 30 publications

Branch Prediction Attack on Blinded Scalar Multiplication

Branch Prediction Attack on Blinded Scalar Multiplication

Time Protection

Isolation and Beyond

Contact Info

Product

Resources

About