A Lightweight Isolation Mechanism for Secure Branch Predictors
arXiv - CS - Hardware Architecture Pub Date : 2020-05-17 , DOI: arxiv-2005.08183
Lutan Zhao, Peinan Li, Rui Hou, Michael C. Huang, Jiazhen Li, Lixin Zhang, Xuehai Qian, Dan Meng

Recently exposed vulnerabilities reveal the necessity of improving the security of branch predictors. Branch predictors record history about the execution of different programs, and this information from different processes is stored in the same structure and is thus accessible across processes. This leaves attackers with opportunities for malicious training and malicious perception. Instead of flush-based or physical isolation of hardware resources, we want to achieve isolation of the content in these hardware tables with some lightweight processing using randomization, as follows. (1) Content encoding. We propose to use hardware-based thread-private random numbers to encode the contents of the branch predictor tables (both direction and destination histories), which we call XOR-BP. Specifically, the data is encoded by an XOR operation with the key before being written to the table and decoded after being read from the table. Such a mechanism obfuscates the information, adding difficulty to cross-process or cross-privilege-level analysis and perception. It achieves an effect similar to logical isolation but adds little in terms of space or time overhead. (2) Index encoding. We propose a randomized index mechanism for the branch predictor (Noisy-XOR-BP). Similar to XOR-BP, another thread-private random number is used together with the branch instruction address as the input to compute the index of the branch predictor. This randomized indexing mechanism disrupts the correspondence between the branch instruction address and the branch predictor entry, thus increasing the noise for malicious perception attacks. Our analyses using an FPGA-based RISC-V processor prototype and additional auxiliary simulations suggest that the proposed mechanisms incur a very small performance cost while providing strong protection.
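A toy C model of the two encodings described in the abstract, added here as an illustration and not taken from the paper or its RISC-V prototype. The 256-entry direct-mapped target table, the 32-bit keys, the plain-XOR index mixing and every constant are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define BTB_BITS 8                       /* assumed: 256-entry direct-mapped table */
#define BTB_SIZE (1u << BTB_BITS)

/* Thread-private random numbers; in hardware these would be per-thread registers. */
typedef struct { uint32_t content_key, index_key; } thread_keys;

static uint32_t btb[BTB_SIZE];           /* shared table stores only encoded targets */

/* Index encoding: branch address mixed with a thread-private key
   (the mixing function is an assumption; the abstract does not specify it). */
static uint32_t btb_index(thread_keys k, uint32_t pc) {
    return ((pc >> 2) ^ k.index_key) & (BTB_SIZE - 1);
}

/* Content encoding: XOR with the key before the write... */
static void btb_update(thread_keys k, uint32_t pc, uint32_t target) {
    btb[btb_index(k, pc)] = target ^ k.content_key;
}

/* ...and XOR with the reader's key after the read. */
static uint32_t btb_predict(thread_keys k, uint32_t pc) {
    return btb[btb_index(k, pc)] ^ k.content_key;
}

int main(void) {
    /* Constructed sample keys and addresses. */
    thread_keys victim   = {0x5ac3910fu, 0x3bu};
    thread_keys other    = {0xc4e21d77u, 0xa6u};  /* both keys differ */
    thread_keys same_idx = {0xc4e21d77u, 0x3bu};  /* content encoding only */
    uint32_t pc = 0x00010400u, target = 0x00010a20u, planted = 0x00020000u;

    btb_update(victim, pc, target);
    printf("victim reads own entry     : 0x%08x\n", (unsigned)btb_predict(victim, pc));
    /* Same entry, different content key: the decoded value is not the target. */
    printf("other thread, same entry   : 0x%08x\n", (unsigned)btb_predict(same_idx, pc));
    /* Different index key: the same branch address maps to another entry. */
    printf("index victim=%u other=%u\n",
           (unsigned)btb_index(victim, pc), (unsigned)btb_index(other, pc));

    /* Cross-thread training through the same entry decodes to a garbled
       target for the victim, not the value the other thread wrote. */
    btb_update(same_idx, pc, planted);
    printf("victim after foreign update: 0x%08x\n", (unsigned)btb_predict(victim, pc));
    return 0;
}
```
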

Updated: 2020-05-20