One of the most prevalent source of side channel vulnerabilities is the secret-dependent behavior of conditional branches (SDBCB). The state-of-the-art solution relies on Constant-Time Expressions, which require high programming effort and incur high performance overheads. In this paper, we propose SeMPE, an approach that relies on architecture support to eliminate SDBCB without requiring much programming effort while incurring low performance overheads. The key idea is that when a secret-dependent branch is encountered, the SeMPE microarchitecture fetches, executes, and commits both paths of the branch, preventing the adversary from inferring secret values from the branching behavior of the program. To enable that, SeMPE relies on an architecture that is capable of safely executing both branch paths sequentially. Through microbenchmarks and an evaluation of a real-world library, we show that SeMPE incurs near ideal execution time overheads, which is the sum of the execution time of all branch paths of secret-dependent branches. SeMPE outperforms code generated by FaCT, a constant-time expression language, by up to a factor of 18x.

中文翻译：

---

SeMPE：用于移除条件分支侧通道的安全多路径执行架构

侧信道漏洞最普遍的来源之一是条件分支 (SDBCB) 的秘密相关行为。最先进的解决方案依赖于常量时间表达式，这需要大量的编程工作并会产生很高的性能开销。在本文中，我们提出了 SeMPE，这是一种依赖架构支持来消除 SDBCB 的方法，不需要太多的编程工作，同时会产生低性能开销。关键思想是，当遇到依赖于秘密的分支时，SeMPE 微架构获取、执行和提交分支的两条路径，防止对手从程序的分支行为中推断出秘密值。为了实现这一点，SeMPE 依赖于能够安全地依次执行两个分支路径的架构。通过微基准测试和对真实世界库的评估，我们表明 SeMPE 会产生接近理想的执行时间开销，这是秘密相关分支的所有分支路径的执行时间的总和。SeMPE 的性能比 FaCT（一种恒定时间表达式语言）生成的代码高 18 倍。