DOI: 10.1145/3373376.3378526

Exploring Branch Predictors for Constructing Transient Execution Trojans

Published: 13 March 2020

Abstract

Transient execution is one of the most critical features used in CPUs to achieve high performance. Recent Spectre attacks demonstrated how this feature can be manipulated to force applications to reveal sensitive data. The industry quickly responded with a series of software and hardware mitigations, among which microcode patches are the most prevalent and trusted. In this paper, we argue that currently deployed protections still leave room for constructing attacks. We do so by presenting transient trojans, software modules that conceal their malicious activity within transient execution mode. They appear completely benign and pass static and dynamic analysis checks, but reveal sensitive data when triggered. To construct these trojans, we perform a detailed analysis of the attack surface currently present in today's systems with respect to the recommended mitigation techniques. We reverse engineer branch predictors in several recent x86_64 processors, which allows us to uncover previously unknown exploitation techniques. Using these techniques, we construct three types of transient trojans and demonstrate their stealthiness and practicality.

Published In

ASPLOS '20: Proceedings of the Twenty-Fifth International Conference on Architectural Support for Programming Languages and Operating Systems
March 2020
1412 pages
ISBN:9781450371025
DOI:10.1145/3373376
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. branch predictor
  2. covert channel
  3. microarchitecture security
  4. reverse-engineering
  5. side channel
  6. spectre attack
  7. trojan

Qualifiers

  • Research-article

Conference

ASPLOS '20

Acceptance Rates

Overall Acceptance Rate 535 of 2,713 submissions, 20%

Article Metrics

  • Downloads (Last 12 months): 375
  • Downloads (Last 6 weeks): 40

Reflects downloads up to 10 Dec 2024

Cited By

  • (2024) Pathfinder: High-Resolution Control-Flow Attacks Exploiting the Conditional Branch Predictor. Proceedings of the 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 3 (770-784). DOI: 10.1145/3620666.3651382. Online publication date: 27-Apr-2024
  • (2024) BTIDEC: A Novel Detection Scheme for CPU Security of Consumer Electronics. IEEE Transactions on Consumer Electronics 70:1 (4515-4523). DOI: 10.1109/TCE.2023.3323621. Online publication date: Feb-2024
  • (2024) Modeling, Derivation, and Automated Analysis of Branch Predictor Security Vulnerabilities. 2024 IEEE International Symposium on High-Performance Computer Architecture (HPCA) (409-423). DOI: 10.1109/HPCA57654.2024.00038. Online publication date: 2-Mar-2024
  • (2023) BunnyHop. Proceedings of the 32nd USENIX Conference on Security Symposium (7321-7337). DOI: 10.5555/3620237.3620647. Online publication date: 9-Aug-2023
  • (2023) The gates of time. Proceedings of the 32nd USENIX Conference on Security Symposium (1955-1972). DOI: 10.5555/3620237.3620347. Online publication date: 9-Aug-2023
  • (2023) Half&Half: Demystifying Intel’s Directional Branch Predictors for Fast, Secure Partitioned Execution. 2023 IEEE Symposium on Security and Privacy (SP) (1220-1237). DOI: 10.1109/SP46215.2023.10179415. Online publication date: May-2023
  • (2023) Half&Half: Demystifying Intel’s Directional Branch Predictors for Fast, Secure Partitioned Execution. 2023 IEEE Symposium on Security and Privacy (SP) (1220-1237). DOI: 10.1109/SP46215.2023.10179309. Online publication date: May-2023
  • (2023) BeKnight: Guarding Against Information Leakage in Speculatively Updated Branch Predictors. 2023 IEEE/ACM International Conference on Computer Aided Design (ICCAD) (01-09). DOI: 10.1109/ICCAD57390.2023.10323658. Online publication date: 28-Oct-2023
  • (2023) You Cannot Always Win the Race: Analyzing mitigations for branch target prediction attacks. 2023 IEEE 8th European Symposium on Security and Privacy (EuroS&P) (671-686). DOI: 10.1109/EuroSP57164.2023.00046. Online publication date: Jul-2023
  • (2023) TALUS: Reinforcing TEE Confidentiality with Cryptographic Coprocessors. Financial Cryptography and Data Security (147-165). DOI: 10.1007/978-3-031-47754-6_9. Online publication date: 1-Dec-2023
