More Web Proxy on the site http://driver.im/

research-article

Public Access

Exploring Branch Predictors for Constructing Transient Execution Trojans

Authors:

Kenneth Koltermann,

Dmitry EvtyushkinAuthors Info & Claims

ASPLOS '20: Proceedings of the Twenty-Fifth International Conference on Architectural Support for Programming Languages and Operating Systems

Pages 667 - 682

https://doi.org/10.1145/3373376.3378526

Published: 13 March 2020 Publication History

Abstract

Transient execution is one of the most critical features used in CPUs to achieve high performance. Recent Spectre attacks demonstrated how this feature can be manipulated to force applications to reveal sensitive data. The industry quickly responded with a series of software and hardware mitigations among which microcode patches are the most prevalent and trusted. In this paper, we argue that currently deployed protections still leave room for constructing attacks. We do so by presenting transient trojans, software modules that conceal their malicious activity within transient execution mode. They appear completely benign, pass static and dynamic analysis checks, but reveal sensitive data when triggered. To construct these trojans, we perform a detailed analysis of the attack surface currently present in today's systems with respect to the recommended mitigation techniques. We reverse engineer branch predictors in several recent x86_64 processors which allows us to uncover previously unknown exploitation techniques. Using these techniques, we construct three types of transient trojans and demonstrate their stealthiness and practicality.

References

[1]

2017. Intel® 64 and IA32 Architectures Performance Monitoring Events. https://software.intel.com/sites/default/files/managed/8b/6e/ 335279_performance_monitoring_events_guide.pdf.

[2]

2018. AMD. Software techniques for managing speculation on AMD processors.

[3]

2018. Detecting Spectre vulnerability exploits with static analysis.

[4]

2018. Intel Analysis of Speculative Execution Side Channels. https://newsroom.intel.com/wp-content/uploads/sites/11/2018/ 01/Intel-Analysis-of-Speculative-Execution-Side-Channels.pdf.

[5]

2018. LWN.net: Finding Spectre vulnerabilities with smatch. https: //lwn.net/Articles/752408/.

[6]

2019. Intel® 64 and IA-32 Architectures Optimization reference Manual. https://software.intel.com/sites/default/files/managed/9e/bc/ 64-ia-32-architectures-optimization-manual.pdf.

[7]

2019. Wikichip:Skylake(client)-Microarchitectures-Intel. https://en. wikichip.org/wiki/intel/microarchitectures/skylake_(client).

[8]

Nael Abu-Ghazaleh, Dmitry Ponomarev, and Dmitry Evtyushkin. 2019. How the spectre and meltdown hacks really worked. IEEE Spectrum 56, 3 (2019), 42--49.

Digital Library

[9]

Murugappan Alagappan, Jeyavijayan Rajendran, Milo Doroslovaki, and Guru Venkataramani. 2017. DFS covert channels on multi-core platforms. In 2017 IFIP/IEEE International Conference on Very Large Scale Integration (VLSI-SoC). IEEE, 1--6.

[10]

Eran Altshuler, Oded Lempel, Robert Valentine, and Nicolas Kacevas. 2007. Preventing a read of a next sequential chunk in branch prediction of a subject chunk. US Patent 7,174,444.

[11]

Nadav Amit, Fred Jacobs, and Michael Wei. 2019. JumpSwitches: Restoring the Performance of Indirect Branches In the Era of Spectre. In 2019 {USENIX} Annual Technical Conference ({USENIX} {ATC} 19). 285--300.

[12]

Marco Angelini, Graziano Blasilli, Pietro Borrello, Emilio Coppa, Daniele Cono D'Elia, Serena Ferracci, Simone Lenti, and Giuseppe Santucci. 2018. ROPMate: Visually Assisting the Creation of ROPbased Exploits. In 2018 IEEE Symposium on Visualization for Cyber Security (VizSec'18).

[13]

Roberto Baldoni, Emilio Coppa, Daniele Cono D'elia, Camil Demetrescu, and Irene Finocchi. 2018. A survey of symbolic execution techniques. ACM Computing Surveys (CSUR) 51, 3 (2018), 50.

Digital Library

[14]

Thomas Bourgeat, Ilia Lebedev, Andrew Wright, Sizhuo Zhang, and Srinivas Devadas. 2019. MI6: Secure enclaves in a speculative out-oforder processor. (2019), 42--56.

[15]

Claudio Canella, Jo Van Bulck, Michael Schwarz, Moritz Lipp, Benjamin Von Berg, Philipp Ortner, Frank Piessens, Dmitry Evtyushkin, and Daniel Gruss. 2019. A systematic evaluation of transient execution attacks and defenses. (2019), 249--266.

[16]

Po-Yung Chang, Eric Hao, Tse-Yu Yeh, and Yale Patt. 1996. Branch classification: a new mechanism for improving branch predictor performance. International Journal of Parallel Programming 24, 2 (1996), 133--158.

Digital Library

[17]

G. Chen, S. Chen, Y. Xiao, Y. Zhang, Z. Lin, and T. H. Lai. 2019. SgxPectre: Stealing Intel Secrets from SGX Enclaves Via Speculative Execution. (June 2019), 142--157. https://doi.org/10.1109/EuroSP.2019.00020

[18]

Jie Chen and Guru Venkataramani. 2014. Cc-hunter: Uncovering covert timing channels on shared processor hardware. In 2014 47th Annual IEEE/ACM International Symposium on Microarchitecture. IEEE, 216--228.

Digital Library

[19]

Sanchuan Chen, Fangfei Liu, Zeyu Mi, Yinqian Zhang, Ruby B Lee, Haibo Chen, and XiaoFeng Wang. 2018. Leveraging Hardware Transactional Memory for Cache Side-Channel Defenses. In Proceedings of the 2018 on Asia Conference on Computer and Communications Security. ACM, 601--608.

Digital Library

[20]

James Clause, Wanchun Li, and Alessandro Orso. 2007. Dytan: a generic dynamic taint analysis framework. In Proceedings of the 2007 international symposium on Software testing and analysis. ACM, 196-- 206.

Digital Library

[21]

Jonas Depoix and Philipp Altmeyer. 2018. Detecting Spectre Attacks by identifying Cache Side-Channel Attacks using Machine Learning. Advanced Microkernel Operating Systems (2018), 75.

[22]

Goran Doychev, Boris Köpf, Laurent Mauborgne, and Jan Reineke. 2015. Cacheaudit: A tool for the static analysis of cache side channels. ACM Transactions on Information and System Security (TISSEC) 18, 1 (2015), 4.

Digital Library

[23]

Dmitry Evtyushkin and Dmitry Ponomarev. 2016. Covert channels through random number generator: Mechanisms, capacity estimation and mitigations. In Proceedings of the 2016 ACM SIGSAC conference on computer and communications security. ACM, 843--857.

Digital Library

[24]

Dmitry Evtyushkin, Dmitry Ponomarev, and Nael Abu-Ghazaleh. 2016. Jump over ASLR: Attacking Branch Predictors to Bypass ASLR. In The 49th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO-49). IEEE Press, Piscataway, NJ, USA, Article 40, 13 pages. http://dl.acm.org/citation.cfm?id=3195638.3195686

Digital Library

[25]

Dmitry Evtyushkin, Ryan Riley, Nael CSE Abu-Ghazaleh, Dmitry Ponomarev, et al. 2018. Branchscope: A new side-channel attack on directional branch predictor. In ACM SIGPLAN Notices, Vol. 53. ACM, 693--707.

[26]

Andrew Ferraiuolo, Mark Zhao, Andrew C Myers, and G Edward Suh. 2018. HyperFlow: A processor architecture for nonmalleable, timing-safe information flow security. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. ACM, 1583--1600.

Digital Library

[27]

Gordon Fraser, FranzWotawa, and Paul E Ammann. 2009. Testing with model checkers: a survey. Software Testing, Verification and Reliability 19, 3 (2009), 215--261.

Digital Library

[28]

GCC. 2020. 6.39 Attribute Syntax. https://gcc.gnu.org/onlinedocs/gcc/ Attribute-Syntax.html.

[29]

Qian Ge, Yuval Yarom, David Cock, and Gernot Heiser. 2018. A survey of microarchitectural timing attacks and countermeasures on contemporary hardware. Journal of Cryptographic Engineering 8, 1 (2018), 1--27.

[30]

Qian Ge, Yuval Yarom, Frank Li, and Gernot Heiser. 2016. Your Processor Leaks Information-and There's Nothing You Can Do About It. arXiv preprint arXiv:1612.04474 (2016).

[31]

Abraham Gonzalez, Ben Korpan, Ed Younis, and Jerry Zhao. 2018. Spectrum: Classifying, Replicating and Mitigating Spectre Attacks on a Speculating RISC-V Microarchitecture. (2018).

[32]

Michael Gschwind. 2009. Polymorphic branch predictor and method with selectable mode of prediction. US Patent 7,523,298.

[33]

Marco Guarnieri, Boris Köpf, José F Morales, Jan Reineke, and Andrés Sánchez. 2018. SPECTECTOR: Principled Detection of Speculative Information Flows. arXiv preprint arXiv:1812.08639 (2018).

[34]

Andrei Homescu, Michael Stewart, Per Larsen, Stefan Brunthaler, and Michael Franz. 2012. Microgadgets: size doesmatter in turing-complete return-oriented programming. In Proceedings of the 6th USENIX conference on Offensive Technologies. USENIX Association, 7--7.

[35]

Jann Horn. 2018. Reading privileged memory with a side-channel. Project Zero (January 2018). https://googleprojectzero.blogspot.com/ 2018/01/reading-privileged-memory-with-side.html.

[36]

Bradley D Hoyt, Glenn J Hinton, David B Papworth, Ashwani K Gupta, Michael A Fetterman, Subramanian Natarajan, Sunil Shenoy, and Reynold V D'sa. 1996. Method and apparatus for implementing a set-associative branch target buffer. US Patent 5,574,871.

[37]

Casen Hunger, Mikhail Kazdagli, Ankit Rawat, Alex Dimakis, Sriram Vishwanath, and Mohit Tiwari. 2015. Understanding contention-based channels and using them for defense. In 2015 IEEE 21st International Symposium on High Performance Computer Architecture (HPCA). IEEE, 639--650.

[38]

Intel. 2018. Retpoline: A Branch Target Injection Mitigation. (2018). reference no. 337131-003.

[39]

Intel. 2018. Speculative Execution Side Channel Mitigations. (2018). reference no. 336996-003.

[40]

David Kanter. 2010. Intel's Sandy Bridge Microarchitecture. https: //www.realworldtech.com/sandy-bridge/4/. (2010).

[41]

Khaled N Khasawneh, Esmaeil Mohammadian Koruyeh, Chengyu Song, Dmitry Evtyushkin, Dmitry Ponomarev, and Nael Abu-Ghazaleh. 2019. Safespec: Banishing the spectre of a meltdown with leakage-free speculation. (2019), 1--6.

[42]

S Karen Khatamifard, Longfei Wang, Amitabh Das, Selcuk Kose, and Ulya R Karpuzcu. 2019. POWERT Channels: A Novel Class of Covert Communication Exploiting Power Management Vulnerabilities. In Proceedings of the 25th IEEE International Symposium on High-Performance Computer Architecture.

[43]

Jonathan Khazam. 2001. Method and apparatus for performing power management by suppressing the speculative execution of instructions within a pipelined microprocessor. US Patent 6,282,663.

[44]

Vladimir Kiriansky, Ilia Lebedev, Saman Amarasinghe, Srinivas Devadas, and Joel Emer. 2018. DAWG: A defense against cache timing attacks in speculative execution processors. In 2018 51st Annual IEEE/ACM International Symposium on Microarchitecture (MICRO). IEEE, 974--987.

Digital Library

[45]

Vladimir Kiriansky and Carl Waldspurger. 2018. Speculative Buffer Overflows: Attacks and Defenses. CoRR abs/1807.03757 (2018). arXiv:1807.03757 http://arxiv.org/abs/1807.03757

[46]

Paul Kocher. 2018. Spectre Mitigations in Microsoft's C/C++ Compiler. Retrieved August 3 (2018), 2018.

[47]

Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, and Yuval Yarom. 2019. Spectre Attacks: Exploiting Speculative Execution. In 40th IEEE Symposium on Security and Privacy (S&P'19).

[48]

Esmaeil Mohammadian Koruyeh, Khaled N. Khasawneh, Chengyu Song, and Nael Abu-Ghazaleh. 2018. Spectre Returns! Speculation Attacks using the Return Stack Buffer. In 12th USENIX Workshop on Offensive Technologies (WOOT 18). USENIX Association, Baltimore,MD. https://www.usenix.org/conference/woot18/presentation/koruyeh

Digital Library

[49]

Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher,Werner Haas, Anders Fogh, Jann Horn, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, and Mike Hamburg. 2018. Meltdown: Reading Kernel Memory from User Space. In 27th USENIX Security Symposium (USENIX Security 18).

Digital Library

[50]

Giorgi Maisuradze and Christian Rossow. 2018. Ret2Spec: Speculative Execution Using Return Stack Buffers. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (CCS '18). ACM, New York, NY, USA, 2109--2122. https://doi.org/10.1145/ 3243734.3243761

Digital Library

[51]

Andrea Mambretti, Matthias Neugschwandtner, Alessandro Sorniotti, Engin Kirda, William Robertson, and Anil Kurmus. 2018. Let's Not Speculate: Discovering and Analyzing Speculative Execution Attacks. IBM Technical Report (2018).

[52]

Clémentine Maurice, Christoph Neumann, Olivier Heen, and Aurélien Francillon. 2015. C5: cross-cores cache covert channel. In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment. Springer, 46--64.

Digital Library

[53]

pakt. 2013. A Turing complete ROP compiler. https://github.com/pakt/ ropc.

[54]

Chris H Perleberg and Alan Jay Smith. 1993. Branch target buffer design and optimization. IEEE transactions on computers 42, 4 (1993), 396--412.

Digital Library

[55]

Andrew Prout, William Arcand, David Bestor, Bill Bergeron, Chansup Byun, Vijay Gadepally, Michael Houle, Matthew Hubbell, Michael Jones, Anna Klein, et al. 2018. Measuring the Impact of Spectre and Meltdown. (2018), 1--5.

[56]

Lihu Rappoport, Chen Koren, Franck Sala, Ilhyun Kim, Lior Libis, Ron Gabor, and Oded Lempel. 2013. Method and apparatus for pipeline inclusion and instruction restarts in a micro-op cache of a processor. US Patent 8,433,850.

[57]

Lihu Rappoport, Bob Valentine, Stephan Jourdan, Yoav Almog, Franck Sala, Amir Leibovitz, Ido Ouziel, and Ron Gabor. 2012. Efficient method and apparatus for employing a micro-op cache in a processor. US Patent 8,103,831.

[58]

Redhat. 2018. Controlling the Performance Impact of Microcode and Security Patches for CVE-2017--5754 CVE-2017--5715 and CVE-2017- 5753 using Red Hat Enterprise Linux Tunables. https://access.redhat. com/articles/3311301.

[59]

Elham Salimi and Narges Arastouie. 2011. Backdoor detection system using artificial neural network and genetic algorithm. In 2011 International Conference on Computational and Information Sciences. IEEE, 817--820.

Digital Library

[60]

Felix Schuster and Thorsten Holz. 2013. Towards reducing the attack surface of software backdoors. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security. ACM, 851--862.

Digital Library

[61]

Michael Schwarz, Martin Schwarzl, Moritz Lipp, Jon Masters, and Daniel Gruss. 2019. Netspectre: Read arbitrary memory over network. (2019), 279--299.

[62]

Hovav Shacham et al. 2007. The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86). In ACM conference on Computer and communications security. New York? 552-- 561.

[63]

Yan Shoshitaishvili, Ruoyu Wang, Christophe Hauser, Christopher Kruegel, and Giovanni Vigna. 2015. Firmalice-Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware. In NDSS.

[64]

Nikolay A Simakov, Martins D Innus, Matthew D Jones, Joseph P White, Steven M Gallo, Robert L DeLeon, and Thomas R Furlani. 2018. Effect of Meltdown and Spectre Patches on the Performance of HPC Applications. arXiv preprint arXiv:1801.04329 (2018).

[65]

Baruch Solomon, Ronny Ronen, and Doron Orenstien. 2005. Power reduction for processor front-end by caching decoded instructions. US Patent 6,950,903.

[66]

Sam L Thomas, Flavio D Garcia, and Tom Chothia. 2017. HumIDIFy: a tool for hidden functionality detection in firmware. In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment. Springer, 279--300.

[67]

Paul Turner and Google Project Zero. 2018. Retpoline: a software construct for preventing branch-target-injection. Google Help (2018). https://support.google.com/faqs/answer/7625886

[68]

Pepe Vila, Boris Köpf, and José F Morales. 2019. Theory and practice of finding eviction sets. (2019), 39--54.

[69]

Jack Wampler, Ian Martiny, and Eric Wustrow. 2019. ExSpectre: Hiding Malware in Speculative Execution. In 26th Annual Network and Distributed System Security Symposium. NDSS-Symposium, San Diego, CA. https://www.ndss-symposium.org/ndss-paper/ exspectre-hiding-malware-in-speculative-execution/

[70]

GuanhuaWang, Sudipta Chattopadhyay, Ivan Gotovchits, Tulika Mitra, and Abhik Roychoudhury. 2019. oo7: Low-overhead Defense against Spectre attacks via Program Analysis. IEEE Transactions on Software Engineering (2019).

[71]

Chris Wysopal, Chris Eng, and Tyler Shields. 2010. Static detection of application backdoors. Datenschutz und Datensicherheit-DuD 34, 3 (2010), 149--155.

[72]

Mengjia Yan, Jiho Choi, Dimitrios Skarlatos, Adam Morrison, Christopher Fletcher, and Josep Torrellas. 2018. InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy. In 2018 51st Annual IEEE/ACM International Symposium on Microarchitecture (MICRO). IEEE, 428--441.

[73]

Jiyong Yu, Mengjia Yan, Artem Khyzha, Adam Morrison, Josep Torrellas, and Christopher W. Fletcher. 2019. Speculative Taint Tracking (STT): A Comprehensive Protection for Speculatively Accessed Data. In Proceedings of the 52nd Annual IEEE/ACM International Symposium on Microarchitecture (MICRO '52). Association for Computing Machinery, New York, NY, USA, 954--968. https://doi.org/10.1145/3352460. 3358274

Cited By

Fabian XPatrignani MGuarnieri MBackes M(2025)Do You Even Lift? Strengthening Compiler Security Guarantees against Spectre AttacksProceedings of the ACM on Programming Languages10.1145/37048679:POPL(893-922)Online publication date: 9-Jan-2025
https://dl.acm.org/doi/10.1145/3704867
Yavarzadeh HAgarwal AChristman MGarman CGenkin DKwong AMoghimi DStefan DTaram KTullsen DTsafrir DMusuvathi MGupta RAbu-Ghazaleh N(2024)Pathfinder: High-Resolution Control-Flow Attacks Exploiting the Conditional Branch PredictorProceedings of the 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 310.1145/3620666.3651382(770-784)Online publication date: 27-Apr-2024
https://dl.acm.org/doi/10.1145/3620666.3651382
Dong RCui BSun YYang J(2024) BTIDEC : A Novel Detection Scheme for CPU Security of Consumer Electronics IEEE Transactions on Consumer Electronics10.1109/TCE.2023.332362170:1(4515-4523)Online publication date: Feb-2024
https://doi.org/10.1109/TCE.2023.3323621
Show More Cited By

Index Terms

Exploring Branch Predictors for Constructing Transient Execution Trojans
1. Security and privacy
  1. Security in hardware
    1. Hardware attacks and countermeasures
      1. Malicious design modifications
      2. Side-channel analysis and countermeasures
    2. Hardware reverse engineering

Recommendations

BranchScope: A New Side-Channel Attack on Directional Branch Predictor
ASPLOS '18

We present BranchScope - a new side-channel attack where the attacker infers the direction of an arbitrary conditional branch instruction in a victim program by manipulating the shared directional branch predictor. The directional component of the ...
Enhancing Stealthiness & Efficiency of Android Trojans and Defense Possibilities (EnSEAD) - Android's Malware Attack, Stealthiness and Defense: An Improvement
FIT '11: Proceedings of the 2011 Frontiers of Information Technology

In this work, we have studied Android Architecture from a security point of view. We have studied various defense mechanisms that are present in current Android Platform or are recently proposed. We took inspiration from Sound comber--a recent Android ...
Understanding and Mitigating Covert Channels Through Branch Predictors

Covert channels through shared processor resources provide secret communication between two malicious processes: the trojan and the spy. In this article, we classify, analyze, and compare covert channels through dynamic branch prediction units in modern ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

ASPLOS '20: Proceedings of the Twenty-Fifth International Conference on Architectural Support for Programming Languages and Operating Systems

March 2020

1412 pages

ISBN:9781450371025

DOI:10.1145/3373376

General Chair:
James Larus
EPFL
,
Program Chairs:
Luis Ceze
University of Washington
,
Karin Strauss
Microsoft

Copyright © 2020 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

In-Cooperation

SIGBED: ACM Special Interest Group on Embedded Systems

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 13 March 2020

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

Conference

ASPLOS '20

Sponsor:

ASPLOS '20: Architectural Support for Programming Languages and Operating Systems

March 16 - 20, 2020

Lausanne, Switzerland

Acceptance Rates

Overall Acceptance Rate 535 of 2,713 submissions, 20%

Upcoming Conference

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

18
Total Citations
View Citations
1,440
Total Downloads

Downloads (Last 12 months)339
Downloads (Last 6 weeks)19

Reflects downloads up to 05 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

Fabian XPatrignani MGuarnieri MBackes M(2025)Do You Even Lift? Strengthening Compiler Security Guarantees against Spectre AttacksProceedings of the ACM on Programming Languages10.1145/37048679:POPL(893-922)Online publication date: 9-Jan-2025
https://dl.acm.org/doi/10.1145/3704867
Yavarzadeh HAgarwal AChristman MGarman CGenkin DKwong AMoghimi DStefan DTaram KTullsen DTsafrir DMusuvathi MGupta RAbu-Ghazaleh N(2024)Pathfinder: High-Resolution Control-Flow Attacks Exploiting the Conditional Branch PredictorProceedings of the 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 310.1145/3620666.3651382(770-784)Online publication date: 27-Apr-2024
https://dl.acm.org/doi/10.1145/3620666.3651382
Dong RCui BSun YYang J(2024) BTIDEC : A Novel Detection Scheme for CPU Security of Consumer Electronics IEEE Transactions on Consumer Electronics10.1109/TCE.2023.332362170:1(4515-4523)Online publication date: Feb-2024
https://doi.org/10.1109/TCE.2023.3323621
Wang QTang MXu KWang H(2024)Modeling, Derivation, and Automated Analysis of Branch Predictor Security Vulnerabilities2024 IEEE International Symposium on High-Performance Computer Architecture (HPCA)10.1109/HPCA57654.2024.00038(409-423)Online publication date: 2-Mar-2024
https://doi.org/10.1109/HPCA57654.2024.00038
Zhang ZTao MO'Connell SChuengsatiansup CGenkin DYarom YCalandrino JTroncoso C(2023)BunnyHopProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620647(7321-7337)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620647
Katzman DKosasih WChuengsatiansup CRonen EYarom YCalandrino JTroncoso C(2023)The gates of timeProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620347(1955-1972)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620347
Yavarzadeh HTaram MNarayan SStefan DTullsen D(2023)Half&Half: Demystifying Intel’s Directional Branch Predictors for Fast, Secure Partitioned Execution2023 IEEE Symposium on Security and Privacy (SP)10.1109/SP46215.2023.10179415(1220-1237)Online publication date: May-2023
https://doi.org/10.1109/SP46215.2023.10179415
Yavarzadeh HTaram MNarayan SStefan DTullsen D(2023)Half&Half: Demystifying Intel’s Directional Branch Predictors for Fast, Secure Partitioned Execution2023 IEEE Symposium on Security and Privacy (SP)10.1109/SP46215.2023.10179309(1220-1237)Online publication date: May-2023
https://doi.org/10.1109/SP46215.2023.10179309
Islam Chowdhuryy MZhang ZYao F(2023)BeKnight: Guarding Against Information Leakage in Speculatively Updated Branch Predictors2023 IEEE/ACM International Conference on Computer Aided Design (ICCAD)10.1109/ICCAD57390.2023.10323658(01-09)Online publication date: 28-Oct-2023
https://doi.org/10.1109/ICCAD57390.2023.10323658
Milburn ASun KKawakami H(2023)You Cannot Always Win the Race: Analyzing mitigations for branch target prediction attacks2023 IEEE 8th European Symposium on Security and Privacy (EuroS&P)10.1109/EuroSP57164.2023.00046(671-686)Online publication date: Jul-2023
https://doi.org/10.1109/EuroSP57164.2023.00046
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Figures

Tables

Media

View Table of Conten