ARM处理器分支预测漏洞分析测评及新漏洞发现

Evaluation of Branch Prediction Vulnerability and New Vulnerability Discovery on ARM Processors

针对ARM处理器上的分支预测漏洞研究不全面、不深入等问题,提出了一种分支预测漏洞测评方法。通过对分支预测漏洞的攻击过程进行研究,提炼了分支预测漏洞的6步骤攻击模型。根据分支预测漏洞攻击利用的微体系结构和针对的地址空间,将现有的分支预测漏洞分成9种类型。基于攻击模型和分类方法构建了ARM处理器上的分支预测漏洞测评方法。在主流的3种ARMv8架构处理器上对9种分支预测漏洞进行了测评,测评内容包括是否受漏洞影响、防御方法是否有效和新漏洞的发掘。实验结果表明,部分ARM处理器完全不受分支预测漏洞攻击影响,部分处理器只受5到6种分支预测漏洞影响。在防御方法方面,尚未存在一种防御方法能防御所有的分支预测漏洞,但可以通过不同防御方法的组合来构建完善的防御体系。在测评过程中,发现了一种ARM架构独有的预测执行漏洞——顺序预测漏洞,此漏洞能够泄露同一进程空间的任意数据。

Because of the lack of research about branch prediction vulnerability on ARM processor,a branch prediction vulnerability evaluation method is proposed to evaluate ARM processor security.Studying the attack process of branch prediction vulnerability,a six-step attack model of branch prediction vulnerability is extracted.According to the difference of microarchitecture and address space used by branch prediction vulnerabilities,the existing branch prediction vulnerabilities are divided into nine types.Based on the attack model and classification method,a branch prediction vulnerability evaluation method is designed.Nine kinds of branch prediction vulnerabilities are evaluated on three mainstream ARMv8 architecture processors.The evaluation content includes the influence of vulnerabilities,the effectiveness of defense methods,and the discovery of new vulnerabilities.The results show that some ARM processors are not affected by branch prediction vulnerabilities at all,while the others are only affected by 5 or 6 branch prediction vulnerabilities.In terms of defense methods,there is not a single defense method that can prevent all branch prediction vulnerabilities,but a perfect defense system can be constructed via combination of different defense methods.During the evaluation process,a prediction execution vulnerability unique on ARM architecture,the sequential prediction vulnerability,is also found,which can expose arbitrary data in the same process space.