摘要
分支预测器是现代处理器的重要微架构组件,它可有效缓解流水线的控制流冒险问题,提升处理器性能.然而,尽管分支预测器的设计越发先进,设计细节也不被处理器厂商公开,但基于分支预测器的分支预测机制存在的安全问题仍不断被研究人员曝光.利用分支预测机制,攻击者能构建侧信道或隐藏通道,从而绕过软硬件的安全边界检查.在著名的Spectre攻击中,分支预测器还被用来构建瞬态执行窗口,这打破了被错误预测并执行的指令对软件程序员完全透明的错误安全假设.Spectre攻击曝光后,分支预测的安全问题越来越受到重视,相关的攻击变种与防御措施成为学术界和工业界共同关注的课题.本文从分支预测器的设计角度出发,从已公开和被研究人员逆向工程出的分支预测器设计中总结了分支预测器的工作机制,然后按分支预测器填充方式、分支预测器索引方式和分支预测利用过程等特征对现有的分支预测攻击进行归纳和整理,并总结了这些攻击的攻击模型,包括攻击场景与攻击链.随后,本文结合Intel、AMD和ARM等主流商用处理器的典型微体系结构,从攻击模型深入分析了各分支预测攻击的关联性、创新点和可行性,并提出一种评价分支预测类瞬态执行攻击可行性的理论方法.最后,本文讨论了分支预测攻击未来的研究趋势、相关的防御策略以及安全分支预测器设计等诸多问题.
With the increasing demand for computer performance,many optimization techniques are adopted in modern processors.The branch predictors become significantly important components of computer micro-architecture for their efficiency to cope with the control hazards in pipeline.Although the design of the branch predictors has become more and more sophisticated and the details have not been disclosed by the vendors,their vulnerabilities have begun to expose.Using relevant mechanism of the branch predictors,attackers can construct side channels or covert channels to bypass the check on security boundary of software and hardware.Spectre,the notorious speculative execution attack,exploits the branch predictor to construct a transient execution window and then exploits cache side channels to access the secret data of the victim.It disproves the security assumption that the mis-predicted instructions are completely transparent to the software programmers.With the exposure of Spectre attack,the security of branch predictors aroused wild attention,many related attack variants and defense measures have been proposed.Some variants apply Spectre in a specific attack scenario,such as NetSpectre aiming at breaking other virtual machine and SGXPectre aiming at breaking into SGX.Others exploit different microarchitectural side channels during transient execution,such as SpectreRewind and SMoTherSpectre which measure the difference of time consumption on specific execution port.To better understand how these attacks exploit the branch prediction,we summarize the principles of branch predictor through the published and reverse engineered branch predictor design from the perspective of branch predictor design,and then classify the existing speculative execution attacks according to their filling and indexing methods,as well as the utilization process.Furthermore,we extract the attack models of these attacks,including 8 attack scenarios and 2 attack chains.The attack scenarios include cross-process,cross-domain,cross-TEE,cross-VM,cross-hypervisor,cross-HT and cross-sandbox.The attack chains,consisting the side channel attack chain and the transient execution attack chain,can be merged into a model with 3 or 4 steps,including filling predictors,triggering branch instructions and exploiting the result of prediction.We use the attack model to describe the existing branch prediction attacks such as branch prediction side channels,branch prediction covert channels and transient execution attacks with or without branch prediction side channels.Furthermore,we analyse the relevance,innovativeness and feasibility of branch prediction attacks on modern processors such as Intel,AMD and ARM.Specifically,we present a theoretical method to evaluate the feasibility of transient execution attacks.Lastly,based on our analysis,we believe that automatically analysis of predictor security and secure predictor design will become the main research aspects in branch prediction security.
作者
刘畅
杨毅
李昊儒
邱朋飞
吕勇强
王海霞
鞠大鹏
汪东升
LIU Chang;YANG Yi;LI Hao-Ru;QIU Peng-Fei;LYU Yong-Qiang;WANG Hai-Xia;JU Da-Peng;WANG Dong-Sheng(Department of Computer Science and Technology,Tsinghua University,Beijing 100084;Ministry of Education Key Laboratory of Trustworthy Distributed Computing and Service,Beijing University of Posts and Telecommunications,Beijing 100867;Beijing National Research Center for Information Science and Technology,Tsinghua University,Beijing 100084)
出处
《计算机学报》
EI
CAS
CSCD
北大核心
2022年第12期2475-2509,共35页
Chinese Journal of Computers
基金
国家重点研发计划(2021YFB3100902)
国家自然科学基金(62072263)资助。
关键词
分支预测
处理器安全
计算机微体系结构
侧信道
瞬态执行
branch prediction
processor security
computer microarchitecture
side channel
transient execution