Abstract
With the emergence and proliferation of microarchitectural attacks targeting branch predictors, the once-established security boundary in computer systems and architectures is facing unprecedented challenges. This paper introduces an innovative branch predictor modeling methodology that abstractly characterizes 19 states and 53 operations of branch predictors, aiming to assist hardware designers in addressing overlooked security concerns during the microarchitecture design phase. Building upon this modeling discipline, we develop a symbolic execution-based framework to analyze and derive potential vulnerabilities in branch predictors. This framework finally yields 156 valid three-step attack patterns against branch predictors, including 89 novel variants not discovered in previous work. Subsequently, we extend the framework to automatically generate a benchmark suite for assessing the practical feasibility of derived attacks in real-world scenarios. Evaluation across five commercial Intel processors underscores the substantial threat posed by branch predictor attacks, with 130 of the 156 derived attacks proving viable on at least one processor. Finally, we theoretically model and evaluate 12 secure designs related to branch predictors. The evaluation results demonstrate that existing secure branch predictors can offer better security guarantees than secure speculation schemes, indicating that secure branch predictor designs are promising solutions to maintain the confidentiality and integrity of computer systems.