



# Modeling, Derivation, and Automated Analysis of Branch Predictor Security Vulnerabilities

Quancheng Wang, Ming Tang, Ke Xu, Han Wang

Wuhan University

2024 IEEE International Symposium on High-Performance Computer Architecture (HPCA) Session 3B: Side-Channel & Microarchitecture Edinburgh, March 2-6, 2024

# **Background: Evolution of BP Attacks**

# Attacks and CVEs against branch predictors are proliferating Manual search for branch predictor attacks is not exhaustive





# **Background: Evolution of BP Attacks**





### A trustworthy tool is essential for exploring all branch predictor attacks!





#### HPCA 2024

defense

### **Background: Insufficient Security Evaluation**

The defense is **secure** 

because it can prevent

#### $\succ$ Weak security evaluation of many defenses



Speculated Load



#### HPCA 2024

### **Background: Insufficient Security Evaluation**

#### > Weak security evaluation of many defenses



### A comprehensive security evaluation is imperative for defense solutions!



5



### **Threat Model**

### Attacker and victim

Attacker: App, OS, VM, etc.
Victim: App, OS, VM, TEE, etc.

### ≻Attacker's goal



Inferring secret data based on branch instruction execution time differences or transient execution due to misprediction

### ➢Attack types

➤Timing-based attacks: side channels, covert channels





### **Threat Model**

### Attacker and victim

Attacker: App, OS, VM, etc.Victim: App, OS, VM, TEE, etc.

### ≻Attacker's goal



Inferring secret data based on branch instruction execution time differences or transient execution due to misprediction

### ➢Attack types

>Transient-based attacks: speculative attacks



7





#### > How to model branch predictors for security evaluation



### Modeling: Three-Step Attack Model



#### >Insights from microarchitectural attacks against branch predictors

>All existing branch predictor attacks include three steps





### **Modeling: Possible Branch Predictor States**

#### > Modeling 19 states of security-critical branch predictor entry E





#### > Modeling 19 states of security-critical branch predictor entry E



11



### **Modeling: Possible Branch Predictor States**

#### > Modeling 19 states of security-critical branch predictor entry E





#### > Possible branch operations related to prior 19 target entry states



**Entry States** 

**Branch Operations** 

**Branch** Type



#### >A or V indicates no operation on the target branch predictor entry





#### $>A_{cc}$ denotes the observation of the covert channel in transient attacks





#### > We finally model 53 possible operations in the three-step attack model





### **Framework: Branch Predictor Simulator**



>We implement a branch predictor simulator to explore all attacks

 $A_{pc} \rightarrow V_{val} \rightarrow V_{val}$ 

 $V_{pc} \rightarrow V_{val} \rightarrow V_{val}$  $A_{his} \rightarrow V_{val} \rightarrow V_{val}$ 





### **Framework: Branch Predictor Simulator**



#### > We perform an enumerative analysis of each three-step combination



### **Framework: Branch Predictor Simulator**



#### > We reduce redundancies and finally derive 156 valid attack patterns





### Framework: Summary of Derived Attacks

#### $\succ$ Summary of derived 156 attack patterns

▶ 28 PHT attacks, 116 BTB attacks and 12 RSB attacks > 67 known attacks and 89 novel attacks

| Branch Predictor | Known<br>Attacks | Novel<br>Attacks | Total<br>Attacks |
|------------------|------------------|------------------|------------------|
| PHT              | 12               | 16               | 28               |
| BTB (ind)        | 20               | 36               | 56               |
| BTB (call)       | 15               | 15               | 30               |
| BTB (ret)        | 15               | 15               | 30               |
| RSB              | 5                | 7                | 12               |
| Total            | 67               | 89               | 156              |

| Unit       | Step1            | Step2                  | Step3                                 | Category | Туре     | Attack | Step1         | Step2            | Step3                     | Category | Туре     | Attac |
|------------|------------------|------------------------|---------------------------------------|----------|----------|--------|---------------|------------------|---------------------------|----------|----------|-------|
| Ť.         | $V_{val}$        | $A_{pc}$               | $V_{val} (slow)$                      | EM       | TSCA/CCA | new    | $V_{val}$     | $V_{pc}$         | $V_{val} (slow)$          | IM       | TSCA/CCA | new   |
|            | $V_{val}$        | $A_{his}$              | $V_{val}$ (slow)                      | EM       | TSCA/CCA | new    | Vval          | Vhis             | $V_{val}$ (slow)          | IM       | TSCA/CCA | nev   |
|            | $A_{pc}$         | $V_{val}$              | $V_{val}$ (fast)                      | IH       | TSCA/CCA | (1)    | $A_{pc}$      | $V_{val}$        | $A_{pc}$ (slow)           | EM       | TSCA/CCA | (1)   |
|            | $A_{pc}$         | $V_{val}$              | $V_{pc}$ (slow)                       | IM       | TSCA/CCA | (1)    | $A_{pc}$      | $V_{val}$        | $A_{his}$ (slow)          | EM       | TSCA/CCA | (1)   |
|            | $A_{pc}$         | Vual                   | $V_{his}$ (slow)                      | IM       | TSCA/CCA | (1)    | Vnc           | Vval             | $V_{val}$ (fast)          | IH       | TSCA/CCA | nev   |
|            | $V_{pc}$         | V <sub>val</sub>       | $A_{pc}$ (slow)                       | EM       | TSCA/CCA | new    | $V_{pc}$      | V <sub>val</sub> | $V_{pc}$ (slow)           | IM       | TSCA/CCA | nev   |
|            | V                | V <sub>val</sub>       | $A_{his}$ (slow)                      | EM       | TSCA/CCA | new    | $V_{pc}$      | V <sub>val</sub> | $V_{his}$ (slow)          | IM       | TSCA/CCA | nev   |
| PHT        | $V_{pc}$         | Val                    | $V_{val}$ (fast)                      | IH       | TSCA/CCA | (2)    | Pc A          | Val              | $A_{pc}$ (slow)           | EM       | TSCA/CCA | (2)   |
|            | Ahis             | $V_{val}$              | Vval (Jast)                           | IM       |          | (2)    | Ahis          | $V_{val}$        |                           | EM       |          | (2)   |
|            | $A_{his}$        | Vval                   | $V_{pc}$ (slow)                       |          | TSCA/CCA |        | Ahis          | Vval             | $A_{his}$ (slow)          |          | TSCA/CCA |       |
|            | $A_{his}$        | $V_{val}$              | $V_{his}$ (slow)                      | IM       | TSCA/CCA | (2)    | $V_{his}$     | $V_{val}$        | $V_{val}$ (fast)          | IH       | TSCA/CCA | nev   |
|            | Vhis             | Vval                   | $A_{pc}$ (slow)                       | EM       | TSCA/CCA | new    | Vhis          | Vnal             | $V_{pc}$ (slow)           | IM       | TSCA/CCA | nev   |
|            | $V_{his}$        | $V_{val}$              | $A_{his} (slow)$                      | EM       | TSCA/CCA | new    | Vhis          | Vval             | $V_{his}$ (slow)          | IM       | TSCA/CCA | nev   |
|            | $A_{pc}$         | $V_{val}$              | $A_{cc}$ (fast)                       | EH       | TEA      | new    | $V_{pc}$      | Vval             | $A_{cc}$ (fast)           | EH       | TEA      | (3)   |
|            | Ahis             | $V_{val}$              | $A_{cc}$ (fast)                       | EH       | TEA      | new    | Vhis          | Vval             | $A_{cc}$ (fast)           | EH       | TEA      | (4)   |
|            | $A_{inv}$        | $V_{val}$              | $V_{val}$ (fast)                      | IH       | TSCA/CCA | (1)    | $V_{inv}$     | Vval             | $V_{val}$ (fast)          | IH       | TSCA/CCA | nev   |
|            | Vval             | $A_{pc}$               | $V_{val}$ (slow)                      | EM       | TSCA/CCA | new    | Vval          | $V_{pc}$         | $V_{val}$ (slow)          | IM       | TSCA/CCA | nev   |
|            | Vval             | Ahis                   | $V_{val}$ (slow)                      | EM       | TSCA/CCA | new    | Vval          | Vhis             | $V_{val}$ (slow)          | IM       | TSCA/CCA | nev   |
|            | Vval             | Aalias                 | $V_{val}$ (slow)                      | EM       | TSCA/CCA | new    | Vval          | Valias           | $V_{val}$ (slow)          | IM       | TSCA/CCA | nev   |
|            | A                |                        | $V_{val}$ (stota)<br>$V_{val}$ (fast) | IH       | TSCA/CCA | (1)    |               | V alias          |                           | EM       | TSCA/CCA |       |
|            | $A_{pc}$         | Vval                   |                                       |          |          |        | $A_{pc}$      | $V_{val}$        | $A_{pc}$ (slow)           |          |          | (1)   |
|            | $A_{pc}$         | $V_{val}$              | $V_{pc}$ (slow)                       | IM       | TSCA/CCA | (1)    | $A_{pc}$      | $V_{val}$        | $A_{his}$ (slow)          | EM       | TSCA/CCA | (1)   |
|            | $A_{pc}$         | $V_{val}$              | $V_{his} (slow)$                      | IM       | TSCA/CCA | (1)    | $A_{pc}$      | Vval             | $A_{alias}$ (slow)        | EM       | TSCA/CCA | (1)   |
|            | $A_{pc}$         | $V_{val}$              | $V_{alias}$ (slow)                    | IM       | TSCA/CCA | (1)    | Vpc           | Vval             | $V_{val}$ (fast)          | IH       | TSCA/CCA | nev   |
|            | $V_{pc}$         | $V_{val}$              | $A_{pc}$ (slow)                       | EM       | TSCA/CCA | new    | $V_{pc}$      | Vval             | $V_{pc}$ (slow)           | IM       | TSCA/CCA | nev   |
|            | $V_{pc}$         | Vval                   | $A_{his}$ (slow)                      | EM       | TSCA/CCA | new    | $V_{pc}$      | Vval             | $V_{his}$ (slow)          | IM       | TSCA/CCA | nev   |
|            | $V_{pc}$         | $V_{val}$              | Aalias (slow)                         | EM       | TSCA/CCA | new    | $V_{pc}$      | $V_{val}$        | $V_{alias}$ (slow)        | IM       | TSCA/CCA | nev   |
|            | $A_{his}$        | $V_{val}$              | $V_{val}$ (fast)                      | IH       | TSCA/CCA | new    | $A_{his}$     | Vval             | $A_{pc}$ (slow)           | EM       | TSCA/CCA | nev   |
|            | Ahis             | Vval                   | $V_{pc}$ (slow)                       | IM       | TSCA/CCA | new    | $A_{his}$     | Vval             | Ahis (slow)               | EM       | TSCA/CCA | nev   |
| BTB        | Ahis             | Vval                   | $V_{his}$ (slow)                      | IM       | TSCA/CCA | new    | Ahis          | Vval             | A <sub>alias</sub> (slow) | EM       | TSCA/CCA | nev   |
| (ind)      | Ahis             | Vval                   | Valias (slow)                         | IM       | TSCA/CCA | new    | Vhis          | Vval             | V <sub>val</sub> (fast)   | IH       | TSCA/CCA | nev   |
| (ind)      |                  |                        |                                       | EM       | TSCA/CCA | new    |               |                  |                           | IM       | TSCA/CCA |       |
|            | $V_{his}$        | $V_{val}$              | $A_{pc}$ (slow)                       |          |          |        | $V_{his}$     | V <sub>val</sub> | $V_{pc}$ (slow)           |          |          | nev   |
|            | Vhis             | Vval                   | $A_{his}$ (slow)                      | EM       | TSCA/CCA | new    | $V_{his}$     | Vval             | $V_{his} (slow)$          | IM       | TSCA/CCA | nev   |
|            | Vhis             | $V_{val}$              | $A_{alias}$ (slow)                    | EM       | TSCA/CCA | new    | Vhis          | Vval             | $V_{alias}$ (slow)        | IM       | TSCA/CCA | nev   |
|            | Aalias           | $V_{val}$              | $V_{val}$ (fast)                      | IH       | TSCA/CCA | (1)    | Aalias        | $V_{val}$        | $A_{pc}$ (slow)           | EM       | TSCA/CCA | (1)   |
|            | $A_{alias}$      | $V_{val}$              | $V_{pc}$ (slow)                       | IM       | TSCA/CCA | (1)    | Aalias        | $V_{val}$        | $A_{his}$ (slow)          | EM       | TSCA/CCA | (1)   |
|            | $A_{alias}$      | Vval                   | $V_{his}$ (slow)                      | IM       | TSCA/CCA | (1)    | Aalias        | Vval             | A <sub>alias</sub> (slow) | EM       | TSCA/CCA | (1)   |
|            | Aalias           | $V_{val}$              | Valias (slow)                         | IM       | TSCA/CCA | (1)    | Valias        | Vval             | $V_{val}$ (fast)          | IH       | TSCA/CCA | nev   |
|            | Valias           | Vval                   | $A_{pc}$ (slow)                       | EM       | TSCA/CCA | new    | Valias        | Vval             | $V_{pc}$ (slow)           | IM       | TSCA/CCA | nev   |
|            | Valias           | Vval                   | $A_{his}$ (slow)                      | EM       | TSCA/CCA | new    | Valias        | Vval             | $V_{his}$ (slow)          | IM       | TSCA/CCA | nev   |
|            | Valias           | Vval                   | A <sub>alias</sub> (slow)             | EM       | TSCA/CCA | new    | Valias        | Vval             | Valias (slow)             | IM       | TSCA/CCA | nev   |
|            | Apc              | Vval                   | $A_{cc}$ (fast)                       | EH       | TEA      | (2)    | Vpc           | Vval             | $A_{cc}$ (fast)           | EH       | TEA      | (2)   |
|            |                  |                        |                                       | EH       | TEA      | (3)    | Vpc           |                  |                           | EH       | TEA      |       |
|            | Ahis             | Vval                   | $A_{cc}$ (fast)                       |          |          |        | Vhis          | Vval             | $A_{cc}$ (fast)           |          |          | nev   |
|            | Aalias           | $V_{val}$              | $A_{cc}$ (fast)                       | EH       | TEA      | (2)    | Valias        | $V_{val}$        | $A_{cc}$ (fast)           | EH       | TEA      | (2)   |
|            | $A_{inv}$        | $V_{val}$              | $V_{val} (fast)$                      | IH       | TSCA/CCA | (1)    | $V_{inv}$     | $V_{val}$        | $V_{val}$ (fast)          | IH       | TSCA/CCA | nev   |
|            | Vval             | $A_{pc}$               | $V_{val}$ (slow)                      | EM       | TSCA/CCA | new    | $V_{val}$     | $V_{pc}$         | $V_{val}$ (slow)          | IM       | TSCA/CCA | nev   |
|            | Vval             | Aalias                 | $V_{val}$ (slow)                      | EM       | TSCA/CCA | new    | Vval          | Valias           | $V_{val}$ (slow)          | IM       | TSCA/CCA | nev   |
|            | $A_{pc}$         | $V_{val}$              | $V_{val}$ (fast)                      | IH       | TSCA/CCA | (1)    | $A_{pc}$      | Vval             | $A_{pc}$ (slow)           | EM       | TSCA/CCA | (1)   |
|            | $A_{pc}$         | $V_{val}$              | $V_{pc}$ (slow)                       | IM       | TSCA/CCA | (1)    | Anc           | $V_{val}$        | $A_{alias}$ (slow)        | EM       | TSCA/CCA | (1)   |
|            | $A_{pc}$         | Vval                   | $V_{alias}$ (slow)                    | IM       | TSCA/CCA | (1)    | Vac           | Vnat             | Vval (fast)               | IH       | TSCA/CCA | nev   |
| 1000000    | $V_{pc}$         | Vval                   | $A_{pc}$ (slow)                       | EM       | TSCA/CCA | new    | $V_{pc}^{pc}$ | V <sub>val</sub> | $V_{pc}$ (slow)           | IM       | TSCA/CCA | nev   |
| BTB        | $V_{pc}^{pc}$    | V <sub>val</sub>       | $A_{alias}$ (slow)                    | EM       | TSCA/CCA | new    | $V_{pc}^{pc}$ | V <sub>val</sub> | $V_{alias}$ (slow)        | IM       | TSCA/CCA | nev   |
| (call/ret) | A                | Vval                   | $V_{val}$ (fast)                      | IH       | TSCA/CCA | (1)    |               | V <sub>val</sub> | $A_{pc}$ (slow)           | EM       | TSCA/CCA | (1)   |
|            | Aalias           |                        | $V_{pc}$ (slow)                       | IM       | TSCA/CCA | (1)    | Aalias        |                  | A in (down)               | EM       | TSCA/CCA | (1)   |
|            | $A_{alias}$      | $V_{val}$              |                                       |          |          |        | Aalias        | $V_{val}$        | $A_{alias}$ (slow)        |          |          |       |
|            | Aalias           | V <sub>val</sub>       | $V_{alias}$ (slow)                    | IM       | TSCA/CCA | (1)    | Valias        | Vval             | $V_{val} (fast)$          | IH       | TSCA/CCA | nev   |
|            | Valias           | V <sub>val</sub>       | $A_{pc}$ (slow)                       | EM       | TSCA/CCA | new    | Valias        | Vval             | $V_{pc}$ (slow)           | IM       | TSCA/CCA | nev   |
|            | Valias           | $V_{val}$              | $A_{alias}$ (slow)                    | EM       | TSCA/CCA | new    | Valias        | Vval             | $V_{alias}$ (slow)        | IM       | TSCA/CCA | nev   |
|            | $A_{pc}$         | $V_{val}$              | $A_{cc}$ (fast)                       | EH       | TEA      | (2)    | $V_{pc}$      | Vval             | $A_{cc}$ (fast)           | EH       | TEA      | (2)   |
|            | $A_{alias}$      | $V_{val}$              | $A_{cc}$ (fast)                       | EH       | TEA      | (2)    | Valias        | $V_{val}$        | $A_{cc}$ (fast)           | EH       | TEA      | (2)   |
| 1          | Ainv             | Vval                   | $V_{val} (fast)$                      | IH       | TSCA/CCA | (1)    | Vinv          | Vval             | $V_{val}$ (fast)          | IH       | TSCA/CCA | nev   |
|            | Vval             | Aalias                 | Vval (slow)                           | EM       | TSCA/CCA | new    | Vval          | Valias           | $V_{val}$ (slow)          | IM       | TSCA/CCA | nev   |
| DCT        | Aalias           | Vval                   | Vval (fast)                           | IH       | TSCA/CCA | (1)    | Aalias        | Vval             | Aalias (slow)             | EM       | TSCA/CCA | (1)   |
| RSB        |                  | Vval                   | Valias (slow)                         | IM       | TSCA/CCA | (1)    | Valias        | Vval             | V <sub>val</sub> (fast)   | IH       | TSCA/CCA | nev   |
|            | Aalias           |                        |                                       | EM       | TSCA/CCA | new    |               |                  |                           | IM       | TSCA/CCA | nev   |
|            | Valias<br>Aalias | $V_{val}$<br>$V_{val}$ | $A_{alias} (slow)$<br>$A_{cc} (fast)$ |          |          |        | Valias        | Vval             | Valias (slow)             |          |          |       |
|            |                  |                        | Acc (Last)                            | EH       | TEA      | (2)    | Valias        | Vval             | $A_{cc}$ (fast)           | EH       | TEA      | nev   |

BTB: (1) Predicting Keys 1 – 3; (2) Spectre V2 [40]; (3) BHI [5].
 RSB: (1) Predicting Keys [13]; (2) Spectre V5 [42], [45].

### Framework: Extensibility of Our Modeling



#### Case study 1: modeling of TAGE branch predictor

>TAGE is widely deployed in popular open-source processors

≻e.g., XiangShan



### Framework: Viability of Novel Attacks



#### $\succ$ Case study 2: evaluation of two novel PHT attacks

- > A  $V_{pc}$ -based attack variant and a  $V_{his}$ -based attack variant
- Transmission of random "0" and "1" bits repeated 1,000,000 times
- >Leakage of sensitive information with a substantial bandwidth on Intel processors

| Number | Attack Pattern                                       | Processor            | <b>Timing Resolution</b> | Capacity   |
|--------|------------------------------------------------------|----------------------|--------------------------|------------|
| #10    |                                                      | Intel Core i5-1135G7 | 92 vs 108 cycles         | 865.7 Kbps |
| #10    | $V_{pc} \rightarrow V_{val} \rightarrow V_{val}$     | Intel Core i7-12700  | 69 vs 83 cycles          | 925.5 Kbps |
| #20    |                                                      | Intel Core i5-1135G7 | 91 vs 114 cycles         | 690.7 Kbps |
| #20    | V <sub>his</sub> →V <sub>val</sub> →V <sub>val</sub> | Intel Core i7-12700  | 67 vs 83 cycles          | 734.1 Kbps |

### **Framework: Practicality of Novel Attacks**



### $\succ$ Case study 3: recovery of LSB in OpenSSL with a novel BTB variant

➢ EVP\_EncryptUpdate() in libcrypto library of OpenSSL 1.1.1b is vulnerable (CCS'19)➢ We demonstrate the practicality of a novel variant exploiting the same vulnerability➢ We implement the PoC of #31 ( $V_{val} \rightarrow A_{pc} \rightarrow V_{val}$ ) to recover the LSB of the first bytes



#### Recovering LSB in OpenSSL on Intel Core i7-12700

### **Analysis: Modeling Typical Secure Designs**



#### >Our framework is applicable to evaluating secure designs (as instances)

> We model 8 secure branch predictors and 4 secure speculation schemes

| Secure BP            | Remaining Ops | Reference     |
|----------------------|---------------|---------------|
| Lock-Based BTB       | 25/53         | TrustCom 2014 |
| MI6                  | 33/53         | MICRO 2019    |
| BRB                  | 33/53         | HPCA 2019     |
| Two-Level Encryption | 22/53         | TACO 2020     |
| Noisy-XOR-BP         | 22/53         | DAC 2021      |
| PSC                  | 31/53         | JCST 2021     |
| LS-BP                | 22/53         | ASP-DAC 2022  |
| НуВР                 | 16/53         | HPCA 2022     |

We conduct a comprehensive analysis of **remaining operations** in our model for each secure branch predictor

| Secure Speculation | Blocked Ops                                      | Reference   |  |
|--------------------|--------------------------------------------------|-------------|--|
| DAWG               | A <sub>cc</sub> for cache<br>(different domains) | MICRO 2018  |  |
| CSF-LFENCE         | V <sub>val</sub> for PHT                         | ASPLOS 2019 |  |
| STT                | V <sub>val</sub> for PHT                         | MICRO 2019  |  |
| InvisiSpec         | $A_{cc}$ for cache                               | MICRO 2018  |  |

We select **four representative hardware-based defenses** against speculative attacks that introduce low-performance overhead

We perform a thorough analysis of **blocked operations** for each secure speculation scheme

### **Analysis: Overview of Secure BP Evaluation**



#### $\succ$ Secure branch predictor evaluation for all 156 three-step attacks

- PSC and HyBP are the most effective secure branch predictors for mitigating PHT and BTB security vulnerabilities under ideal circumstances
- > The best-performing HyBP can shield about 79% of the attack patterns
- > The worst-performing MI6 and BRB can only cover about 16% of the attack patterns

| Secure BP            | PHT   | BTB (ind) | BTB (call) | BTB (ret) | RSB  | Total   |
|----------------------|-------|-----------|------------|-----------|------|---------|
| Lock-Based BTB       | 28/28 | 19/56     | 11/30      | 11/30     | 5/12 | 74/156  |
| MI6                  | 10/28 | 56/56     | 30/30      | 30/30     | 5/12 | 131/156 |
| BRB                  | 10/28 | 56/56     | 30/30      | 30/30     | 5/12 | 131/156 |
| Two-Level Encryption | 18/28 | 12/56     | 2/30       | 2/30      | 5/12 | 39/156  |
| Noisy-XOR-BP         | 18/28 | 12/56     | 2/30       | 2/30      | 5/12 | 39/156  |
| PSC (ideal)          | 0/28  | 56/56     | 30/30      | 30/30     | 5/12 | 121/156 |
| LS-BP                | 18/28 | 12/56     | 2/30       | 2/30      | 5/12 | 39/156  |
| НуВР                 | 18/28 | 10/56     | 0/30       | 0/30      | 5/12 | 33/156  |

### **Analysis: Evaluation for Known/New Attacks**



#### Secure branch predictor evaluation for known/new attacks

- > HyBP provides the best protection against known and newly derived attacks
- ➢Two-Level Encryption, Noisy-XOR-BP, and LS-BP have better protection coverage
- ➢Lock-Based BTB has significant omissions for newly derived attacks
- ► MI6 and BRB do not adequately protect against known and newly derived attacks

| Secure BP            | PHT (known) | BTB (known) | RSB (known) | PHT (new) | BTB (new) | RSB (new) |
|----------------------|-------------|-------------|-------------|-----------|-----------|-----------|
| Lock-Based BTB       | 12/12       | 6/50        | 0/5         | 16/16     | 35/66     | 5/7       |
| MI6                  | 2/12        | 50/50       | 0/5         | 8/16      | 66/66     | 5/7       |
| BRB                  | 2/12        | 50/50       | 0/5         | 8/16      | 66/66     | 5/7       |
| Two-Level Encryption | 5/12        | 7/50        | 0/5         | 9/16      | 35/66     | 5/7       |
| Noisy-XOR-BP         | 5/12        | 7/50        | 0/5         | 9/16      | 35/66     | 5/7       |
| PSC (ideal)          | 0/12        | 50/50       | 0/5         | 0/16      | 66/66     | 5/7       |
| LS-BP                | 5/12        | 7/50        | 0/5         | 9/16      | 35/66     | 5/7       |
| НуВР                 | 5/12        | 4/50        | 0/5         | 13/16     | 6/66      | 5/7       |

# **Analysis: Secure BPs vs Secure Speculation**



#### > Evaluation of secure BPs and HW defenses against speculative attacks

 Hardware-based secure speculation can only mitigate a limited number of speculative execution attacks or only mitigate specific cache covert channels
 Secure branch predictor designs can mitigate more speculative execution attacks

| Defense Strategy | Speculative<br>Attacks<br>(cache channel) | Speculative<br>Attacks<br>(other channel) | Defense Strategy     | Speculative<br>Attacks<br>(cache channel) | Speculative<br>Attacks<br>(other channel) |
|------------------|-------------------------------------------|-------------------------------------------|----------------------|-------------------------------------------|-------------------------------------------|
| Lock-Based BTB   | 12/20                                     | 12/20                                     | MI6                  | 17/20                                     | 17/20                                     |
| BRB              | 17/20                                     | 17/20                                     | Two-Level Encryption | 6/20                                      | 6/20                                      |
| Noisy-XOR-BP     | 6/20                                      | 6/20                                      | PSC (ideal)          | 15/20                                     | 15/20                                     |
| LS-BP            | 6/20                                      | 6/20                                      | HyBP                 | 6/20                                      | 6/20                                      |
| DAWG             | 17/20                                     | 19/20                                     | CSF-LFENCE           | 15/20                                     | 15/20                                     |
| STT              | 15/20                                     | 15/20                                     | InvisiSpec           | 15/20                                     | 19/20                                     |

### **Analysis: Secure BPs vs Secure Speculation**



#### > Evaluation of secure BPs and HW defenses against speculative attacks

 Hardware-based secure speculation can only mitigate a limited number of speculative execution attacks or only mitigate specific cache covert channels
 Secure branch predictor designs can mitigate more speculative execution attacks

Secure branch predictor designs are promising solutions in mitigating branch predictor security vulnerabilities and preserving the confidentiality and integrity of computer systems!

|   | DKD          | 1//20 | 1//20 | тио-селет спстурнон | 0/20  | 0/20  |
|---|--------------|-------|-------|---------------------|-------|-------|
|   | Noisy-XOR-BP | 6/20  | 6/20  | PSC (ideal)         | 15/20 | 15/20 |
|   | LS-BP        | 6/20  | 6/20  | HyBP                | 6/20  | 6/20  |
| ſ | DAWG         | 17/20 | 19/20 | CSF-LFENCE          | 15/20 | 15/20 |
|   | STT          | 15/20 | 15/20 | InvisiSpec          | 15/20 | 19/20 |





#### >Modeling: propose a three-step branch predictor modeling methodology

We propose a three-step modeling approach for evaluating the security properties of branch predictors at the microarchitecture design stage. Our technique abstractly characterizes 19 branch predictor states and 53 operations of the attacker and victim that could affect these states.

#### > Framework: derive 156 effective attack patterns with 89 novel variants

We develop a comprehensive and automated evaluation framework based on the proposed model that leverages symbolic execution to analyze all potential three-step combinations, yielding 156 valid attack patterns against branch predictors, with 89 novel attacks never discovered.

#### >Analysis: conduct security analysis of exisiting HW-based secure designs

We apply our security analysis framework to 8 existing secure branch predictor designs and four typical hardware alleviations against speculative execution attacks, and the results show that secure branch predictors are promising solutions for enhancing the security of the computer system.

http://csccl.whu.edu.cn

CSCCL (CryptoChip Lab) at Wuhan University

Archival: https://doi.org/10.5281/zenodo.10297402

wangquancheng@whu.edu.cn





≻Artifact

≻Contact

