Please use this identifier to cite or link to this item:
https://hdl.handle.net/2440/139863
Type: | Thesis |
Title: | Exploring the Vulnerability of Branch Prediction Unit |
Author: | Tao, Mingtian |
Issue Date: | 2023 |
School/Discipline: | School of Computer and Mathematical Sciences |
Abstract: | In recent years, the notable performance improvements in modern processors can be largely attributed to the incorporation of speculative execution. This feature allows the processor to make predictions and execute instructions based on assumptions about the program's behavior. By speculatively executing the instructions that may follow a branch, the processor keeps the pipeline busy and avoids the stalls that would otherwise be caused by waiting for the branch outcome to be determined. Those predictions are made by the branch prediction unit (BPU) based on past branch history. Over the years, the BPU has become a target of extensive research because of the sensitive information it stores. The objective of this thesis is to explore the security aspect of the BPU by analyzing the structure of the branch target buffer (BTB). In this thesis, we first present a novel technique called BunnyHop, which transfers the BTB state into the cache state, revealing secrets held within the BTB. We develop this technique by reverse engineering the instruction prefetcher, and we show that the instruction prefetcher is guided by the BTB. Leveraging the BunnyHop technique, we further reverse engineer the BTB on several recent Intel machines and provide new observations. We find that the BTB divides branches into two groups: long branches and short branches. Furthermore, we discover the implementation and the replacement policy within the BTB. Combining BunnyHop with the findings from the BTB reverse engineering, we perform two attacks. One attack targets an OpenSSL implementation of the elliptic curve secp256k1 running inside an Intel Software Guard Extensions (SGX) enclave, where we attain a success rate above 98%. The other attack aims to bypass Kernel Address Space Layout Randomization (KASLR) on Linux systems; we manage to recover the address of the kernel image from user space, breaking the kernel protection boundary. Compared with previous similar attacks, our KASLR attack is significantly faster. |
Advisor: | Yarom, Yuval; Chuengsatiansup, Chitchanok (University of Melbourne) |
Dissertation Note: | Thesis (MPhil.) -- University of Adelaide, School of Computer and Mathematical Sciences, 2023 |
Keywords: | BTB; BPU; branch prediction; reverse engineering; side channel attack; SGX; KASLR |
Provenance: | This thesis is currently under embargo and not available. |
Appears in Collections: | Research Theses |
Files in This Item:
File | Description | Size | Format
---|---|---|---
Tao2023_MPhil.pdf (Restricted Access) | Library staff access only. | 1.13 MB | Adobe PDF