Please use this identifier to cite or link to this item: https://hdl.handle.net/2440/139863
Type: Thesis
Title: Exploring the Vulnerability of Branch Prediction Unit
Author: Tao, Mingtian
Issue Date: 2023
School/Discipline: School of Computer and Mathematical Sciences
Abstract: In recent years, the notable performance improvements in modern processors can be largely attributed to the incorporation of speculative execution. This feature allows the processor to predict and execute instructions based on assumptions about program behaviour. By speculatively executing the instructions that may follow a branch, the processor keeps the pipeline busy and avoids the stalls it would otherwise incur while waiting for the branch outcome to be resolved. These predictions are made by the branch prediction unit (BPU) based on past branch history. Over the years, the BPU has become a target of extensive research because of the sensitive information it stores. The objective of this thesis is to explore the security aspects of the BPU by analysing the structure of the branch target buffer (BTB). In this thesis, we first present a novel technique called BunnyHop, which transfers BTB state into cache state, revealing secrets held within the BTB. We develop this technique by reverse engineering the instruction prefetcher, and we show that the instruction prefetcher is guided by the BTB. Leveraging BunnyHop, we further reverse engineer the BTB on several recent Intel machines, providing new observations. We find that the BTB divides branches into two groups, long branches and short branches, and we uncover the implementation and the replacement policy within the BTB. Combining BunnyHop with the findings from the BTB reverse engineering, we perform two attacks. One attack targets an OpenSSL implementation of the elliptic curve secp256k1 running inside an Intel Software Guard Extensions (SGX) enclave; it attains a success rate above 98%. The other attack bypasses Kernel Address Space Layout Randomization (KASLR) on Linux: we recover the address of the kernel image from user space, breaking the kernel protection boundary. Compared with previous similar attacks, our KASLR attack is significantly faster.
Advisor: Yarom, Yuval; Chuengsatiansup, Chitchanok (University of Melbourne)
Dissertation Note: Thesis (MPhil.) -- University of Adelaide, School of Computer and Mathematical Sciences, 2023
Keywords: BTB; BPU; branch prediction; reverse engineering; side channel attack; SGX; KASLR
Provenance: This thesis is currently under embargo and not available.
Appears in Collections:Research Theses

Files in This Item: Tao2023_MPhil.pdf (Adobe PDF, 1.13 MB). Restricted Access: library staff access only.