| The branch predictor is an important microarchitectural component of modern processors that effectively alleviates pipeline stalls. Although manufacturers have not disclosed its design, in recent years researchers have exposed the branch prediction mechanism through reverse engineering and have successively discovered many attacks based on it. There is now a large body of research on branch prediction attacks on x86, but much less on Arm. In this paper, we organize and summarize the components and attack chains of the branch prediction attacks that have been disclosed and detect them on the Arm architecture platform; a total of four branch prediction attacks are detected. Currently, defenses against branch prediction attacks mainly include barrier instructions, formal verification, and real-time monitoring. Among them, real-time monitoring is the most practical because it is easy to deploy and transparent to upper-level programmers. However, the current research on branch prediction attacks is also focused on x86, and there is a lack of related research on Arm. Most current real-time monitoring methods use sampled PMU counts as their information source, which is somewhat insufficient for detecting branch prediction attacks. We use the CoreSight hardware framework in Arm to build a real-time monitoring system that can simultaneously collect trace streams and PMU counts, and its accuracy can reach cycle granularity. We used the real-time monitoring system to detect branch prediction attacks and achieved an accuracy rate of 97.6%. It is also able to detect unknown attacks. Finally, we found a covert channel, BTBC, based on the BTB component of the branch predictor. BTBC has channel performance similar to that of other branch predictor-based covert channels when continuously transmitting data. When the transmission capacity is 200 bps, the SER is only 2%. We also give defense measures against such covert channels. |