Speculative execution attacks are an important security threat to modern processors. Attackers can use the branch prediction mechanism to construct side channels that illegally disclose secret information. Among speculative execution attacks, the BranchScope attack mainly uses the execution traces that direct branches leave in Intel's bimodal branch direction predictor to disclose branch direction information. Most existing software solutions against speculative execution attacks cannot resist BranchScope; a few schemes suggest removing branches or eliminating branch direction sensitivity, but they require complex control flow conversion and are not universal. At present, no work has proposed an effective and practical software protection scheme that can resist BranchScope.

In this thesis, we take speculative execution attacks as the research object and propose two software protection schemes against BranchScope to fill the current protection gap. We refresh the execution traces of direct branches in the direction predictor by repeatedly executing the branches, which prevents attackers from illegally obtaining secret information by probing the state of the branch direction predictor. Both schemes require little code modification and make program conversion easy. The main work and contributions of this thesis are as follows:

(1) We systematically studied existing speculative execution attacks and protection strategies, analyzed the characteristics of the attacks and the basic principles of the various protection methods, and compared and evaluated the protection capabilities of existing schemes.

(2) We propose two new software protection schemes. First, both schemes transform the different branch structures into a unified form. Second, a loop structure is used to execute the branch repeatedly. In the first scheme, called Fix PHT, the branch is repeatedly executed in a fixed direction, which fixes the state of the branch direction predictor. In the second scheme, called Rand PHT, the branch is repeatedly executed in random directions, which randomizes the state of the branch direction predictor. Finally, the suspend and rollback mechanism of hardware transactional memory is used to ensure that the key code is not maliciously interrupted. We analyze the security, practicability and efficiency of both schemes in detail.

(3) We experimentally evaluated the security and performance of the new protection schemes. We selected four public BranchScope attack targets to verify the effectiveness of the two schemes in various attack scenarios, and we evaluated the performance overhead of both schemes on the nbench benchmark suite. The results show that both schemes effectively resist the BranchScope attack. The average performance loss of Fix PHT is 26%~35%, and that of Rand PHT is 22%~32%.
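The following C program is an added illustration of the idea behind Fix PHT and Rand PHT as described in contribution (2); it is not code from the thesis. It models a single pathological-history-table entry as a 2-bit saturating counter (the bimodal predictor state BranchScope observes), runs an unprotected secret-dependent branch, and then runs the same branch site through a loop that re-executes it in a fixed direction (Fix PHT) or in caller-supplied random directions (Rand PHT). The counter model, the REPS and INIT constants, and the function names are assumptions made for the illustration; the hardware-transactional-memory protection against interruption is not modeled. The point the model makes visible is that after Fix PHT the counter ends in the same state for either secret value, so the predictor state no longer carries the branch direction.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of one PHT entry: a 2-bit saturating counter.
 * 0,1 predict not-taken; 2,3 predict taken. (Assumption: a bimodal predictor.) */
typedef struct { int counter; } pht_entry_t;

#define INIT 1   /* initial counter state, weakly not-taken (assumed) */
#define REPS 4   /* fixed-direction re-executions; enough to saturate from any state */

static void pht_update(pht_entry_t *e, int taken)
{
    if (taken) { if (e->counter < 3) e->counter++; }
    else       { if (e->counter > 0) e->counter--; }
}

/* The single branch site shared by all executions. In the model, the hardware
 * trains the counter on whichever direction is actually executed. */
static int run_branch_site(pht_entry_t *e, int dir, int a, int b)
{
    pht_update(e, dir);
    return dir ? a : b;   /* the unified branch: direction is one bit, both arms select data */
}

/* Unprotected: the branch direction is the secret bit itself. */
static int baseline(pht_entry_t *e, int secret, int a, int b)
{
    return run_branch_site(e, secret, a, b);
}

/* Fix PHT (illustration): iteration 0 does the real work; the next REPS
 * iterations re-execute the same site in a fixed (taken) direction so the
 * counter saturates identically regardless of the secret. */
static int fix_pht(pht_entry_t *e, int secret, int a, int b)
{
    int result = 0;
    for (int i = 0; i <= REPS; i++) {
        int dir = (i == 0) ? secret : 1;
        int v = run_branch_site(e, dir, a, b);
        result |= v & -(i == 0);   /* keep only iteration 0's value, without a data-dependent branch */
    }
    return result;
}

/* Rand PHT (illustration): the real execution is followed by n re-executions in
 * caller-supplied random directions, leaving the counter in a randomized state. */
static int rand_pht(pht_entry_t *e, int secret, int a, int b, const int *dirs, int n)
{
    int result = run_branch_site(e, secret, a, b);
    for (int i = 0; i < n; i++)
        run_branch_site(e, dirs[i] & 1, a, b);
    return result;
}

/* What a BranchScope-style observer learns in the model: the counter state left behind. */
int final_state_baseline(int secret)
{
    pht_entry_t e = { INIT };
    baseline(&e, secret, 10, 20);
    return e.counter;
}

int final_state_fix(int secret)
{
    pht_entry_t e = { INIT };
    fix_pht(&e, secret, 10, 20);
    return e.counter;
}

int final_state_rand(int secret, const int *dirs, int n)
{
    pht_entry_t e = { INIT };
    rand_pht(&e, secret, 10, 20, dirs, n);
    return e.counter;
}

/* Functional check: the protected versions still compute the original result. */
int fix_pht_result(int secret)
{
    pht_entry_t e = { INIT };
    return fix_pht(&e, secret, 10, 20);
}

int main(void)
{
    const int dirs[4] = { 1, 0, 1, 1 };   /* constructed "random" tail for the demo */
    for (int s = 0; s <= 1; s++)
        printf("secret=%d baseline=%d fix=%d rand=%d\n", s,
               final_state_baseline(s), final_state_fix(s), final_state_rand(s, dirs, 4));
    return 0;
}
```

In the baseline the two secrets leave different counter states, which is exactly the signal BranchScope reads. With Fix PHT both runs end at the saturated value 3, and with Rand PHT the final state follows the random tail; the model shows the mechanism only, since a short random tail that does not saturate can still correlate with the secret, which is why the randomized variant's security argument is statistical rather than per-execution.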