STBPU: A Reasonably Safe Branch Predictor Unit

Published in arXiv, 2021

Recommended citation: T Zhang, T Lesch, K Koltermann, D Evtyushkin. STBPU: A Reasonably Safe Branch Predictor Unit. arXiv preprint arXiv:2108.02156. (under review) https://arxiv.org/abs/2108.02156

Modern processors have suffered a deluge of dangerous side channel and speculative execution attacks that exploit vulnerabilities rooted in branch predictor units (BPU). Many such attacks exploit the shared use of the BPU between unrelated processes, which allows malicious processes to retrieve sensitive data or enable speculative execution attacks. Attacks that exploit collisions between different branch instructions inside the BPU are among the most dangerous. Various protections and mitigations have been proposed, such as CPU microcode updates, secured cache designs, fencing mechanisms, and invisible speculation. While some effectively mitigate speculative execution attacks, they overlook the BPU as an attack vector, leaving the BPU prone to malicious collisions and the resulting critical penalties, such as advanced micro-op cache attacks. Furthermore, some mitigations severely hamper the accuracy of the BPU, resulting in increased CPU performance overhead. To address these, we present the secret token branch predictor unit (STBPU), a branch predictor design that mitigates collision-based speculative execution attacks and BPU side channels whilst incurring little to no performance overhead. STBPU achieves this by customizing inside data representations for each software entity requiring isolation. To prevent more advanced attacks, STBPU monitors hardware events and preemptively changes how STBPU data is stored and interpreted.

Recommended citation:


@misc{zhang2021stbpu,
      title={STBPU: A Reasonably Safe Branch Predictor Unit}, 
      author={Tao Zhang and Timothy Lesch and Kenneth Koltermann and Dmitry Evtyushkin},
      year={2021},
      eprint={2108.02156},
      archivePrefix={arXiv},
      primaryClass={cs.CR}
}