Litcius/Paper detail

Exploring Branch Predictors for Constructing Transient Execution Trojans

Tao Zhang, Kenneth Koltermann, Dmitry Evtyushkin

202031 citationsDOIOpen Access PDF

Abstract

Transient execution is one of the most critical features used in CPUs to achieve high performance. Recent Spectre attacks demonstrated how this feature can be manipulated to force applications to reveal sensitive data. The industry quickly responded with a series of software and hardware mitigations among which microcode patches are the most prevalent and trusted. In this paper, we argue that currently deployed protections still leave room for constructing attacks. We do so by presenting transient trojans, software modules that conceal their malicious activity within transient execution mode. They appear completely benign, pass static and dynamic analysis checks, but reveal sensitive data when triggered. To construct these trojans, we perform a detailed analysis of the attack surface currently present in today's systems with respect to the recommended mitigation techniques. We reverse engineer branch predictors in several recent x86_64 processors which allows us to uncover previously unknown exploitation techniques. Using these techniques, we construct three types of transient trojans and demonstrate their stealthiness and practicality.

Topics & Concepts

Transient (computer programming)Construct (python library)Computer scienceSoftwarex86MicrocodeReverse engineeringEmbedded systemTransient analysisComputer securityOperating systemEngineeringProgramming languageTransient responseElectrical engineeringSecurity and Verification in ComputingAdvanced Malware Detection TechniquesPhysical Unclonable Functions (PUFs) and Hardware Security