Another Branch Prediction Attack
When Spectre and Meltdown were first announced earlier this year, pretty much everyone predicted that there would be many more attacks targeting branch prediction in microprocessors. Here’s another one:
In the new attack, an attacker primes the PHT and running branch instructions so that the PHT will always assume a particular branch is taken or not taken. The victim code then runs and makes a branch, which is potentially disturbing the PHT. The attacker then runs more branch instructions of its own to detect that disturbance to the PHT; the attacker knows that some branches should be predicted in a particular direction and tests to see if the victim’s code has changed that prediction.
The researchers looked only at Intel processors, using the attacks to leak information protected using Intel’s SGX (Software Guard Extensions), a feature found on certain chips to carve out small sections of encrypted code and data such that even the operating system (or virtualization software) cannot access it. They also described ways the attack could be used against address space layout randomization and to infer data in encryption and image libraries.
Research paper.
Who? • March 29, 2018 11:13 AM
We need new microarchitectures. No, fixing current bugs while preserving as many performance improvements as possible in future microprocessors is not the answer. Hiding bugs tweaking microcode and/or software, making them harder to exploit (a.k.a. “mitigation”), is not the answer either. We need removing anything that might be exploited in the future from our microprocessors. Of course industry will not take this route, it is better offering faster microprocessors and it is better if each new meltdown/spectre-like attack discovered makes people and corporations to replace their three-years old expensive computers with shinny new ones.
We need reliable, secure, architectures. Why not left the current high-performance improvements to gamers and people running high performance computing clusters while offering slower but secure processors to people that want them?