A&S Graduate Studies
[PAST EVENT] Tao Zhang, Computer Science - Dissertation Defense
Abstract:
Modern microprocessors utilize branch prediction and speculative execution to enhance instruction throughput. Instead of stalling the pipeline and waiting for branch targets to be computed, the CPU consults branch predictors for a possible destination and performs speculative execution. These microarchitectural techniques improve the efficiency of instruction pipelining and out-of-order execution, enabling higher performance and better resource utilization. Despite their widespread adoption, the potential security implications of branch misprediction and transient execution have not drawn much attention until recently.
Around early 2018, the discovery of Spectre attacks exposed critical vulnerabilities in CPUs, undermining both software and hardware isolation and confidentiality. These attacks exploit the side effects of speculative execution stemming from branch predictions. By manipulating branch predictors to generate incorrect predictions, an attacker can trigger speculative execution to bypass bound checks or operate on arbitrary memory space. Consequently, such exploits can access sensitive data during speculative execution and then exfiltrate the information through various microarchitectural side channels.
Spectre and its variants pose a significant security threat that is challenging to mitigate, and existing defenses often come with substantial performance overheads. This dissertation tackles the threat from two perspectives. We first enhance the understanding of exploitable hardware primitives by introducing new transient trojan attacks. Second, we propose secure microarchitecture designs without compromising performance.
We first challenge the perception that the triggers and effects of transient execution attacks are fully understood and that the existing protections leave no room for any attack to occur. We present transient trojans, software modules that conceal malicious activity within transient execution mode. These trojans appear entirely benign, pass static and dynamic analysis checks, but reveal sensitive data when triggered. To construct these trojans, we conducted a comprehensive analysis of the current attack surface in light of recommended mitigation techniques. We uncovered new exploitation techniques through reverse-engineering branch predictors in a selection of recent x86_64 processors. Leveraging these findings, we design three types of transient trojans, showcasing their ability to evade detection and their effectiveness. Second, we present the secret token branch predictor unit (STBPU), a secure BPU design to defend against collision-based speculative execution attacks and BPU side channels with minimal performance impact. Securing branch predictors is challenging, as techniques like partitioning or flushing the BPU only partially mitigate collision-based exploits. Moreover, such mitigations compromise branch prediction accuracy, leading to overall CPU performance degradation. STBPU resolves these challenges by customizing BPU data representations for each software entity that requires isolation. Furthermore, STBPU monitors related hardware events and preemptively adjusts BPU data representations.
Bio:
Tao Zhang is a Ph.D. candidate in the Computer Science Department at William & Mary, under the supervision of Prof. Dmitry Evtyushkin. His research focuses on microarchitecture security, side and covert channels, and secure hardware design. His Ph.D. research has been published in ASPLOS 2020 and DSN 2022. Tao has been interning at Intel since May 2022. Before joining William & Mary, he received his B.Eng. degree from North China University of Technology and his M.S. degree from Central Michigan University.
Sponsored by: Computer Science