[PAST EVENT] Tao Zhang, Computer Science - Oral Preliminary Exam Schedule
Modern microprocessors rely on branch prediction and speculative execution to achieve a high speed of high levels of instruction supply. Instead of issuing stalls and waiting for the branch target to be resolved, the CPU consults branch predictors for a possible destination and performs speculative execution. These microarchitecture design techniques can improve the utilization of instruction pipelines and out-of-order execution. However, the security implications of mispredictions and speculations have not drawn attention until recently. In early 2018, Spectre attacks negated the confidentiality and isolations in both software and hardware levels. This vulnerability stems from the side effects of the aforementioned performance enhancements. Namely, by manipulating branch predictors for an incorrect prediction, speculative execution can bypass bound checks or take place on arbitrary memory space. As a result, exploits can access the victim's secret during speculative execution and then exfiltrate the information over various microarchitectural covert channels.
Spectre, alongside its variants, presented an enormous security threat that is hard to mitigate fully, and existing defenses impose big performance overheads. In this dissertation, we address the threat from two perspectives. We first improve the understanding of exploitable hardware primitives with new transient trojan attacks. Next, we propose secure microarchitecture designs without compromising performance.
We first argue against the widely spread perception that the triggers and effects of transient execution attacks are fully understood, and recommended protections leave no room for any attack to occur. We present transient trojans, software modules that conceal their malicious activity within transient execution mode. They appear entirely benign, pass static and dynamic analysis checks, but reveal sensitive data when triggered. To construct these trojans, we perform a detailed analysis of the attack surface currently present in today's systems with respect to the recommended mitigation techniques. We reverse engineer branch predictors in several recent x86_64 processors to uncover previously unknown exploitation techniques. Using these techniques, we construct three types of transient trojans and demonstrate their stealthiness and practicality. Next, we present the secret token branch predictor unit (STBPU), a secure BPU design to defend against collision-based speculative execution attacks and BPU side channels whilst incurring little to no performance overhead. Recent attacks point out that many randomization-based cache designs are flawed and cannot prevent efficient eviction set constructions or leak information across epochs. Besides, due to the pivotal role on the critical paths, modern BPU has hierarchical structures that are not suitable for complex hash algorithms; changing branch prediction mechanisms could affect prediction accuracy. STBPU resolves the above challenges by customizing inside data representations for each software entity requiring isolation. Furthermore, STBPU monitors related hardware events and preemptively changes how BPU data is stored and interpreted. The future work aims to address in-place speculative execution attacks. Specifically, we conduct branch data dependency analysis and observe potentials to achieve early-stage branch resolution on applicable conditional and indirect branches. This design can achieve better security-performance trade-offs by limiting heavy protections to the unresolved branches.
Tao Zhang is a Ph.D. candidate in the Computer Science Department at William & Mary, under the supervision of Prof. Dmitry Evtyushkin. His research focuses on microarchitecture security, side and covert channels, and secure hardware design. Previously, he received his B.Eng. degree from North China University of Technology in 2012 and his M.S. degree from Central Michigan University in 2014.