The Micro-architectural Support Countermeasures against the Branch Prediction Analysis Attack

Recently, a kind of micro-architectural side-channel analysis attacks, Branch Prediction Analysis (BPA), has been demonstrated to be practically feasible on the popular commodity PC platform. This attack extracts the secret information based on monitoring the branch target buffers (BTB). Some cryptography algorithms, such as RSA, ECC are naturally vulnerable to BPA because of the key-centric sequence of conditional branches. BPA attack can successfully steal almost all of the security key bits during one single encryption process in virtue of an elaborately designed and "legitimate" spy-process. Although there are some countermeasures existing in the state-of-art literatures, all of them are software-based methods, which lead to a series of design challenges. This paper proposes an architectural support scheme against the BPA attack comprehensively. A well-customized surveillance table with limited size is appended to record each process in order to dynamically recognize which one is malicious in time. And then a lock-based BTB scheme is utilized to protect the BTB visiting from BPA attack efficiently to ensure the sensitive information not be leaked due to the conditional branches loophole. Experimental results show that the proposed anti-BPA attack scheme not only leverages approximate 8KB area cost to provide strong security protection but also incurs slight performance improvement about 0.12% on average about the benchmarks. Meanwhile, it is transparent on the application level to alleviate the difficulties of the programmers.