Write about mitigations for branch predictor-based side channels
kbeyls opened this issue · 3 comments
After a bit of investigation, it seems the following are mitigations that could be worthwhile to briefly discuss in the book:
- (SW/HW) Flushing branch state when switching between sandboxes/distrusting contexts.
- (HW) partitioning branch predictor "real estate", so it doesn't get shared.
- (SW): remove branches, e.g. if-conversion - especially the branches that are dependent on secret data. Algorithmically or through if-conversion.
- (HW): randomize branch predictor indexing, i.e. how branches alias.
- (HW/SW): Prevent predicting sensitive branches.
- (SW): obfuscating a set of conditional branches by converting them into a single indirect branch. Zigzagger, see [@lee2017].
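
The software if-conversion item in the list above, as an added example that is not part of the original issue or the book: a square-and-multiply loop whose conditional branch follows each secret exponent bit, next to an if-converted form that always multiplies and picks the result with a mask. The function names, the 32-bit toy modulus and the sample values are assumptions chosen for illustration, and `m` is assumed to be non-zero.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy sizes (assumption): 32-bit operands so the product fits in uint64_t. */
static uint32_t mulmod(uint32_t a, uint32_t b, uint32_t m) {
    return (uint32_t)(((uint64_t)a * b) % m);
}

/* Before: the branch is taken exactly when the secret bit is 1, so the
 * branch predictor state ends up encoding the exponent bit by bit. */
uint32_t modexp_branchy(uint32_t base, uint32_t secret_exp, uint32_t m) {
    uint32_t r = 1 % m;
    for (int i = 31; i >= 0; i--) {
        r = mulmod(r, r, m);
        if ((secret_exp >> i) & 1)            /* secret-dependent branch */
            r = mulmod(r, base, m);
    }
    return r;
}

/* Branch-free select: mask is all ones when bit == 1, all zeros when 0. */
static uint32_t ct_select(uint32_t bit, uint32_t if_one, uint32_t if_zero) {
    uint32_t mask = (uint32_t)0 - bit;
    return (if_one & mask) | (if_zero & ~mask);
}

/* After if-conversion: the multiply always runs and the only branch left
 * is the loop condition, which depends on the public counter i. */
uint32_t modexp_ifconv(uint32_t base, uint32_t secret_exp, uint32_t m) {
    uint32_t r = 1 % m;
    for (int i = 31; i >= 0; i--) {
        r = mulmod(r, r, m);
        uint32_t t = mulmod(r, base, m);      /* computed for both bit values */
        r = ct_select((secret_exp >> i) & 1, t, r);
    }
    return r;
}

int main(void) {
    /* Constructed sample values: 4^13 mod 497. */
    printf("branchy: %u\n", (unsigned)modexp_branchy(4, 13, 497));
    printf("ifconv:  %u\n", (unsigned)modexp_ifconv(4, 13, 497));
    return 0;
}
```

A compiler is free to turn the mask-based select back into a conditional branch, so the generated assembly has to be checked for the build that ships. The `%` in `mulmod` can also take a data-dependent number of cycles on some CPUs, which is a separate timing channel from the branch predictor.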
FWIW, the following may be of relevance, https://github.com/MattPD/cpplinks/blob/master/comparch.micro.channels.md#defense-branch-predictor (and, for the broader context, https://github.com/MattPD/cpplinks/blob/master/comparch.micro.channels.md#branch-predictor)
Thank you for those pointers, that is very useful!
I think/hope I've already read most of the publications pointed to in there, but will check.
@all-contributors please add @MattPD for bug, review
I couldn't determine any contributions to add, did you specify any contributions?
Please make sure to use valid contribution names.
I've put up a pull request to add @MattPD! 🎉