Predicting Secret Keys via Branch Prediction

Published 6 September 2016, 16:55
We give an overview of a new software side-channel attack, enabled by the branch prediction capability common to all modern high-performance CPUs. The penalty paid (extra clock cycles) for a mispredicted branch can be used for cryptanalysis of cryptographic primitives that employ a data-dependent program flow. Analogous to the cache-based side-channel attacks, this attack allows an unprivileged process to attack other processes running in parallel on the same processor, despite sophisticated partitioning methods such as memory protection, sandboxing or even virtualization. We discuss in detail several such attacks on the RSA cryptosystem, and experimentally show their applicability to real systems. The practical results from our experiments should encourage engineers to think about efficient and secure software mitigations for such side-channel attacks. Additionally, we introduce several new hardware countermeasures.
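The abstract's core point is that a branch whose outcome depends on a secret bit leaves a mispredict pattern that follows the key. The example below is added here and is not code from the talk or the paper: it contrasts a textbook square-and-multiply modular exponentiation whose `if` is taken only when the exponent bit is 1 (the data-dependent program flow the abstract describes) with a branch-free variant that does the same work on every iteration and picks the result with a mask, which is the kind of software mitigation the abstract asks engineers to consider. The function names, the small 32-bit operand size and the test values are the example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not the paper's code. Operands are assumed to be below 2^32
 * so that a*b fits in a uint64_t; real RSA uses multi-limb Montgomery
 * arithmetic, but the control-flow difference shown here is the same. */

/* Multiply modulo m. Note: '%' by a variable divisor is itself not guaranteed
 * constant-time on every CPU; production code avoids it via Montgomery
 * reduction. It is used here only to keep the example short. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) {
    return (a * b) % m;
}

/* Vulnerable pattern: the conditional multiply runs only for exponent bits
 * equal to 1, so the branch predictor's hit/miss sequence tracks the secret.
 * 'bits' is the fixed exponent length scanned from the most significant bit. */
uint64_t modexp_branchy(uint64_t base, uint64_t exp, uint64_t m, unsigned bits) {
    uint64_t r = 1 % m;
    for (int i = (int)bits - 1; i >= 0; i--) {
        r = mulmod(r, r, m);          /* square every iteration */
        if ((exp >> i) & 1) {         /* secret-dependent branch */
            r = mulmod(r, base, m);   /* multiply only when bit is 1 */
        }
    }
    return r;
}

/* Branch-free conditional select: returns a when bit == 1, b when bit == 0.
 * The mask is all ones or all zeros, so no branch is needed. */
static uint64_t ct_select(uint64_t bit, uint64_t a, uint64_t b) {
    uint64_t mask = (uint64_t)0 - (bit & 1);
    return (a & mask) | (b & ~mask);
}

/* Hardened pattern: the multiply is always performed and the exponent bit only
 * decides which of the two values is kept, so the sequence of executed
 * branches is identical for every exponent of the same length. */
uint64_t modexp_ct(uint64_t base, uint64_t exp, uint64_t m, unsigned bits) {
    uint64_t r = 1 % m;
    for (int i = (int)bits - 1; i >= 0; i--) {
        r = mulmod(r, r, m);
        uint64_t t = mulmod(r, base, m);       /* unconditional multiply */
        r = ct_select((exp >> i) & 1, t, r);   /* masked choice, no branch */
    }
    return r;
}

int main(void) {
    /* Constructed check: 4^13 mod 497 = 445 with both variants. */
    uint64_t a = modexp_branchy(4, 13, 497, 4);
    uint64_t b = modexp_ct(4, 13, 497, 4);
    printf("branchy=%llu constant-time=%llu\n",
           (unsigned long long)a, (unsigned long long)b);
    return (a == b && a == 445) ? 0 : 1;
}
```

Both functions return the same values, which is the point: the mitigation changes the instruction stream's dependence on the key, not the arithmetic. Two practical caveats when applying this pattern: an optimising compiler is free to turn the mask selection back into a conditional branch, so the generated assembly must be inspected (or a compiler-barrier idiom used), and the exponent length passed as `bits` must be fixed (for example the full modulus size) rather than derived from the secret's leading zeros, otherwise the loop count itself leaks.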