On the Balance Between the Performance and Security of Modern Processor Micro-architectures
With a never-ending task to increase performance, hardware vendors often overlook how the design of a new micro-architecture can include bugs exploitable by devoted adversaries, which can be used to violate the security guarantees that users take for granted in modern computing systems. Therefore, in this work I take an adversarial role with the task of pinpointing as many security flaws as possible in multiple x86-64 processors implementing recent micro-architecture designs, from both Intel and AMD, where I attempt to propose any mitigation where possible.
As a brief introduction, I first report about how recent efforts by AMD fall short in their task to mitigate cache side-channels techniques in their recent Zen micro-architecture. Then, as a counter example, I propose The Race-Timing prototype, a new software-based technique, agnostic to the micro-architecture, that can configure effective cache-side channels in any modern processor that implements multi-threading. Following, I disclose Branchboozle, a new attack on the branch prediction unit of modern processors, from both Intel and AMD, capable of consistently triggering the now-infamous Spectre bug. Finally, I pay close attention to the memory management unit of recent Intel processors, which can be exploited to mount advanced forms of cache side-channel attacks known as Xlate. Yet, while hard to mitigate, the original implementation of Xlate is considerably slower when compared to other techniques, thus, I propose The TLB Mage, a comprehensive framework that accelerates Xlate attacks in general.
Ultimately, throughout this dissertation it will become apparent how there will never be an end to this line of research, where I will always try to point out security flaws in each new micro-architecture design. Nonetheless, doing so only benefits the end-users of modern computing systems, who can now be certain that work is being done to improve their security and privacy.