1. Field
The present invention relates generally to computer security and, more specifically, to mitigating side channel attacks based on branch prediction activity or other timing considerations in a processor.
2. Description
New theories for attacking the security of computer systems have been proposed. These theories are called Branch Prediction Attacks (BPA) and Simple Branch Prediction Attacks (SBPA). See Onur Aciiçmez, çetin Koç, and Jean-Pierre Seifert, “Predicting Secret Keys via Branch Prediction”, available on the Internet at http:**eprint.iacr.orq*2006*288 (the “/”s have been replaced with “*”s herein) (accepted to the upcoming Rivest/Shamir/Adleman (RSA) 2007 conference); and Onur Aciiçmez, çetin Koç, and Jean-Pierre Seifert, “On the Power of Simple Branch Prediction Analysis”, available on the Internet at http:**cryptome.orq*sbpa*sbpa.htm (the “/”s have been replaced with “*”s herein).
The papers showed how an unprivileged spy program can discover a private RSA key by using branch prediction leaks during the Square-and-Multiply (S&M) modular exponentiation procedure. The results were demonstrated on OpenSSL version 9.7 (an open source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols). Careful reading of these papers leads to the conclusion that branch prediction attacks can be extended beyond the particular example of modular exponentiation in OpenSSL 9.7. In fact, the OpenSSL version 9.8 mitigations against cache attacks do not protect against the new threat. Moreover, it turns out that one of the added mitigations actually opened a door to a branch prediction attack.
New mitigations to side channel attacks are needed to deter attempts to subvert the security of a computer system.