Current microprocessors employ an instruction cache (I-cache) to increase the performance of a system. An I-cache holds copies of recently fetched instructions so that subsequent fetches of the same code are served from the cache rather than from slower main memory. While increasing the performance of the system, I-cache architectures also introduce several security weaknesses, because the state of the cache, and hence the timing of instruction fetches, depends on which code has recently executed.
One security weakness in conventional implementations of I-cache structures involves shared I-cache units in simultaneous multi-threaded (SMT) and/or multi-core systems, wherein I-cache units are shared between different logical or physical processor cores (FIG. 1). If two or more processes are executing simultaneously on the same system and the I-cache is shared between these processes, then a malicious process can indirectly observe the execution of a security-critical application: by timing fetches of its own instructions, it learns which I-cache entries the victim has displaced, and from the victim's resulting pattern of I-cache modifications it can infer the confidential values on which that execution depends.
Another security weakness in conventional implementations of I-cache structures involves instruction mapping. The mapping process (mapping policy) is applied whenever a new instruction entry is to be written to the I-cache, or an existing entry needs to be looked up in the I-cache. The mapping process decides where in the I-cache an entry is stored and, correspondingly, where it must be searched for.
In typical processor architectures, a particular instruction can only be stored in a small, fixed set of I-cache locations (one set of a set-associative cache), selected in a strictly deterministic way from the instruction's address. In other words, given the address of an instruction, it is trivial to compute which I-cache locations can hold it. Due to this predictability, a malicious process can determine where a specific security-critical instruction will reside in the I-cache and thus observe the execution of that instruction by monitoring those locations. As such, the malicious process can discover when a process executes critical instructions and, therefore, reconstruct its execution flow. The execution flow can in turn expose the secret values used by the process, whenever the choice of instructions executed depends on those values.
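The two weaknesses above (a shared I-cache that records the victim's fetches, and a deterministic address-to-set mapping that lets the attacker pick which locations to watch) combine into the classic prime-and-probe observation. The following C model, added here as an illustration and not taken from the original text or from any particular processor, simulates a small set-associative I-cache with LRU replacement. The geometry (64-byte lines, 8 ways, 64 sets), the attacker's code region at 0x400000, and the victim instruction address are all assumed values chosen for the example; `set_index` shows the mapping computation, `prime`/`probe` show how an attacker fills a set with its own lines and then detects a victim fetch into that set as a miss.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed I-cache geometry (hypothetical, chosen for illustration):
 * 64-byte lines, 8 ways, 64 sets = 32 KiB, LRU replacement. */
#define LINE_BYTES 64u
#define NUM_WAYS   8u
#define NUM_SETS   64u
#define SET_STRIDE (LINE_BYTES * NUM_SETS)   /* addresses this far apart share a set */

typedef struct {
    uint64_t tag[NUM_WAYS];
    uint32_t age[NUM_WAYS];   /* larger = more recently used; 0 = invalid way */
} cache_set_t;

typedef struct {
    cache_set_t set[NUM_SETS];
    uint32_t clock;
} icache_t;

/* Deterministic mapping: the set is fixed by the address bits above the line offset. */
static unsigned set_index(uint64_t addr) { return (unsigned)((addr / LINE_BYTES) % NUM_SETS); }
static uint64_t line_tag(uint64_t addr)  { return addr / SET_STRIDE; }

static void icache_init(icache_t *c) { memset(c, 0, sizeof *c); }

/* Model an instruction fetch. Returns true on a hit; on a miss the line is
 * installed in the least recently used way of its set (invalid ways first). */
static bool icache_fetch(icache_t *c, uint64_t addr) {
    cache_set_t *s = &c->set[set_index(addr)];
    uint64_t tag = line_tag(addr);
    c->clock++;
    for (unsigned w = 0; w < NUM_WAYS; w++)
        if (s->age[w] != 0 && s->tag[w] == tag) { s->age[w] = c->clock; return true; }
    unsigned victim = 0;
    for (unsigned w = 1; w < NUM_WAYS; w++)
        if (s->age[w] < s->age[victim]) victim = w;
    s->tag[victim] = tag;
    s->age[victim] = c->clock;
    return false;
}

/* k-th attacker line congruent with set `set_idx`, given an attacker code
 * region whose base address maps to set 0 (assumed). */
static uint64_t attacker_line(uint64_t attacker_base, unsigned set_idx, unsigned k) {
    return attacker_base + (uint64_t)set_idx * LINE_BYTES + (uint64_t)k * SET_STRIDE;
}

/* Prime: execute NUM_WAYS attacker lines so they occupy every way of the set. */
static void prime(icache_t *c, uint64_t attacker_base, unsigned set_idx) {
    for (unsigned k = 0; k < NUM_WAYS; k++)
        icache_fetch(c, attacker_line(attacker_base, set_idx, k));
}

/* Probe: re-execute the same lines and count misses. Probing in reverse order
 * refreshes the most recently used lines first, so under LRU a single victim
 * fetch shows up as exactly one miss rather than a cascade of self-evictions. */
static unsigned probe(icache_t *c, uint64_t attacker_base, unsigned set_idx) {
    unsigned misses = 0;
    for (unsigned k = NUM_WAYS; k-- > 0;)
        if (!icache_fetch(c, attacker_line(attacker_base, set_idx, k))) misses++;
    return misses;
}

/* One prime+probe round on `primed_set`. Returns the number of attacker lines
 * evicted, i.e. the observable trace of a victim fetch into that set. */
static unsigned run_trial(unsigned primed_set, uint64_t victim_addr, bool victim_executes) {
    icache_t c;
    icache_init(&c);
    const uint64_t attacker_base = 0x400000;  /* assumed attacker text region, set-0 aligned */
    prime(&c, attacker_base, primed_set);
    if (victim_executes) icache_fetch(&c, victim_addr);
    return probe(&c, attacker_base, primed_set);
}

int main(void) {
    /* Constructed victim address standing in for a security-critical instruction. */
    const uint64_t victim = 0x7f3a1c001040ull;
    unsigned s = set_index(victim);
    printf("victim instruction maps to set %u (tag 0x%llx)\n", s, (unsigned long long)line_tag(victim));
    printf("victim executed, primed set %u: %u miss(es)\n", s, run_trial(s, victim, true));
    printf("victim idle,     primed set %u: %u miss(es)\n", s, run_trial(s, victim, false));
    printf("victim executed, primed set %u: %u miss(es)\n", (s + 1) % NUM_SETS,
           run_trial((s + 1) % NUM_SETS, victim, true));
    return 0;
}
```

The model shows why the mapping matters: the attacker never reads the victim's memory, it only needs the victim instruction's address to compute `set_index`, and the deterministic stride `SET_STRIDE` lets it build congruent lines from its own code. A real attacker replaces the hit/miss return value with a fetch-time measurement, and a real LRU or pseudo-LRU policy may differ in detail, but the single-set, single-miss signal is the same.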