現代處理器因為分支預測器投機執行的特性帶來了幽靈攻擊，讓使用者有資訊外洩的疑慮。這種攻擊藉由訓練預測器來操控用戶執行某些危險的指令，透過執行這些指令，攻擊者能夠存取到原無存取權的資料，進而造成安全性的疑慮。這篇論文將會探討透過拔除分支預測器來阻止攻擊者惡意訓練的行為，並將節省下來的資源投入到多路徑執行架構。我們提出的多路徑執行架構會公平地執行每一個平行路徑，此方式會讓攻擊者無法隨意操控流水線的指令，對於幽靈攻擊能有更高的防禦能力。本架構不僅節省了許多硬體資源，也增加處理器的安全性，與遇到分支指令即暫停的架構相比，也有更好的效能表現。

Due to the branch predictors, modern processors are susceptible to Spectre attacks, a speculative execution feature that raises concerns about user information leakage. These attacks manipulate the processor's behavior by training the predictor to execute potentially harmful instructions, allowing attackers to access privileged data, thereby raising security concerns. This thesis discusses how removing the branch predictor can prevent attackers from maliciously training and reallocating the saved resource to a multi-path execution architecture. Our proposed multiverse architecture can execute each path fairly, making it difficult for attackers to manipulate the instruction pipeline, thus offering a novel defense concept against some variants of Spectre attacks. Our architecture not only saves significant hardware resource but also enhances processor security, in addition, our work offers comparable and even better performance compared to architecture that stalls on unresolved branches, which provides a better way to against Spectre attack.

[1] Hennessy, J. L., Patterson, D. A., “Computer architecture: a quantitative approach,” Elsevier, 2011
[2] Yarom, Yuval and Falkner, Katrina, “FLUSH+ RELOAD: A high resolution, low noise, l3 cache Side-Channel attack,” USENIX conference on Security Symposium, 2014
[3] Paul Kocher, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, Yuval Yarom, “Spectre Attacks: Exploiting Speculative Execution,” IEEE Symposium on Security and Privacy, 2019
[4] Hovav Shacham, “The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86),” Computer and Communications Security, 2007
[5] M. J. Knieser and C. A. Papachristou, “Y-pipe: A Conditional Branching Scheme Without Pipeline Delays,” International Symposium on Microarchitecture, 1992
[6] A. K. Uht, V. Sindagi and K. Hall, “Disjoint eager execution: an optimal form of speculative execution,” International Symposium on Microarchitecture, 1995
[7] Tien-Fu Chen, “Supporting highly speculative execution via adaptive branch trees,” International Symposium on High-Performance Computer Architecture, 1998
[8] A. Klauser, A. Paithankar and D. Grunwald, “Selective eager execution on the PolyPath architecture,” International Symposium on Computer Architecture, 1998
[9] Pritpal S. Ahuja, Kevin Skadron, Margaret Martonosi, and Douglas W. Clark., “Multipath execution: opportunities and limits,” International Conference on Supercomputing, 1998
[10] Nathan Binkert et al., “The Gem5 Simulator,” ACM SIGARCH Computer Architecture News, 2011
[11] Standard Performance Evaluation Corporation, “SPEC CPU 2006,” https://www.spec.org/cpu2006/
[12] Cybersecurity vulnerabilities (CVE), “CVE-2018-3639, SSB,” https://www.cve.org/CVERecord?id=CVE-2018-3639
[13] R. E. Kessler, “The Alpha 21264 microprocessor,” IEEE Micro, 1999