Augmenting Branch Predictor to Secure Program Execution

Abstract

Although there are various ways to exploit software vulnerabilities for malicious attacks, the attacks always result in unexpected behavior in program execution, deviating from what the programmer/user intends to do. Program execution blindly follows the execution path specified by control flow transfer instructions with the targets generated at run-time without any validation. An enhancement is therefore proposed to secure program execution by introducing a validation mechanism over control flow transfer instructions at micro-architecture level. The proposed scheme, as a behavior-based protection, treats a triplet of the indirect branch's location, its target address, and the execution path preceding it as a behavior signature of program execution and validates it at run-time. The first two pieces of information can prevent an adversary from overwriting control data and introducing foreign code or impossible targets to redirect an indirect branch. The last one is necessary to defeat the attacks that use a legitimate target but follow an unintended execution path. Interestingly, the branch predictor is found to contain the signature information already and doing a portion of the validation when resolving the branch, thus greatly reducing the validation frequency. An enhancement of branch target buffer (BTB) entry together with a signature table implemented in the form of a Bloom filter in hardware is proposed to incorporate the validation into the processor's pipeline, providing a new defense in the processor architecture to secure program execution.