Countermeasures Against Branch Target Buffer Attacks*

Giovanni Agosta, Luca Breveglieri
Dipartimento di Elettronica e Informazione, Politecnico di Milano, Piazza L. Da Vinci 32, 20133 Milano, Italy
{agosta,brevegli}@elet.polimi.it

Gerardo Pelosi
Dipartimento di Ingegneria dell'Informazione e Metodi Matematici, Università degli Studi di Bergamo, Viale Marconi 5, 20044 Dalmine (BG), Italy
gerardo.pelosi@unibg.it

Israel Koren
Department of Electrical & Computer Engineering, University of Massachusetts, Amherst, MA 01003
koren@ecs.umass.edu

* This work was carried out under partial financial support of the Italian MiUR (Project PRIN 2006 ID-2006099978) and in part by project FSE ID-413174.

Abstract

Branch Prediction Analysis has been recently proposed as an attack method to extract the key from software implementations of the RSA public key cryptographic algorithm. In this paper, we describe several solutions to protect against such an attack and analyze their impact on the execution time of the cryptographic algorithm. We show that the code transformations required for protection against branch target buffer attacks can be automated and impose only a negligible performance penalty.

1 Introduction

Timing attacks against secret-key/public-key cryptosystems attempt to recover complete key information by measuring the running time of certain computations during the encryption or decryption processes. Timing attacks have been developed against many common crypto-algorithms (e.g., RSA, DSA, Diffie-Hellman and RC5) relying on the key-dependent correlation between the input data and the execution time [7]. The reasons for the dependence of the execution time on the key include conditional branches, cache hits/misses and processor instructions executed in a non-fixed time. For a timing attack to succeed, it must be possible to measure the running time of cryptographic operations. Such measurements can be done not only on a smart card which is in the attacker's possession, but also on a software implementation of a crypto-algorithm running on a remote machine [1]. Several techniques have been developed to protect cryptographic systems against timing attacks, e.g., by forcing the execution time to be independent of the key bits.

In [5, 6] Acıiçmez et al. propose a new attack method that exploits the fact that the Branch Target Buffer (BTB) [3] keeps a history log of the branching choices performed by a cryptographic primitive. The attacker will run a spy process on the same multi-threaded processor that is executing the cryptographic process and will take advantage of the fact that both processes share the use of the BTB. The basic idea is that the spy process will execute a sufficiently high number of branches to guarantee that the BTB entries that keep track of the branches executed by the cryptographic process will be replaced, thus forcing the cryptographic process to always have mispredicted branches. Then, when the cryptographic process executes, it will cause the BTB to be modified when the attacked branch is taken, and leave the spy process' branch target address intact in the BTB when the attacked branch is not taken. This attack, being based on a log of the branching choices that is common to all processes, enables an unprivileged spy process to quickly infer the key used by the
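The introduction states both the root cause (a conditional branch whose direction follows a key bit, which the shared BTB records) and the protection principle (make execution independent of the key bits). The following C example, added here and not taken from the paper or its authors, shows the two side by side on a toy square-and-multiply exponentiation: `modexp_branching` has the key-dependent `if` that a BTB spy observes, while `modexp_branchless` computes the same result with a control flow that is identical for every exponent, using a constant-time masked select. The 32-bit modular arithmetic, the function names and the sample values are all constructed for illustration; a real RSA implementation works on multi-precision integers.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy modular multiplication on 32-bit operands (64-bit product avoids overflow). */
static uint32_t mulmod(uint32_t a, uint32_t b, uint32_t n) {
    return (uint32_t)(((uint64_t)a * b) % n);
}

/* Vulnerable form: the multiply step is guarded by a branch that is taken
 * exactly when the current exponent bit is 1. The taken/not-taken history
 * of this branch is what ends up in the BTB. */
uint32_t modexp_branching(uint32_t base, uint32_t exp, uint32_t n) {
    uint32_t r = 1 % n;
    for (int i = 31; i >= 0; i--) {
        r = mulmod(r, r, n);            /* square, every iteration */
        if ((exp >> i) & 1u)            /* key-dependent branch */
            r = mulmod(r, base, n);     /* multiply only when bit is 1 */
    }
    return r;
}

/* Constant-time select: returns a when mask is all-ones, b when mask is zero.
 * No branch is involved; the result is formed purely by bitwise operations. */
static uint32_t ct_select(uint32_t mask, uint32_t a, uint32_t b) {
    return (a & mask) | (b & ~mask);
}

/* Hardened form: square and multiply are always both executed, and the
 * exponent bit only decides, through a mask, which value is kept. The
 * sequence of branches (just the loop) is the same for every exponent,
 * so the BTB contents carry no information about the key. */
uint32_t modexp_branchless(uint32_t base, uint32_t exp, uint32_t n) {
    uint32_t r = 1 % n;
    for (int i = 31; i >= 0; i--) {
        r = mulmod(r, r, n);                         /* square */
        uint32_t t = mulmod(r, base, n);             /* multiply, always computed */
        uint32_t mask = 0u - ((exp >> i) & 1u);      /* 0x00000000 or 0xFFFFFFFF */
        r = ct_select(mask, t, r);                   /* keep t iff bit is 1 */
    }
    return r;
}

int main(void) {
    /* Constructed sample values (not from the paper): 4^13 mod 497 = 445. */
    uint32_t base = 4, exp = 13, n = 497;
    printf("branching:  %u\n", modexp_branching(base, exp, n));
    printf("branchless: %u\n", modexp_branchless(base, exp, n));
    return 0;
}
```

The branchless version trades a little work (one extra `mulmod` per bit, the same cost the paper measures as a performance penalty for its transformations) for a control flow that does not depend on the exponent. One practical check a practitioner should not skip: inspect the compiled assembly of `ct_select` and the loop at the optimisation level actually used, since a compiler is free to turn a masked select back into a conditional branch, which would silently reintroduce the key-dependent BTB history.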