CIBPU: A Conflict-Invisible Secure Branch Prediction Unit
Abstract
Traditional Secure Branch Prediction Units (SBPUs) often suffer from significant performance degradation or weak security due to visible branch conflicts and reliance on vulnerable key update mechanisms. This paper introduces CIBPU, a Conflict-Invisible SBPU that uses redundant storage and load-aware indexing alongside a static encryption mechanism to prevent attackers from perceiving branch conflicts. Implemented on a RISC-V core, CIBPU achieves strong, persistent security with a minimal performance overhead of only 1.12% to 2.20%.
Key Highlights
- Novel Security Approach: CIBPU (Conflict-Invisible SBPU) aims to prevent attackers from perceiving branch conflicts within the Branch Prediction Unit (BPU), eliminating a primary vector for timing and conflict-based side-channel attacks.
- Low Performance Overhead: The scheme boasts exceptionally low performance overhead, measured at an average of 1.12%–2.20% in gem5 simulations.
- Real-World Validation: CIBPU was successfully implemented on the open-source RISC-V core SonicBOOM and deployed on an FPGA board, showing a consistent performance degradation of approximately 2.01%.
- Strong Security: The design ensures strong security throughout the BPU's lifecycle without requiring the periodic key re-randomization schemes utilized by previous, vulnerable encryption-based methods.
Technical Details
- Mechanism Stack: CIBPU achieves conflict invisibility through three integrated techniques:
  - Redundant storage design.
  - Load-aware indexing and replacement design.
  - A unique encryption mechanism that does not necessitate periodic key updates.
- Comparison to Prior Art: Previous SBPU solutions, based either on physical isolation or periodic key re-randomization, offered limited security and caused prominent performance degradation, which CIBPU successfully mitigates.
- Implementation Platforms: Evaluated using a RISC-V core model in the gem5 simulator and validated on physical hardware using the open-source SonicBOOM RISC-V core on an FPGA board.
- Hardware Cost: The paper notes the hardware storage overhead is "acceptable" while delivering state-of-the-art performance.
Implications
- Advancing RISC-V Security: By demonstrating robust security features directly integrated into an open-source RISC-V implementation (SonicBOOM) with minimal performance impact, CIBPU provides a critical blueprint for the secure evolution of the RISC-V instruction set architecture.
- Resolving Security/Performance Trade-off: CIBPU demonstrates that high-security measures against speculative execution attacks (like Spectre variants that exploit BPU conflicts) do not require prohibitive performance penalties, offering the lowest overhead among evaluated state-of-the-art schemes.
- Microarchitectural Defense: The concept of making microarchitectural events (like conflicts) invisible is a foundational step forward in designing secure hardware primitives, moving beyond simple isolation or periodic randomization to achieve persistent security.