Indirect Branch Validation Unit

Kyung Ho Lee, Yixin Shi, Hui Lin

Research output: Contribution to journal (Article)

1 Citation (Scopus)

Abstract

This paper presents a micro-architectural enhancement, named the Indirect Branch Validation Unit (IBVU), to prevent malicious attacks from compromising the control data of a program. The IBVU provides run-time control-flow protection by validating each dynamic instance of an indirect branch's address and its target address, together called an indirect branch pair (IBP), which represents the program behavior. To validate an IBP at run time with little performance and storage overhead, the IBVU employs a Bloom filter, a hashing-based bit-vector representation for querying set membership. Two organizations that trade off access delay against space in the VLSI design are provided, and three commonly used hashing schemes are evaluated for their performance impact as well as their area overhead. Because adopting a Bloom filter introduces potential false positives, the paper discusses reducing them through the Bloom filter's design parameters, and notes the difficulty of exploiting those false positives for a malicious attack, given the Bloom filter's hashing-based indexing.

Original language: English
Pages (from-to): 461-468
Number of pages: 8
Journal: Microprocessors and Microsystems
Volume: 33
Issue number: 7-8
DOIs
Publication status: Published - 2009 Oct 1

Fingerprint

Flow control

Keywords

  • Branch prediction
  • Control data
  • Indirect branch
  • Software attack

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Hardware and Architecture
  • Software
  • Artificial Intelligence

Cite this

Indirect Branch Validation Unit. / Lee, Kyung Ho; Shi, Yixin; Lin, Hui.

In: Microprocessors and Microsystems, Vol. 33, No. 7-8, 01.10.2009, p. 461-468.

@article{0cc4fca6a1574a60a9e5f6519e995871,
title = "Indirect Branch Validation Unit",
keywords = "Branch prediction, Control data, Indirect branch, Software attack",
author = "Lee, {Kyung Ho} and Yixin Shi and Hui Lin",
year = "2009",
month = "10",
day = "1",
doi = "10.1016/j.micpro.2009.09.002",
language = "English",
volume = "33",
pages = "461--468",
journal = "Microprocessors and Microsystems",
issn = "0141-9331",
publisher = "Elsevier",
number = "7-8",

}
