{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,27]],"date-time":"2026-01-27T15:17:51Z","timestamp":1769527071428,"version":"3.49.0"},"reference-count":35,"publisher":"Association for Computing Machinery (ACM)","issue":"1","license":[{"start":{"date-parts":[[2016,3,7]],"date-time":"2016-03-07T00:00:00Z","timestamp":1457308800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"National Science Foundation","award":["CNS-1422401"],"award-info":[{"award-number":["CNS-1422401"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Archit. Code Optim."],"published-print":{"date-parts":[[2016,4,5]]},"abstract":"<jats:p>Covert channels through shared processor resources provide secret communication between two malicious processes: the trojan and the spy. In this article, we classify, analyze, and compare covert channels through dynamic branch prediction units in modern processors. Through experiments on a real hardware platform, we compare contention-based channel and the channel that is based on exploiting the branch predictor\u2019s residual state. We analyze these channels in SMT and single-threaded environments under both clean and noisy conditions. Our results show that the residual state-based channel provides a cleaner signal and is effective even in noisy execution environments with another application sharing the same physical core with the trojan and the spy. We also estimate the capacity of the branch predictor covert channels and describe a software-only mitigation technique that is based on randomizing the state of the predictor tables on context switches. We show that this protection eliminates all covert channels through the branch prediction unit with minimal impact on performance.<\/jats:p>","DOI":"10.1145\/2870636","type":"journal-article","created":{"date-parts":[[2016,3,8]],"date-time":"2016-03-08T08:33:07Z","timestamp":1457425987000},"page":"1-23","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":61,"title":["Understanding and Mitigating Covert Channels Through Branch Predictors"],"prefix":"10.1145","volume":"13","author":[{"given":"Dmitry","family":"Evtyushkin","sequence":"first","affiliation":[{"name":"State University of New York at Binghamton"}]},{"given":"Dmitry","family":"Ponomarev","sequence":"additional","affiliation":[{"name":"State University of New York at Binghamton"}]},{"given":"Nael","family":"Abu-Ghazaleh","sequence":"additional","affiliation":[{"name":"University of California, Riverside"}]}],"member":"320","published-online":{"date-parts":[[2016,3,7]]},"reference":[{"key":"e_1_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1145\/1229285.1266999"},{"key":"e_1_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1007\/11967668_15"},{"key":"e_1_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1145\/1866307.1866341"},{"key":"e_1_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1109\/MICRO.2014.42"},{"key":"e_1_2_1_5_1","volume-title":"Proceedings of the 2001 IEEE International Symposium for Performance Analysis of Systems and Software.","author":"Co M.","unstructured":"M. Co and K. Skadron. 2001. The effects of context switching on branch predictor performance. In Proceedings of the 2001 IEEE International Symposium for Performance Analysis of Systems and Software."},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1145\/2086696.2086714"},{"key":"e_1_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1109\/HPCA.2014.6835931"},{"key":"e_1_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/2842621"},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/232974.232975"},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1109\/MICRO.2014.25"},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/2768566.2768571"},{"key":"e_1_2_1_12_1","volume-title":"A Guide to Understanding Covert Channel Analysis of Trusted Systems","author":"Gligor Virgil D.","unstructured":"Virgil D. Gligor. 1993. A Guide to Understanding Covert Channel Analysis of Trusted Systems. National Computer Security Center."},{"key":"e_1_2_1_13_1","unstructured":"Mordechai Guri Matan Monitz Yisroel Mirski and Yuval Elovici. 2015. BitWhisper: Covert signaling channel between air-gapped computers using thermal manipulations. arXiv:1503.07919."},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1002\/j.1538-7305.1950.tb00463.x"},{"key":"e_1_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1145\/2451116.2451146"},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.5555\/882488.884165"},{"key":"e_1_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1109\/HPCA.2015.7056069"},{"key":"e_1_2_1_18_1","unstructured":"Intel. 2010. Intel 64 and IA-32 Architectures Software Developer Manual. Available at http:\/\/www.intel.com"},{"key":"e_1_2_1_19_1","unstructured":"Alexey Kopytov. 2004. SysBench: A System Performance Benchmark. https:\/\/github.com\/akopytov\/sysbench."},{"key":"e_1_2_1_20_1","unstructured":"Scott McFarling. 1993. Combining Branch Predictors. Technical Report TN-36. Digital Western Research Laboratory."},{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1145\/2487726.2488368"},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1109\/TCAD.2014.2331332"},{"key":"e_1_2_1_23_1","volume-title":"Proceedings of the Workshop on Complexity-Effective Design, in Conjunction with ISCA.","author":"Ramsay Matt","unstructured":"Matt Ramsay, Chris Feucht, and Mikko H. Lipasti. 2003. Exploring efficient SMT branch predictor design. In Proceedings of the Workshop on Complexity-Effective Design, in Conjunction with ISCA."},{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.5555\/2831143.2831171"},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/1653662.1653687"},{"key":"e_1_2_1_26_1","volume-title":"Proceedings of the 2013 European Workshop on System Security (EUROSEC\u201913)","author":"Saltaformaggio B.","unstructured":"B. Saltaformaggio, D. Xu, and X. Zhang. 2013. BusMonitor: A hypervisor-based solution for memory bus covert channels. In Proceedings of the 2013 European Workshop on System Security (EUROSEC\u201913)."},{"key":"e_1_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/1508244.1508258"},{"key":"e_1_2_1_28_1","volume-title":"Proceedings of the International Symposium on High Performance Computer Architecture. IEEE","author":"Wang Y.","unstructured":"Y. Wang, A. Ferraiuolo, and E. Suh. 2014a. Timing channel protection for a shared memory controller. In Proceedings of the International Symposium on High Performance Computer Architecture. IEEE, Los Alamitos, CA."},{"key":"e_1_2_1_29_1","volume-title":"Proceedings of the 2014 IEEE 20th International Symposium on High Performance Computer Architecture (HPCA\u201914)","author":"Wang Yao","unstructured":"Yao Wang, Andrew Ferraiuolo, and G. Edward Suh. 2014b. Timing channel protection for a shared memory controller. In Proceedings of the 2014 IEEE 20th International Symposium on High Performance Computer Architecture (HPCA\u201914). IEEE, Los Alamitos, CA, 225--236."},{"key":"e_1_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACSAC.2006.20"},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1109\/RISP.1991.130767"},{"key":"e_1_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.5555\/2362793.2362802"},{"key":"e_1_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.45"},{"key":"e_1_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2009.25"},{"key":"e_1_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2011.31"}],"container-title":["ACM Transactions on Architecture and Code Optimization"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2870636","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/2870636","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/2870636","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,11,18]],"date-time":"2025-11-18T09:22:36Z","timestamp":1763457756000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2870636"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2016,3,7]]},"references-count":35,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2016,4,5]]}},"alternative-id":["10.1145\/2870636"],"URL":"https:\/\/doi.org\/10.1145\/2870636","relation":{},"ISSN":["1544-3566","1544-3973"],"issn-type":[{"value":"1544-3566","type":"print"},{"value":"1544-3973","type":"electronic"}],"subject":[],"published":{"date-parts":[[2016,3,7]]},"assertion":[{"value":"2015-10-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2015-12-01","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2016-03-07","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}