
Write about mitigations for branch predictor-based side channels

Open kbeyls opened this issue 2 years ago • 3 comments

After a bit of investigation, it seems the following are mitigations that could be worthwhile to briefly discuss in the book:

  • (SW/HW) Flushing branch state when switching between sandboxes/distrusting contexts.
  • (HW) partitioning branch predictor "real estate", so it doesn't get shared.
  • (SW): remove branches, especially the branches that are dependent on secret data, algorithmically or through if-conversion.
  • (HW): randomize branch predictor indexing, i.e. how branches alias.
  • (HW/SW): Prevent predicting sensitive branches.
  • (SW): obfuscating a set of conditional branches by converting them into a single indirect branch. Zigzagger, see [@Lee2017].

kbeyls avatar Jun 14 '23 16:06 kbeyls
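The "(SW): remove branches" item above, sketched as an added example that is not part of the issue or of the book. It shows a secret-dependent branch next to if-converted (mask-based) forms; all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Branchy form: the branch direction depends on secret_bit, so the
   secret influences branch predictor state. */
uint32_t select_branchy(uint32_t secret_bit, uint32_t a, uint32_t b) {
    if (secret_bit)
        return a;
    return b;
}

/* If-converted form: expand the bit into an all-ones or all-zeros mask
   and blend both inputs; no conditional branch in the source. */
uint32_t select_masked(uint32_t secret_bit, uint32_t a, uint32_t b) {
    uint32_t mask = (uint32_t)0 - (secret_bit & 1u); /* 0xFFFFFFFF or 0 */
    return (a & mask) | (b & ~mask);
}

/* Conditional swap of two n-word buffers with the same mask trick.
   The loop bound n is public, so the loop branch carries no secret. */
void cswap_masked(uint32_t secret_bit, uint32_t *x, uint32_t *y, size_t n) {
    uint32_t mask = (uint32_t)0 - (secret_bit & 1u);
    for (size_t i = 0; i < n; i++) {
        uint32_t t = mask & (x[i] ^ y[i]);
        x[i] ^= t;
        y[i] ^= t;
    }
}

/* Equality check without an early exit: every byte is always read and
   differences are accumulated instead of branched on. Returns 1 or 0. */
int equal_masked(const uint8_t *p, const uint8_t *q, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(p[i] ^ q[i]);
    /* diff == 0 wraps to 0xFFFFFFFF, so bit 8 is set only when equal */
    return (int)(1u & (((uint32_t)diff - 1u) >> 8));
}

int main(void) {
    /* Constructed sample values: both forms must agree for either bit. */
    int ok = select_masked(1, 7, 9) == select_branchy(1, 7, 9) &&
             select_masked(0, 7, 9) == select_branchy(0, 7, 9);
    return ok ? 0 : 1;
}
```

Compilers are free to turn the masked form back into a conditional branch, so the generated assembly needs checking for the target and optimization level in use.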

FWIW, the following may be of relevance, https://github.com/MattPD/cpplinks/blob/master/comparch.micro.channels.md#defense-branch-predictor (and, for the broader context, https://github.com/MattPD/cpplinks/blob/master/comparch.micro.channels.md#branch-predictor)

MattPD avatar Jun 27 '23 21:06 MattPD

Thank you for those pointers, that is very useful! I think/hope I've already read most of the publications pointed to in there, but will check.

@all-contributors please add @MattPD for bug, review

kbeyls avatar Jun 28 '23 07:06 kbeyls

@kbeyls

I couldn't determine any contributions to add, did you specify any contributions? Please make sure to use valid contribution names.

I've put up a pull request to add @MattPD! :tada:

allcontributors[bot] avatar Jun 28 '23 07:06 allcontributors[bot]