Current Intel processors, including Raptor Lake and Alder Lake, have been found to be vulnerable to a new side-channel attack that can be used to leak sensitive information from the processors.
The attack, code-named Indirector by security researchers Luyi Li, Hossein Yavarzadeh, and Dean Tullsen, exploits weaknesses discovered in the Indirect Branch Predictor (IBP) and Branch Target Buffer (BTB) to bypass existing defenses and compromise the security of the processors.
“The indirect branch predictor (IBP) is a hardware component of modern processors that predicts the target addresses of indirect branches,” the researchers noted.
“Indirect branches are flow-of-control instructions whose destination address is calculated at runtime, making them difficult to predict accurately. IBP uses a combination of global history and branch addresses to predict the target address of indirect branches.”
The idea is essentially to identify weaknesses in the IBP in order to launch precise Branch Target Injection (BTI) attacks, also known as Spectre v2 (CVE-2017-5715), which target the processor's indirect branch predictor and lead to unauthorized disclosure of information to an attacker with local user access through a side channel.
This is achieved with a custom tool called iBranch Locator, which is used to locate any indirect branch, followed by precise targeted injections into the IBP and BTB to steer speculative execution.
Yavarzadeh, one of the paper’s lead authors, told The Hacker News that “while Pathfinder so far targeted the Conditional Branch Predictor, which predicts whether a branch will be taken or not, this study attacks target predictors,” adding, “Indirector attacks are much more serious in terms of their possible scenarios.”
According to Yavarzadeh, Indirector reverse-engineers the IBP and BTB, which are responsible for predicting the target addresses of branch instructions in modern processors, in order to build extremely high-resolution targeted branch injection attacks that can hijack the control flow of a victim program, causing it to jump to arbitrary locations and reveal secrets.
Intel, which learned of the findings in February 2024, has since notified other affected hardware and software vendors of the issue.
“Intel reviewed the report presented by academic researchers and determined that the prior mitigation recommendations for issues such as IBRS, eIBRS, and BHI are effective against this new study, and no new mitigations or recommendations are required,” a company spokesperson told the publication.
As a countermeasure, it is recommended to use the indirect branch prediction barrier (IBPB) more aggressively and strengthen the branch prediction unit (BPU) design by including more complex tags, encryption, and randomization.
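As an added example (not code from the researchers or from Intel), the following Python check parses the Spectre v2 mitigation status that Linux reports in sysfs and flags where the mitigations named above (IBRS/eIBRS, IBPB, BHI) are missing. The status strings embedded in it are constructed samples; the exact wording varies across kernel versions, so the parser is deliberately lenient.

```python
from pathlib import Path
import re

# Constructed samples in the style of /sys/devices/system/cpu/vulnerabilities/spectre_v2.
# Newer kernels separate components with ';', older ones with ','.
SAMPLE_EIBRS = ("Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; "
                "RSB filling; PBRSB-eIBRS: SW sequence; BHI: BHI_DIS_S")
SAMPLE_RETPOLINE = "Mitigation: Retpolines, IBPB: conditional, STIBP: disabled, RSB filling"
SAMPLE_VULNERABLE = "Vulnerable"

def parse_spectre_v2(status: str) -> dict:
    """Split a spectre_v2 status line into its named components."""
    status = status.strip()
    if not status.startswith("Mitigation:"):
        # "Vulnerable", "Not affected", or an unknown format: nothing to parse.
        return {"mitigated": False, "primary": None, "raw": status}
    parts = [p.strip() for p in re.split(r"[;,]", status[len("Mitigation:"):]) if p.strip()]
    info = {"mitigated": True, "primary": parts[0], "raw": status}
    for part in parts[1:]:
        key, _, value = part.partition(":")
        # Components without a value (e.g. "RSB filling") are simply present.
        info[key.strip()] = value.strip() or "present"
    return info

def mitigation_gaps(status: str) -> list:
    """Return the gaps relative to the guidance above: indirect-branch isolation
    (IBRS/eIBRS or retpolines), IBPB in use, and a BHI mitigation reported."""
    info = parse_spectre_v2(status)
    if not info["mitigated"]:
        return ["no Spectre v2 mitigation reported"]
    gaps = []
    primary = info["primary"]
    if "IBRS" not in primary and "Retpoline" not in primary:
        gaps.append(f"unexpected primary mitigation: {primary}")
    if info.get("IBPB", "disabled").lower() == "disabled":
        gaps.append("IBPB not in use")
    if info.get("BHI", "vulnerable").lower().startswith("vulnerable"):
        gaps.append("no BHI mitigation reported")
    return gaps

def live_gaps(path: str = "/sys/devices/system/cpu/vulnerabilities/spectre_v2"):
    """Run the check against the local machine; returns None off Linux."""
    p = Path(path)
    return mitigation_gaps(p.read_text()) if p.exists() else None

if __name__ == "__main__":
    for sample in (SAMPLE_EIBRS, SAMPLE_RETPOLINE, SAMPLE_VULNERABLE):
        print(sample, "->", mitigation_gaps(sample) or "ok")
    print("local:", live_gaps())
```

The check reports only what the kernel advertises; whether IBPB is actually applied on the context switches that matter still depends on the kernel's policy (e.g. "conditional" versus "always-on").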
The research comes after Arm processors were found to be susceptible to a new speculative execution attack called TikTag, which targets the Memory Tagging Extension (MTE) to leak data with more than 95% success in less than four seconds.
The study, by researchers Juhee Kim, Jinbum Park, Sihyun Roh, Jaeyoung Chung, Yongju Lee, Taesu Kim, and Byoungyoung Lee, “identifies new TikTag gadgets capable of leaking MTE tags from arbitrary memory addresses through speculative execution.”
“Using TikTag gadgets, attackers can bypass MTE’s probabilistic defenses, increasing attack success rates by nearly 100%.”
In response to the disclosure, Arm said “MTE can provide a limited set of deterministic first-line defenses and a broader set of probabilistic first-line defenses against certain classes of exploits.”
“However, probabilistic properties are not intended to be a complete solution against an interactive adversary that is capable of brute force, leaking, or creating arbitrary address tags.”
(The story was updated after publication to include comments from Hossein Yavarzadeh and Intel.)