Security researchers at the University of California have disclosed a new high-precision attack, called “Indirector”, that targets weaknesses in the Indirect Branch Predictor (IBP) and Branch Target Buffer (BTB) of high-end Intel CPUs such as Raptor Lake and Alder Lake. The attack bypasses current defenses and compromises CPU security by exploiting weaknesses in these two components.
The IBP is a critical hardware component in modern CPUs: it predicts the destination addresses of indirect branches, control-flow instructions whose targets are computed at runtime and are therefore hard to predict accurately. By reverse engineering the IBP, the researchers identified new attack vectors that compromise CPU security by bypassing existing defenses.
On modern Intel CPUs the IBP has a three-table structure; each table is two-way set associative and is indexed with a different global history length. The tables use hash functions over the global history and the branch instruction address to compute an index and a tag. An attacker who recovers the exact index and tag hash functions can manipulate indirect branch prediction and redirect program control flow to addresses of their choosing.
The Indirector attack uses a tool called iBranch Locator to efficiently find indirect branches within the IBP without prior knowledge of the branch history. The tool simplifies the process by identifying the victim’s IBP set and then searching for tag aliases, which reduces the effort required to locate victim entries. Two types of high-precision injection attack can then be performed: the PPI injection attack and the BTB injection attack.
To mitigate the risk of Indirector attacks, the researchers recommend more aggressive use of the Indirect Branch Prediction Barrier (IBPB) and safer predictor design in Intel CPUs, so that indirect branches belonging to different SMT cores and privilege levels cannot alias. The findings were communicated to Intel in February 2024, and details of the attack will be presented at the USENIX Security Symposium in August 2024.
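As an added example (not from the article or the researchers), the POSIX shell script below, assuming a Linux host, reads the kernel's reported Spectre v2 (branch target injection) status from sysfs and reports whether IBPB is active and in which mode; when the sysfs file is not readable it falls back to a constructed sample string so it still runs offline.

```shell
#!/bin/sh
# Added example: classify the kernel's Spectre v2 (BTI) mitigation string and
# report the IBPB mode. On Linux the string is exposed at
# /sys/devices/system/cpu/vulnerabilities/spectre_v2 (assumption: Linux host).

# Print a one-word classification for a spectre_v2 status string.
classify_spectre_v2() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# Return 0 if the status string mentions IBPB at all, 1 otherwise.
ibpb_enabled() {
    case "$1" in
        *IBPB*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Extract the "IBPB: <mode>" field (e.g. conditional, always-on); print "none" if absent.
ibpb_mode() {
    printf '%s\n' "$1" | sed -n 's/.*IBPB: *\([^;]*\).*/\1/p' | grep . || echo none
}

SYSFS=/sys/devices/system/cpu/vulnerabilities/spectre_v2
if [ -r "$SYSFS" ]; then
    status=$(cat "$SYSFS")
else
    # Constructed sample in the kernel's output format, used only when sysfs is unavailable.
    status="Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; PBRSB-eIBRS: SW sequence"
fi

echo "spectre_v2: $status"
echo "state: $(classify_spectre_v2 "$status")"
if ibpb_enabled "$status"; then
    echo "IBPB: present (mode: $(ibpb_mode "$status"))"
else
    echo "IBPB: absent"
fi
```

A mode of "conditional" means the kernel issues the barrier only for selected context switches; "always-on" corresponds to the aggressive use the researchers recommend.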
In conclusion, the Indirector attack highlights the importance of addressing weaknesses in hardware components such as the IBP and BTB in order to harden CPUs against sophisticated attacks like BTI (branch target injection). The researchers continue to explore better defenses and to collaborate with hardware and software vendors on these critical security issues.
Article source: https://cybersecuritynews.com/indirector-side-channel-attack/