Intel CPU vulnerable to side-channel attack Indirector leading to potential data leakage



Five years after the Spectre and Meltdown CPU attacks, researchers have discovered a new variant called Indirector that exploits low-level features of Intel CPUs to break security boundaries and leak protected data. This technique, developed by researchers at the University of California, San Diego, targets the indirect branch predictor (IBP) and branch target buffer (BTB) in high-end Intel CPUs like Raptor Lake and Alder Lake.

Branch Target Injection (BTI) is a technique used in attacks like Spectre v2, which exploit the speculative execution feature of modern CPUs. Speculative execution predicts the path a program will take and runs instructions along it ahead of time to improve performance; in doing so it can temporarily bring sensitive data into CPU caches. These attacks can cross process and privilege boundaries, breaking security mechanisms like Address Space Layout Randomization (ASLR).

The Indirector attack focuses on the IBP component of the CPU branch predictor, which calculates the target address of indirect branches. By exploiting vulnerabilities in the IBP mechanism, researchers were able to develop precise BTI attacks that could inject arbitrary target addresses into the IBP or BTB, leaking sensitive data and compromising security boundaries.

Intel has been notified about the Indirector attack, and while mitigation techniques like Indirect Branch Prediction Barrier (IBPB) exist, they come with significant performance overhead that may not be acceptable for all workloads. Intel has also made changes to the branch prediction unit (BPU) design in new CPUs to prevent indirect branching attacks, but researchers recommend further isolation measures to enhance security.
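To see how a given Linux host currently applies the IBPB mitigation mentioned above, the kernel's Spectre v2 status line can be parsed. The script below is an added example, not part of the original article or the researchers' work; it assumes a Linux kernel that reports its status in `/sys/devices/system/cpu/vulnerabilities/spectre_v2` with an `IBPB: <mode>` field, and the function names and fallback sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example: report how the running Linux kernel applies IBPB.
# Assumption: the kernel's Spectre v2 status line contains "IBPB: <mode>"
# (newer kernels separate fields with ';', older ones with ',').

SPECTRE_V2_FILE=/sys/devices/system/cpu/vulnerabilities/spectre_v2

# Constructed sample status line, used only when sysfs is not readable.
SAMPLE_STATUS='Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling'

# ibpb_mode STATUS_LINE -> always-on | conditional | disabled | not-reported
ibpb_mode() {
    case "$1" in
        *"IBPB: always-on"*)   echo always-on ;;
        *"IBPB: conditional"*) echo conditional ;;
        *"IBPB: disabled"*)    echo disabled ;;
        *)                     echo not-reported ;;
    esac
}

# ibpb_assessment MODE -> one-line interpretation for the operator
ibpb_assessment() {
    case "$1" in
        always-on)   echo "barrier on every switch between user processes (highest overhead)" ;;
        conditional) echo "barrier only for tasks that requested protection (prctl/seccomp)" ;;
        disabled)    echo "no barrier on context switch; predictor state is shared across processes" ;;
        *)           echo "kernel does not report IBPB (unsupported CPU, old kernel, or not affected)" ;;
    esac
}

# report_ibpb -> "<mode>: <assessment>" for this host, or for the sample line
report_ibpb() {
    if [ -r "$SPECTRE_V2_FILE" ]; then
        status=$(cat "$SPECTRE_V2_FILE")
    else
        status=$SAMPLE_STATUS
    fi
    mode=$(ibpb_mode "$status")
    echo "$mode: $(ibpb_assessment "$mode")"
}

report_ibpb
```
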

In conclusion, the Indirector attack highlights ongoing security challenges in CPU microarchitecture and the need for effective mitigation strategies to protect against speculative execution vulnerabilities. Researchers continue to explore new attack techniques, emphasizing the importance of collaboration between hardware vendors, software developers, and security researchers to address these threats.

Article Source
https://www.csoonline.com/article/2514202/new-intel-cpu-side-channel-attack-indirector-can-leak-sensitive-data.html/amp/