The Indirector attack, also known as Branch Target Injection (BTI), targets vulnerabilities in two key CPU components: the Indirect Branch Predictor (IBP) and the Branch Target Buffer (BTB). These components predict the next instructions a program will execute in order to improve processor performance. The attack exploits flaws in the way these components handle branch data, together with their predictable internal structure.
The Indirector attack involves three main steps. First, attackers use the iBranch Locator tool to identify vulnerable branches within the IBP; the tool uses eviction techniques to pinpoint the exact location of those branches for later manipulation. Once vulnerable branches are identified, malicious entries are injected into the CPU's prediction structures, enabling speculative execution of unauthorized code. Finally, the attack defeats the Address Space Layout Randomization (ASLR) security measure by calculating the exact memory addresses of targeted branches and their destinations, allowing manipulation of program flow and potential data leaks.
The vulnerability may affect Intel's 12th and 13th generation Core processors, codenamed Alder Lake and Raptor Lake respectively. Mitigating the Indirector attack involves strategies such as the indirect branch prediction barrier (IBPB) and hardening the branch prediction unit (BPU) with more complex tags, encryption, and randomization. However, applying IBPB aggressively may cause a significant performance loss of up to 50%.
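A defender-side check, added here and not taken from the article or the researchers' tooling: on a Linux host the kernel reports its branch-target-injection (Spectre v2) mitigation, including whether and how IBPB is applied, through a sysfs file. The file path and status wording are Linux kernel details assumed for this example; the article does not mention them.

```shell
# Report how the Linux kernel applies IBPB for the branch-target-injection class.
# Assumption: /sys/devices/system/cpu/vulnerabilities/spectre_v2 exists and uses
# the kernel's "Mitigation: ...; IBPB: <mode>; ..." wording (not from the article).

# ibpb_mode LINE -> "conditional", "always-on" or "disabled" when the status line
# carries an "IBPB: <mode>" field, otherwise "none".
ibpb_mode() {
    case "$1" in
        *"IBPB: conditional"*) echo conditional ;;
        *"IBPB: always-on"*)   echo always-on ;;
        *"IBPB: disabled"*)    echo disabled ;;
        *)                     echo none ;;
    esac
}

# bti_state LINE -> overall state from the leading keyword of the status line.
bti_state() {
    case "$1" in
        Mitigation:*)     echo mitigated ;;
        Vulnerable*)      echo vulnerable ;;
        "Not affected"*)  echo not-affected ;;
        *)                echo unknown ;;
    esac
}

# check_host reads the live sysfs line, prints state / IBPB mode / raw line, and
# returns non-zero when the host is vulnerable or runs without IBPB, so an
# inventory script can flag it.
check_host() {
    f=/sys/devices/system/cpu/vulnerabilities/spectre_v2
    [ -r "$f" ] || { echo "spectre_v2 status not exposed by this kernel"; return 2; }
    line=$(cat "$f")
    s=$(bti_state "$line")
    m=$(ibpb_mode "$line")
    printf '%s\tIBPB=%s\t%s\n' "$s" "$m" "$line"
    [ "$s" = mitigated ] && [ "$m" != none ] && [ "$m" != disabled ]
}
```

Run `check_host` on each Linux host in scope; a "conditional" IBPB mode means the barrier is issued only on selected context switches, which is the usual trade-off against the performance cost the article mentions.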
Researchers Yavarzadeh, Li, and Tullsen reported the vulnerability to Intel in February 2024, and the company notified hardware and software vendors. A technical paper detailing the Indirector attack, its methodologies, and possible mitigations has been published. Proof-of-concept code and tools for branch injection attacks are also available for further investigation on GitHub. The full findings will be presented at the USENIX Security Symposium in August 2024.
In addition to the Indirector attack, Arm CPUs have been found vulnerable to a speculative execution attack called "TIKTAG," which exploits the Memory Tagging Extension (MTE) to leak data with high success rates.
Overall, these vulnerabilities highlight the ongoing challenges in ensuring the security of modern processors and the importance of proactive measures to protect against potential attacks.
Article Source
https://www.computing.co.uk/news/4330999/intel-processors-threatened-cpu-channel-attack