A new high-precision Branch Target Injection (BTI) attack called ‘Indirector’ has been discovered by researchers at the University of California, San Diego. This attack targets flaws in the Indirect Branch Predictor (IBP) and Branch Target Buffer (BTB) found in modern Intel processors, specifically in the Raptor Lake and Alder Lake generations. Indirector manipulates speculative execution to extract sensitive information from the CPU.
The researchers will present their findings at the upcoming USENIX Security Symposium in August 2024. The attack exploits vulnerabilities in the IBP and BTB systems, which are used to predict target addresses of branches in the CPU based on historical execution data. The predictable structure of these components allows for precise manipulation by the attacker.
Indirector employs three main mechanisms for its attacks: iBranch Branch Locator, PPI/BTB injections, and ASLR Override. These methods involve identifying victim branches, injecting targeted code into prediction structures, and breaking address space layout randomization (ASLR) to control the flow of processes. In addition to speculative execution, cache side-channel techniques are used to infer accessed data.
To mitigate Indirector attacks, the researchers propose implementing more aggressive use of the Indirect Branch Prediction Barrier (IBPB) and enhancing the branch prediction unit (BPU) design with complex labels, encryption, and randomization. However, there are performance trade-offs associated with these mitigations, especially with IBPB causing a 50% performance loss on Linux systems.
Intel was informed of the Indirector attack in February 2024 and has notified affected hardware and software vendors. The researchers have provided a white paper detailing the attack methodologies, data leakage mechanisms, and suggested mitigations. They have also shared proof-of-concept code and tools for their branch injection attacks on GitHub.
Overall, Indirector poses a significant threat to modern Intel CPUs, and mitigating this attack requires a careful balance between security measures and performance considerations. The researchers’ work sheds light on the vulnerabilities in current branch prediction systems and highlights the importance of addressing these issues to protect against sophisticated BTI attacks.
Article Source
https://www.bleepingcomputer.com/news/security/latest-intel-cpus-impacted-by-new-indirector-side-channel-attack/amp/