Researchers from the University of California have introduced a new high-precision Branch Target Injection (BTI) attack called “Indirector” that targets vulnerabilities in the Indirect Branch Predictor (IBP) and Branch Target Buffer (BTB) of Intel CPUs, specifically those from the Raptor Lake and Alder Lake generations.
The attack, named Indirector, was developed by security researchers Luyi Li, Hosein Yavarzadeh, and Dean Tullsen. It exploits weaknesses in the IBP and BTB to circumvent current defenses and compromise CPU security.
The IBP plays a crucial role in predicting the destination addresses of indirect branches in modern CPUs. These branches are control flow instructions whose destination address is calculated at runtime, making them challenging to predict accurately. The IBP uses a combination of global history and branch address to make these predictions.
By reverse engineering the IBP, the researchers were able to analyze its size, structure, and prediction mechanisms in detail, uncovering new attack vectors that can bypass existing defenses and compromise CPU security. They found that the IBP on modern Intel CPUs has a three-table structure, each table two-way set-associative and indexed with a different global history length. These tables use hash functions to compute the index and label from the global history and the branch instruction address.
The researchers identified the exact index and label hash functions needed to launch precise BTI attacks, allowing attackers to manipulate indirect branch prediction and redirect program control flow to a malicious destination address.
The Indirector attack leverages a custom tool called iBranch Locator that efficiently locates indirect branches within the IBP without prior history information. The tool simplifies the process by identifying the IBP set where the victim’s indirect branch resides and then searching for label aliases. Using it, attackers can perform high-precision injection attacks, including PPI injection attacks and BTB injection attacks.
To mitigate the risks posed by Indirector attacks, the researchers recommend aggressive use of IBPB (Indirect Branch Predictor Barrier) and a safe BPU design. Intel was notified of these findings in February 2024 and has shared them with other affected hardware and software vendors. The full details of the Indirector attack will be presented at the upcoming USENIX Security Symposium in August 2024.
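The "aggressive use of IBPB" recommendation translates on Linux into the kernel's spectre_v2 user-mode policy. The script below is an added example (not from the article or the Indirector paper) that reads the kernel's spectre_v2 status line and reports whether IBPB is issued unconditionally on context switch (always-on) or only conditionally; the sysfs path, token names and the `spectre_v2_user=on` boot parameter are mainline Linux conventions, and the sample status strings in the comments are constructed.

```shell
#!/bin/sh
# Added defender-side check: how is the Linux kernel applying IBPB right now?
# Example status lines the kernel emits (constructed here for illustration):
#   "Mitigation: Retpolines; IBPB: conditional; STIBP: conditional; RSB filling"
#   "Mitigation: Enhanced / Automatic IBRS; IBPB: always-on; RSB filling"
#   "Vulnerable"

SPECTRE_V2_SYSFS=/sys/devices/system/cpu/vulnerabilities/spectre_v2

# ibpb_mode STATUS_LINE -> prints one of: always-on, conditional, disabled, none.
# "none" means the line carries no IBPB token at all (e.g. a bare "Vulnerable").
# The pattern includes the leading "IBPB:" so the "STIBP: ..." token never matches.
ibpb_mode() {
    case "$1" in
        *"IBPB: always-on"*)   echo always-on ;;
        *"IBPB: conditional"*) echo conditional ;;
        *"IBPB: disabled"*)    echo disabled ;;
        *)                     echo none ;;
    esac
}

# ibpb_is_aggressive STATUS_LINE -> succeeds only when the barrier is applied on
# every context switch, the setting closest to the researchers' recommendation.
ibpb_is_aggressive() {
    [ "$(ibpb_mode "$1")" = always-on ]
}

# report_host: read the live status (if readable) and print a one-line verdict.
report_host() {
    if [ ! -r "$SPECTRE_V2_SYSFS" ]; then
        echo "spectre_v2 status not readable at $SPECTRE_V2_SYSFS"
        return 2
    fi
    status=$(cat "$SPECTRE_V2_SYSFS")
    echo "kernel reports: $status"
    if ibpb_is_aggressive "$status"; then
        echo "IBPB is always-on: barrier issued unconditionally on context switch"
    else
        echo "IBPB mode is '$(ibpb_mode "$status")'; boot with spectre_v2_user=on to force always-on"
    fi
}

# Only probe the live host when run directly as ibpb_check.sh (assumed file name),
# so the functions above can be sourced and exercised with sample strings.
case "$0" in
    ibpb_check.sh|*/ibpb_check.sh) report_host ;;
esac
```

Conditional IBPB (the default on most distributions) only issues the barrier for tasks that opt in via prctl or seccomp, so a host reporting `IBPB: conditional` does not meet the always-on bar this check tests for.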
In conclusion, the Indirector attack highlights vulnerabilities in the IBP and BTB of Intel CPUs that pose significant risks to CPU security. By exploiting these weaknesses, attackers can redirect program control flow to malicious destinations, compromising system integrity. The researchers’ recommended countermeasures aim to strengthen the security of Intel CPUs and prevent future attacks. This research underlines the importance of robust hardware security measures against emerging threats in the cybersecurity landscape.
Article Source
https://cybersecuritynews.com/indirector-side-channel-attack/amp/