Intel processors threatened by new CPU side channel attack
Exploits weaknesses in two key components
Researchers at the University of California, San Diego have uncovered a security vulnerability in modern Intel processors, which could enable attackers to steal sensitive information from affected systems.
The Branch Target Injection (BTI) attack, dubbed "Indirector," exploits weaknesses in two key CPU components: the Indirect Branch Predictor (IBP) and the Branch Target Buffer (BTB).
The IBP and BTB are designed to improve processor performance by predicting which instruction a programme will execute next after a branch, so the pipeline does not have to stall until the branch is resolved.
The BTB records the target addresses of recently executed branch instructions and uses them to forecast future branches and their targets, while the IBP predicts the target addresses of indirect branch instructions.
The Indirector attack takes advantage of flaws in how these components handle data, and their predictable structure.
It uses a three-stage approach, starting with iBranch Locator, a custom tool that uses eviction techniques to identify the exact location (index and tag) of vulnerable branches within the IBP. Attackers can use this to pinpoint the specific entries associated with these branches for precise manipulation.
Once the vulnerable branches are identified, the attack injects malicious code into the prediction structures of the CPU, enabling a form of "speculative execution," where the processor temporarily runs unauthorised code, potentially exposing sensitive data.
Finally, Indirector undermines the Address Space Layout Randomisation (ASLR) security measure by calculating the exact memory addresses of the targeted branches and their intended destinations. With this knowledge, attackers can more easily predict and manipulate the programme's flow, potentially leading to data leaks.
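To make the "index and tag" terminology concrete, here is an added toy model of a tagged, set-indexed branch-target predictor. It is not code from the article or from the Indirector paper, and its predictor sizes are hypothetical rather than Intel's real IBP or BTB parameters. It shows why a predictor whose index and tag are plain bit-slices of the branch address lets unrelated branches land in the same entry (aliasing), and how a wider tag or a keyed, randomised mapping of the kind the researchers propose as a hardware mitigation removes that predictability. The sample branch addresses and the key are constructed for the demonstration.

```python
# Added example (not from the article or the Indirector paper): a toy model of a
# tagged, set-indexed branch-target predictor. All sizes here are hypothetical
# and are not Intel's real IBP/BTB parameters.
import hashlib

INDEX_BITS = 8          # hypothetical: 256 predictor sets


def plain_index_tag(pc: int, tag_bits: int) -> tuple:
    """Index = address bits just above the 4-byte alignment, tag = the next tag_bits bits.
    Bits beyond index+tag are ignored, so addresses that differ only there collide."""
    index = (pc >> 2) & ((1 << INDEX_BITS) - 1)
    tag = (pc >> (2 + INDEX_BITS)) & ((1 << tag_bits) - 1)
    return index, tag


def keyed_index_tag(pc: int, tag_bits: int, key: bytes) -> tuple:
    """Index and tag derived from a keyed hash of the address, a software stand-in
    for the 'encryption and randomisation' idea. Without the key, nobody can
    work out which addresses share an entry."""
    digest = hashlib.blake2b(pc.to_bytes(8, "little"), key=key, digest_size=8).digest()
    value = int.from_bytes(digest, "little")
    index = value & ((1 << INDEX_BITS) - 1)
    tag = (value >> INDEX_BITS) & ((1 << tag_bits) - 1)
    return index, tag


def aliasing_pairs(pcs, mapper) -> int:
    """Number of unordered pairs of distinct branch addresses that map to the same
    (index, tag), i.e. branches that would overwrite each other's prediction."""
    buckets = {}
    for pc in pcs:
        slot = mapper(pc)
        buckets[slot] = buckets.get(slot, 0) + 1
    return sum(n * (n - 1) // 2 for n in buckets.values())


# Constructed sample: four branch sites whose addresses differ only above the
# bits a 4-bit tag can see (stride = 2^(2 + INDEX_BITS + 4) = 16 KiB).
SAMPLE_BRANCHES = [0x401000 + k * (1 << (2 + INDEX_BITS + 4)) for k in range(4)]


def compare_designs(pcs=SAMPLE_BRANCHES, key=b"constructed-demo-key") -> dict:
    """Aliasing pair counts for three predictor designs over the same branches."""
    return {
        "plain_4bit_tag": aliasing_pairs(pcs, lambda pc: plain_index_tag(pc, 4)),
        "plain_32bit_tag": aliasing_pairs(pcs, lambda pc: plain_index_tag(pc, 32)),
        "keyed_32bit_tag": aliasing_pairs(pcs, lambda pc: keyed_index_tag(pc, 32, key)),
    }


if __name__ == "__main__":
    for design, pairs in compare_designs().items():
        print(f"{design}: {pairs} aliasing pair(s) among {len(SAMPLE_BRANCHES)} branches")
```

With the narrow plain tag all four constructed branches share one entry (six colliding pairs); widening the tag or keying the mapping separates them, and in the keyed case an observer without the key cannot compute which addresses would collide, which is the property that makes the locating step harder.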
This attack can target Intel's 12th and 13th generation Core processors, codenamed Alder Lake and Raptor Lake respectively.
Mitigating the Indirector attack requires a delicate balancing act.
The researchers propose two main strategies: more aggressive use of the Indirect Branch Predictor Barrier (IBPB), and improving the Branch Prediction Unit (BPU) design with more complex tags, encryption and randomisation.
However, IBPB activation comes with a significant performance penalty, potentially reducing processing speed by 50%.
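As an added example (not from the article, Intel or the researchers), the following Linux host check lets a defender see whether a machine belongs to the Alder Lake or Raptor Lake families named above and which IBPB mode the kernel's Spectre v2 mitigation currently reports, since more aggressive use of IBPB is the first mitigation the researchers propose. It assumes the sysfs status format "Mitigation: ...; IBPB: <mode>; ..." that Linux writes to /sys/devices/system/cpu/vulnerabilities/spectre_v2, and the family-6 model numbers from the Linux kernel's Intel family/model table; the cpuinfo and status strings embedded below are constructed samples used when those files are absent.

```python
# Added example (not from the article, Intel or the researchers): a Linux host
# check for the named CPU generations and the kernel's reported IBPB mode.
import re
from pathlib import Path
from typing import Optional

# Family 6 model numbers (assumption: taken from the Linux kernel's
# arch/x86/include/asm/intel-family.h, not from the article).
ALDER_LAKE_MODELS = {0x97, 0x9A}
RAPTOR_LAKE_MODELS = {0xB7, 0xBA, 0xBF}

SPECTRE_V2_PATH = Path("/sys/devices/system/cpu/vulnerabilities/spectre_v2")
CPUINFO_PATH = Path("/proc/cpuinfo")


def parse_cpuinfo(text: str) -> tuple:
    """Return (vendor, family, model) from the first CPU block of /proc/cpuinfo text."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields.setdefault(key.strip(), value.strip())   # first CPU block wins
    return (fields.get("vendor_id", ""),
            int(fields.get("cpu family", -1)),
            int(fields.get("model", -1)))


def is_named_generation(vendor: str, family: int, model: int) -> Optional[str]:
    """Name the generation if the CPU is one the article lists, else None."""
    if vendor != "GenuineIntel" or family != 6:
        return None
    if model in ALDER_LAKE_MODELS:
        return "Alder Lake (12th gen)"
    if model in RAPTOR_LAKE_MODELS:
        return "Raptor Lake (13th gen)"
    return None


def ibpb_mode(spectre_v2_status: str) -> str:
    """Extract the IBPB mode from the kernel's spectre_v2 status line.
    Returns 'always-on', 'conditional' or 'disabled', or 'unknown' when the line
    carries no IBPB fragment (e.g. plain 'Vulnerable' or 'Not affected')."""
    m = re.search(r"IBPB:\s*([a-z-]+)", spectre_v2_status)
    return m.group(1) if m else "unknown"


def assess(cpuinfo_text: str, spectre_v2_status: str) -> dict:
    """Combine the CPU identification and the IBPB mode into one report."""
    gen = is_named_generation(*parse_cpuinfo(cpuinfo_text))
    mode = ibpb_mode(spectre_v2_status)
    note = ""
    if mode == "conditional":
        # Kernel parameter spectre_v2_user=on switches IBPB to always-on (at the
        # performance cost the article describes).
        note = "IBPB is conditional; spectre_v2_user=on makes it always-on"
    return {
        "generation": gen or "not one of the generations named",
        "ibpb": mode,
        "note": note,
    }


# Constructed sample inputs (not captured from a real machine).
SAMPLE_CPUINFO = ("vendor_id\t: GenuineIntel\ncpu family\t: 6\n"
                  "model\t\t: 151\nmodel name\t: constructed\n")
SAMPLE_STATUS = "Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling"

if __name__ == "__main__":
    cpuinfo = CPUINFO_PATH.read_text() if CPUINFO_PATH.exists() else SAMPLE_CPUINFO
    status = SPECTRE_V2_PATH.read_text().strip() if SPECTRE_V2_PATH.exists() else SAMPLE_STATUS
    for key, value in assess(cpuinfo, status).items():
        if value:
            print(f"{key}: {value}")
```

The regex accepts both the older comma-separated and the newer semicolon-separated status formats, and the report deliberately distinguishes "conditional" (IBPB only on selected context switches) from "always-on", which is the aggressive setting the 50% figure above refers to.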
The researchers, Hosein Yavarzadeh, Luyi Li and Dean Tullsen, informed Intel about the vulnerability in February 2024, and the company has notified hardware and software vendors.
The researchers have published a technical paper [pdf] detailing the Indirector attack, its methodologies and potential mitigations. Additionally, proof-of-concept code and tools for the branch injection attacks are available on GitHub for further research and analysis by the security community.
The research team will present their full findings at the upcoming USENIX Security Symposium in August 2024.
The news comes amidst another processor vulnerability disclosure.
Arm CPUs were recently found susceptible to a speculative execution attack called "TIKTAG."
This attack exploits the Memory Tagging Extension (MTE) and can leak data with high success rates.