Intel CPUs Face Spectre-Like Indirector Attack That Leaks Data

Published: 23/11/2024   Category: security




Indirector targets a speculative execution component in silicon that previous research has largely overlooked.



Researchers at the University of California San Diego (UCSD) have found a new way to execute Spectre-like side channel attacks against high-end Intel CPUs, including the recent Raptor Lake and Alder Lake microprocessors.
Like Spectre, the new technique, which the researchers have dubbed Indirector, exploits a speculative execution feature in the Intel CPUs to redirect the control flow of a program — that is, the order in which it executes individual instructions and function calls.
An attacker could use the tactic to essentially trick the CPU into making incorrect speculative executions and leak sensitive data.
Hosein Yavarzadeh, one of the authors of the research (his co-authors are Luyi Li and Dean Tullsen) says they tested their attack on Raptor Lake (13th gen), Alder Lake (12th gen), and Skylake (6th gen) CPUs. But with some minor modifications, the attack should work on all other flagship Intel CPUs spanning the past decade at least, he adds.
Intel so far has not released any microcode fix for Indirector, Yavarzadeh says. "They believe that the best way to mitigate target injection attacks is to use their previously introduced mitigation strategy, called IBPB, more frequently," he notes. "We believe that this would incur a lot of performance overhead and this should be mitigated in hardware or by software patches." IBPB, or Indirect Branch Predictor Barrier, is a hardware-level fix that Intel released in 2018 to protect against Spectre-like attacks. The company has described it as being especially effective in certain contexts where security is critical. But many have described the feature as extracting a steep performance penalty when invoked.
Speculative execution, or out-of-order execution, is a performance-boosting technique where CPUs like Raptor Lake and Alder Lake essentially guess or predict the outcome of future instructions and start executing them before knowing if they are actually needed.
Previous speculative execution attacks — like Spectre and Meltdown — have primarily focused on poisoning two specific components of the execution process. One of them is the Branch Target Buffer (BTB), which stores the predicted target addresses that the processor will likely need; the other is the Return Stack Buffer (RSB), a fixed-size buffer that predicts the target address of return instructions.
The newly developed attack focuses on a previously overlooked component of speculative execution called the Indirect Branch Predictor. "The IBP is a critical component of the branch prediction unit that predicts the target address of indirect branches," the UCSD researchers wrote in their paper. As they explained, indirect branches are control flow instructions where the target address is computed at runtime, making them hard to predict accurately. "By analyzing the IBP, we uncover new attack vectors that can bypass existing defenses and compromise the security of modern CPUs."
Yavarzadeh describes the effort as involving a complete reverse engineering of the structure of IBP in modern Intel processors and then analyzing the size, structure, and mechanisms for making predictions.
The primary motivation behind the Indirector research was to unveil the intricate details of the Indirect Branch Predictor and the Branch Target Buffer units, which are responsible for predicting the target addresses of branch instructions in modern CPUs, he says. The effort involved examining every single detail of the prediction mechanisms in the two units and Intel's mitigation measures for protecting against attacks targeting these two components. From that, the researchers were able to develop highly effective injection attacks targeting the branch prediction mechanism in Intel CPUs, Yavarzadeh says.
A potential exploit involves an attacker poisoning the Indirect Branch Predictor and/or the Branch Target Buffer to hijack the control flow of a victim program. This allows the attacker to jump to an arbitrary location and potentially leak secrets, he says. For a successful attack, an adversary would need to run on the same CPU core as the victim, but the method is significantly more efficient than other state-of-the-art target injection attacks, he says.
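Since the only mitigation Intel currently points to is more frequent use of IBPB, the practical question for a defender is whether a given Linux host's CPU exposes IBPB and whether the kernel's Spectre-v2 mitigation is using it. The script below is an added example, not code from the article or the UCSD researchers; it reads the standard sysfs `spectre_v2` file and the `/proc/cpuinfo` flag line, and takes the paths as parameters so it can be run against the constructed sample files it creates.

```shell
#!/bin/sh
# Added example: summarise the Spectre-v2 / indirect-branch mitigation
# state that a Linux kernel reports, which is where IBPB use shows up.
# Default paths are the real kernel interfaces; both functions accept a
# path so they can be exercised against constructed files.

VULN_FILE=/sys/devices/system/cpu/vulnerabilities/spectre_v2
CPUINFO=/proc/cpuinfo

# spectre_v2_status FILE -> Mitigated | Vulnerable | NotAffected | Unknown
spectre_v2_status() {
    if [ ! -r "$1" ]; then echo Unknown; return; fi
    case "$(cat "$1")" in
        Mitigation:*)   echo Mitigated ;;
        Vulnerable*)    echo Vulnerable ;;
        "Not affected") echo NotAffected ;;
        *)              echo Unknown ;;
    esac
}

# ibpb_in_kernel_mitigation FILE -> exit 0 if the sysfs line mentions IBPB
ibpb_in_kernel_mitigation() {
    [ -r "$1" ] && grep -q 'IBPB' "$1"
}

# cpu_has_ibpb FILE -> exit 0 if the flags line advertises the ibpb feature
cpu_has_ibpb() {
    [ -r "$1" ] && grep '^flags' "$1" | head -n1 | tr ' ' '\n' | grep -qx 'ibpb'
}

# report [VULN_FILE] [CPUINFO] -> human-readable summary
report() {
    vf=${1:-$VULN_FILE}; cf=${2:-$CPUINFO}
    echo "spectre_v2 status : $(spectre_v2_status "$vf")"
    if cpu_has_ibpb "$cf"; then echo "cpu flag ibpb     : present"; else echo "cpu flag ibpb     : absent"; fi
    if ibpb_in_kernel_mitigation "$vf"; then echo "kernel uses IBPB  : yes"; else echo "kernel uses IBPB  : no"; fi
}

# Constructed sample files (not captured from a real host) so the example
# runs anywhere; the line formats mirror what the kernel actually emits.
TMP=$(mktemp -d)
printf 'Mitigation: Retpolines; IBPB: conditional; IBRS_FW; STIBP: conditional; RSB filling\n' > "$TMP/spectre_v2"
printf 'processor\t: 0\nflags\t\t: fpu vme ibrs ibpb stibp ssbd\n' > "$TMP/cpuinfo"
printf 'Vulnerable\n' > "$TMP/spectre_v2_bad"
report "$TMP/spectre_v2" "$TMP/cpuinfo"
```

Run it with no arguments on a real host to read the live kernel interfaces instead of the constructed files.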
