Modern CPUs from Intel, including Raptor Lake and Alder Lake, have been identified susceptible to a novel side-channel attack that might be used to leak critical information from the processors.
The attack, dubbed Indirector by security researchers Luyi Li, Hosein Yavarzadeh, and Dean Tullsen, uses vulnerabilities uncovered in Indirect Branch Predictor (IBP) and the Branch Target Buffer (BTB) to overcome current protections and undermine the security of the CPUs.
"The Indirect Branch Predictor (IBP) is a hardware component in modern CPUs that predicts the target addresses of indirect branches," the researchers said.
"Indirect branches are control flow instructions whose destination address is determined at runtime, making them hard to forecast precisely. The IBP employs a mix of global history and branch address to forecast the destination address of indirect branches."
The idea, at its core, is to identify vulnerabilities in IBP to launch precise Branch Target Injection (BTI) attacks – aka Spectre v2 (CVE-2017-5715) – which target a processor's indirect branch predictor to result in unauthorized disclosure of information to an attacker with local user access via a side-channel.
This is performed by way of a special tool called iBranch Locator that's used to find any indirect branch, followed by carrying out precision targeted IBP and BTP injections to execute speculative execution.
Yavarzadeh, one of the lead authors of the paper, told The Hacker News that "while Pathfinder targeted the Conditional Branch Predictor, which predicts whether a branch will be taken or not, this research attacks target predictors," adding "Indirector attacks are much more severe in terms of their potential scenarios."
Indirector reverse engineers IBP and BTB, Yavarzadeh said, which are responsible for predicting the target addresses of branch instructions in modern CPUs, with an aim to create extremely high-resolution branch target injection attacks that can hijack the control flow of a victim program, causing it to jump to arbitrary locations and leak secrets.
Intel, which was made aware of the discoveries in February 2024, has subsequently alerted other impacted hardware/software suppliers about the vulnerability.
"Intel reviewed the report submitted by academic researchers and determined previous mitigation guidance provided for issues such as IBRS, eIBRS, and BHI are effective against this new research and no new mitigations or guidance is required," a spokeswoman for the firm told the magazine.
As countermeasures, it's proposed to make use of the Indirect Branch Predictor Barrier (IBPB) more aggressively and strengthen the Branch Prediction Unit (BPU) architecture by integrating more complicated tags, encryption, and randomization.
The discovery comes as Arm CPUs have been proven vulnerable to a speculative execution attack of their own dubbed TIKTAG that targets the Memory Tagging Extension (MTE) to leak data with over a 95% success rate in less than four seconds.
The work "identifies new TikTag gadgets capable of leaking the MTE tags from arbitrary memory addresses through speculative execution," researchers Juhee Kim, Jinbum Park, Sihyeon Roh, Jaeyoung Chung, Youngjoo Lee, Taesoo Kim, and Byoungyoung Lee claimed.
"With TikTag gadgets, attackers can bypass the probabilistic defense of MTE, increasing the attack success rate by close to 100%."
In response to the revelation, Arm claimed "MTE can provide a limited set of deterministic first line defenses, and a broader set of probabilistic first line defenses, against specific classes of exploits."
"However, the probabilistic properties are not designed to be a full solution against an interactive adversary that is able to brute force, leak, or craft arbitrary Address Tags."
(The article was revised after publication to incorporate comments from Hosein Yavarzadeh and Intel.)
