July 3, 2024 at 10:33AM
Researchers at UCSD have developed a new method, called “Indirector,” to execute Spectre-like side channel attacks on high-end Intel CPUs. This technique exploits the speculative execution feature to redirect a program’s control flow, potentially leaking sensitive data. The attack works on various generations of Intel CPUs and poses challenges for current mitigations.
Based on the meeting notes, the researchers at the University of California San Diego (UCSD) have discovered a new technique termed “Indirector” that enables Spectre-like side channel attacks on high-end Intel CPUs, including the recent Raptor Lake and Alder Lake microprocessors. This technique leverages the speculative execution feature in Intel CPUs to manipulate the control flow of a program, leading to incorrect speculative executions and potential data leakage. The attack has been tested on various generations of Intel CPUs, and it is believed to work on flagship Intel CPUs spanning the last decade with minor modifications.
Intel has not released a microcode fix for the “Indirector” attack and has instead recommended using their previously introduced mitigation strategy, IBPB (Indirect Branch Predictor Barrier), more frequently. However, the researchers argue that this could lead to significant performance overhead and suggest that the issue should be addressed through hardware or software patches.
The primary focus of the research was on analyzing the Indirect Branch Predictor (IBP) in modern Intel processors, with the goal of unveiling the intricate details of this component and the Branch Target Buffer. This involved reverse engineering the structure of the IBP and analyzing its mechanisms for making predictions. The researchers were able to develop highly effective injection attacks targeting the branch prediction mechanism in Intel CPUs, with the potential to hijack the control flow of a victim program and leak sensitive data.
The newly developed attack targets a previously overlooked component of speculative execution, the Indirect Branch Predictor, and is described as a more efficient method compared to other state-of-the-art target injection attacks. The researchers emphasize the need for mitigating this attack vector to ensure the security of modern CPUs.
For more information, you can listen to the latest Dark Reading Confidential podcast, which features discussions with ransomware negotiators about their interactions with cybercriminals and their experiences brokering deals to restore operations in critical environments.