Latest Intel CPUs impacted by new Indirector side-channel attack

July 1, 2024 at 01:40PM

A new Branch Target Injection (BTI) attack called Indirector targets modern Intel CPUs, specifically the Raptor Lake and Alder Lake generations. It exploits flaws in the Indirect Branch Predictor and Branch Target Buffer to manipulate speculative execution, enabling data extraction. Researchers at UC San Diego discovered and presented the attack, proposing mitigations such as IBPB and BPU enhancements, which come with performance trade-offs.

Modern Intel processors, specifically those in the Raptor Lake and Alder Lake generations, are vulnerable to a new type of high-precision Branch Target Injection (BTI) attack called ‘Indirector.’ The attack exploits flaws in the Indirect Branch Predictor (IBP) and Branch Target Buffer (BTB) components of these CPUs, allowing manipulation of speculative execution and potential data extraction.

The Indirector attack was discovered and presented by researchers at the University of California, San Diego, with full details set to be presented at the upcoming USENIX Security Symposium in August 2024. The attack mainly operates through three mechanisms: iBranch Locator, IBP/BTB injections, and ASLR bypass, allowing for targeted injections and speculative code execution.

Intel was informed about the attack in February 2024 and has since informed impacted hardware and software vendors. The proposed mitigations against the Indirector attack include more aggressive use of the Indirect Branch Predictor Barrier (IBPB) and bolstering the Branch Prediction Unit (BPU) design. However, these mitigations may come with significant performance trade-offs, especially with IBPB potentially causing a 50% performance hit on Linux.
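To see how aggressively a given Linux host currently applies IBPB, the kernel's Spectre v2 status line in sysfs can be parsed. The script below is an added example, not code from the researchers or from Intel; the sample status lines are constructed in the style the kernel prints, and the function names are illustrative.

```python
import re
from pathlib import Path

# Standard Linux sysfs file reporting Spectre v2 (BTI) mitigation state.
SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/spectre_v2")

# Constructed sample lines (not captured from a real host). Newer kernels
# separate fields with ';', older ones with ','.
SAMPLES = {
    "conditional": "Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; "
                   "RSB filling; PBRSB-eIBRS: SW sequence",
    "always-on": "Mitigation: Retpolines, IBPB: always-on, IBRS_FW, "
                 "STIBP: disabled, RSB filling",
    "vulnerable": "Vulnerable",
}

def parse_status(line):
    """Split a spectre_v2 status line into {field: value-or-True}."""
    fields = {}
    for part in re.split(r"[;,]", line.strip()):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition(":")
        # "IBPB: conditional" -> key/value; "RSB filling" -> bare flag.
        fields[key.strip()] = value.strip() if sep else True
    return fields

def ibpb_mode(line):
    """Return the reported IBPB mode, or 'not reported' if absent."""
    return parse_status(line).get("IBPB", "not reported")

def assess(line):
    """Summarise whether IBPB is issued on every process switch."""
    mode = ibpb_mode(line)
    return {
        "mitigated": line.strip().startswith("Mitigation"),
        "ibpb": mode,
        # 'conditional' limits the barrier to tasks that opted in
        # (prctl/seccomp); 'always-on' is the more aggressive setting.
        "ibpb_every_switch": mode == "always-on",
    }

if __name__ == "__main__":
    if SYSFS.exists():
        line = SYSFS.read_text()
    else:
        line = SAMPLES["conditional"]  # fall back to constructed sample
    print(line.strip())
    print(assess(line))
```
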

For more information about the Indirector attack, its methodologies, potential data leak mechanisms, and suggested mitigations, a technical paper and proof-of-concept code have been published by the researchers and are available on GitHub.