“Indirector” attack revealed for Intel Alder Lake and Raptor Lake processors

UC San Diego researchers have publicly disclosed Indirector, a high-precision branch target injection attack on the indirect branch predictor. The UCSD security researchers found that Indirector affects recent Intel Alder Lake and Raptor Lake processors. Intel, however, believes that no further mitigation is necessary.

The Indirector attack can be summarized as follows:

“This paper presents novel high-precision branch target injection (BTI) attacks, exploiting the complex structures of indirect branch predictor (IBP) and branch target buffer (BTB) in high-end Intel processors (Raptor Lake and Alder Lake).

It presents, for the first time, a complete picture of the IBP and BTB within the latest Intel processors, revealing their size, structure, and the precise functions governing index and tag hashing.

Additionally, this study reveals new details about the inner workings of Intel’s hardware defenses, such as IBPB, IBRS, and STIBP, including previously unknown flaws in their coverage.

Building on insights from reverse engineering efforts, this research develops highly precise branch target injection (BTI) attacks to breach security boundaries in various scenarios, including cross-process and cross-privilege scenarios, and uses IBP and BTB to break address space layout randomization (ASLR).”

The Indirector website is indirector.cpusec.org.

The UCSD researchers suggest mitigating Indirector by using the Indirect Branch Predictor Barrier (IBPB) more aggressively and by better securing the BPU design. Increased use of IBPB would come at a significant performance cost. Intel, for its part, believes that no further mitigation is needed beyond what is already in place for Spectre-like attacks. There is also a GitHub repository with more artifacts around Indirector.
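To see how a given machine currently applies the IBPB and STIBP defenses named above, the following added example (not from the article or the researchers) parses the Linux kernel's `spectre_v2` status line. It assumes a Linux host that exposes the documented sysfs file; the sample line is constructed, and the function names are illustrative.

```python
"""Added example: report how Linux applies IBPB/STIBP, from the spectre_v2 sysfs line."""
from pathlib import Path

# Assumption: Linux host exposing the kernel's documented vulnerability status file.
SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/spectre_v2")

# Constructed sample line in the format the kernel documents for this file.
SAMPLE = "Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; STIBP: conditional; RSB filling"


def parse_spectre_v2(line: str) -> dict:
    """Split the status line into its base state, 'KEY: value' fields and bare flags."""
    parts = [p.strip() for p in line.strip().split(";") if p.strip()]
    status = {"base": parts[0] if parts else "", "fields": {}, "flags": []}
    for part in parts[1:]:
        key, sep, value = part.partition(":")
        if sep:
            status["fields"][key.strip()] = value.strip()
        else:
            status["flags"].append(part)
    return status


def ibpb_assessment(line: str) -> str:
    """Classify IBPB coverage as 'all-tasks', 'opt-in', 'unused' or 'unknown'."""
    mode = parse_spectre_v2(line)["fields"].get("IBPB")
    # Kernel docs: 'always-on' = IBPB on all tasks; 'conditional' = only on
    # seccomp or indirect-branch-restricted tasks; 'disabled' = IBPB unused.
    coverage = {"always-on": "all-tasks", "conditional": "opt-in", "disabled": "unused"}
    return coverage.get(mode, "unknown")


def read_status(path: Path = SYSFS) -> str:
    """Return the live sysfs line, or the constructed sample when it is unavailable."""
    try:
        return path.read_text()
    except OSError:
        return SAMPLE


if __name__ == "__main__":
    line = read_status()
    info = parse_spectre_v2(line)
    print("base:", info["base"])
    for key in ("IBPB", "STIBP"):
        print(f"{key}: {info['fields'].get(key, 'not reported')}")
    print("IBPB coverage:", ibpb_assessment(line))
```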

News Source : www.phoronix.com