Intel CPUs Vulnerable to Spectre-Like ‘Indirector’ Attack, Compromising Data Security


Researchers from the University of California San Diego (UCSD) have discovered a novel method to launch Spectre-like side-channel attacks on high-end Intel CPUs, including the latest Raptor Lake and Alder Lake models.

Dubbed “Indirector,” this new technique, similar to Spectre, leverages speculative execution in Intel processors to manipulate a program’s control flow, altering the order in which instructions and functions execute.

Spectre-Inspired Side-Channel Vulnerability

An attacker could exploit this method to deceive the CPU into performing incorrect speculative executions, leading to the leakage of sensitive data.

Hosein Yavarzadeh, a co-author of the research along with Luyi Li and Dean Tullsen, revealed that their “Indirector” attack was tested on Raptor Lake (13th gen), Alder Lake (12th gen), and Skylake (6th gen) Intel CPUs. He suggests that, with slight adjustments, this attack could potentially affect most flagship Intel processors released over the past decade.

According to Yavarzadeh, Intel has not yet provided a microcode update to address Indirector. Instead, Intel recommends increasing the use of their previously introduced mitigation strategy, IBPB (Indirect Branch Predictor Barrier), to counter target injection attacks. Yavarzadeh points out that relying heavily on IBPB could lead to significant performance degradation and believes that hardware or software patches would be a better approach. Introduced in 2018 to combat Spectre-like vulnerabilities, IBPB is a hardware-level solution particularly effective in high-security contexts but often criticized for imposing considerable performance costs.
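The IBPB mitigation Intel points to is applied by the operating system, and on Linux the kernel reports its Spectre v2 handling, including whether IBPB is in use, through a sysfs file. The script below is an added example, not part of the article or of the UCSD research, that parses that report so an administrator can check what a host actually has enabled. It assumes a Linux host exposing `/sys/devices/system/cpu/vulnerabilities/spectre_v2`; where that file is absent it falls back to a constructed sample line.

```shell
#!/bin/sh
# Added example (not from the article): summarize the kernel's spectre_v2
# mitigation report and whether IBPB is part of it.
# Assumption: a Linux kernel that exposes the vulnerabilities sysfs directory.

SPECTRE_V2_FILE=/sys/devices/system/cpu/vulnerabilities/spectre_v2

# Constructed sample line in the kernel's own format, used when the sysfs
# entry is not readable (non-Linux host, container without /sys, etc.).
SAMPLE='Mitigation: Retpolines; IBPB: conditional; IBRS_FW; STIBP: conditional; RSB filling'

# ibpb_mode STATUS_LINE
# Prints the IBPB mode the kernel reports: always-on, conditional, disabled,
# or absent when the line does not mention IBPB at all.
ibpb_mode() {
    case "$1" in
        *"IBPB: always-on"*)   echo always-on ;;
        *"IBPB: conditional"*) echo conditional ;;
        *"IBPB: disabled"*)    echo disabled ;;
        *)                     echo absent ;;
    esac
}

# spectre_v2_state STATUS_LINE
# Classifies the leading keyword: not-affected, mitigated, vulnerable, unknown.
spectre_v2_state() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report STATUS_LINE
# Prints a one-line summary. Returns 0 only when the kernel reports an active
# mitigation that includes IBPB (conditional or always-on); 1 otherwise.
report() {
    state=$(spectre_v2_state "$1")
    ibpb=$(ibpb_mode "$1")
    printf 'spectre_v2=%s ibpb=%s\n' "$state" "$ibpb"
    if [ "$state" = mitigated ] && { [ "$ibpb" = conditional ] || [ "$ibpb" = always-on ]; }; then
        return 0
    fi
    return 1
}

# Read the live report when available, otherwise use the constructed sample.
if [ -r "$SPECTRE_V2_FILE" ]; then
    status_line=$(cat "$SPECTRE_V2_FILE")
else
    status_line=$SAMPLE
fi

if report "$status_line"; then
    echo "kernel reports an IBPB-backed Spectre v2 mitigation"
else
    echo "no IBPB-backed Spectre v2 mitigation reported; review cpu vulnerabilities"
fi
```

The classification only reflects what the kernel prints; a host on which the kernel reports `Not affected` or a mitigation without IBPB is not thereby proven safe against Indirector, since the article notes Intel has not shipped a microcode update for it. The check is useful as inventory: it tells you which hosts rely on IBPB today, which is where the performance trade-off Yavarzadeh describes would be felt if its use were increased.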

Speculative execution, also known as out-of-order execution, is a performance enhancement technique used by CPUs like Raptor Lake and Alder Lake. In this process, the CPU anticipates or predicts the results of upcoming instructions and begins executing them ahead of time, even before confirming their necessity.

Previous speculative execution attacks, such as Spectre and Meltdown, have primarily targeted two specific components within the execution process. One is the Branch Target Buffer (BTB), which stores addresses predicted to be needed by the processor, and the other is the Return Stack Buffer (RSB), a fixed-size buffer used to predict the target addresses of return instructions.

A Previously Neglected Speculative Execution Component

The newly identified attack, however, focuses on a different, previously underexplored component of speculative execution: the Indirect Branch Predictor (IBP). As outlined by the UCSD researchers in their study, the IBP is a crucial part of the branch prediction unit responsible for forecasting the target addresses of indirect branches. Indirect branches are control flow instructions where the target address is determined at runtime, posing a challenge for accurate prediction. By probing the IBP, the researchers revealed new attack vectors that can circumvent current defenses, compromising the security of modern CPUs.

Yavarzadeh explains that their research entailed a comprehensive reverse engineering of the Indirect Branch Predictor (IBP) in modern Intel processors. This process included scrutinizing its size, structure, and prediction mechanisms.

“The primary goal of the Indirector research was to uncover the complexities of the Indirect Branch Predictor and Branch Target Buffer units, which are crucial for predicting the target addresses of branch instructions in contemporary CPUs,” he says. The team meticulously analyzed every detail of these prediction mechanisms and Intel’s mitigation strategies designed to defend against attacks on these components. From this extensive examination, they developed potent injection attacks that exploit the branch prediction mechanisms in Intel CPUs, Yavarzadeh adds.

“A potential exploit involves an attacker poisoning the Indirect Branch Predictor and/or the Branch Target Buffer to hijack the control flow of a victim program. This allows the attacker to jump to an arbitrary location and potentially leak secrets,” he says. For a successful attack, an adversary would need to run on the same CPU core as the victim, but the method is significantly more efficient than other state-of-the-art target injection attacks, he says.
