Researchers at the University of California, San Diego have uncovered a security vulnerability in modern Intel processors that could enable data theft from affected systems. The attack, called "Indirector", is a high-precision form of Branch Target Injection (BTI) that exploits weaknesses in two CPU components: the Indirect Branch Predictor (IBP) and the Branch Target Buffer (BTB). Both exist to improve performance by predicting where a program will execute next before the branch itself has been resolved.
The BTB caches the target addresses of recently executed branches and predicts whether a branch will be taken and where it will go; the IBP is dedicated to predicting the target addresses of indirect branches, that is, calls and jumps through a register or memory location. "Indirector" exploits the predictable structure of these components and the way they index and tag their entries. It uses a three-pronged approach that starts with a tool the researchers call the iBranch Locator.
This tool uses eviction-based techniques to identify the precise location (index and tag) of a victim's indirect branches within the IBP, so that the attacker can target exactly the predictor entries those branches use. Once the entries are located, the attack injects attacker-chosen target addresses into the CPU's prediction structures; the victim's indirect branch then mispredicts to that target and transiently executes attacker-selected code, whose side effects (for example in the cache) can expose sensitive data.
Finally, "Indirector" defeats Address Space Layout Randomisation (ASLR) by recovering the exact memory addresses of the targeted branches and their intended destinations from the predictor state. With that knowledge an attacker can predict and manipulate the program's control flow far more easily, potentially leading to data leaks. The attack targets Intel's 12th and 13th generation Core processors, codenamed Alder Lake and Raptor Lake respectively.
Dealing with "Indirector" requires a delicate balancing act. The researchers propose two main strategies: more aggressive use of the Indirect Branch Predictor Barrier (IBPB), which flushes indirect-branch predictor state across security boundaries, and improving the Branch Prediction Unit (BPU) design with more complex tags, encryption and randomization. However, issuing IBPB more often incurs a significant performance penalty, potentially reducing performance by as much as 50%.
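For readers who want to check where their own Linux systems stand on the IBPB side of that trade-off, the following is an added example (not code from the paper or from this article): it parses the `flags` line of `/proc/cpuinfo` and the `spectre_v2` entry under `/sys/devices/system/cpu/vulnerabilities/` to see whether IBPB and STIBP are present and whether the kernel applies IBPB, and then asks the kernel, through the documented `PR_SET_SPECULATION_CTRL` / `PR_SPEC_INDIRECT_BRANCH` prctl (Linux 4.20 and later), to force-disable indirect-branch speculation for the calling process. The sample lines in `main()` are constructed in the format of the real files rather than read from a machine.

```c
/*
 * Added example, not from the Indirector paper or the article above.
 * Checks the IBPB/STIBP controls discussed in the text on a Linux host and
 * opts the calling task into per-task indirect-branch speculation control.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Values from <linux/prctl.h>; defined here only if the headers lack them. */
#ifndef PR_SET_SPECULATION_CTRL
#define PR_SET_SPECULATION_CTRL 53
#endif
#ifndef PR_SPEC_INDIRECT_BRANCH
#define PR_SPEC_INDIRECT_BRANCH 1
#endif
#ifndef PR_SPEC_FORCE_DISABLE
#define PR_SPEC_FORCE_DISABLE 8
#endif

/* Whole-token match in a /proc/cpuinfo "flags" line: "ibpb" must not match
 * inside "ibrs_enhanced" or "ibpb_something", which a plain strstr() would. */
int cpu_flag_present(const char *flags_line, const char *flag)
{
    size_t n = strlen(flag);
    const char *p = flags_line;

    if (n == 0)
        return 0;
    while ((p = strstr(p, flag)) != NULL) {
        int at_start = (p == flags_line) || p[-1] == ' ' || p[-1] == '\t';
        int at_end = p[n] == '\0' || p[n] == ' ' || p[n] == '\t' || p[n] == '\n';
        if (at_start && at_end)
            return 1;
        p += 1;
    }
    return 0;
}

enum spec_status { SPEC_UNKNOWN, SPEC_NOT_AFFECTED, SPEC_VULNERABLE, SPEC_MITIGATED };

/* Classify the first word of /sys/devices/system/cpu/vulnerabilities/spectre_v2. */
enum spec_status classify_spectre_v2(const char *sysfs_line)
{
    if (strncmp(sysfs_line, "Not affected", 12) == 0)
        return SPEC_NOT_AFFECTED;
    if (strncmp(sysfs_line, "Vulnerable", 10) == 0)
        return SPEC_VULNERABLE;
    if (strncmp(sysfs_line, "Mitigation:", 11) == 0)
        return SPEC_MITIGATED;
    return SPEC_UNKNOWN;
}

/* 1 if the kernel reports IBPB in use ("IBPB: conditional" or "IBPB: always-on"),
 * 0 for "IBPB: disabled" or when the field is absent. */
int spectre_v2_uses_ibpb(const char *sysfs_line)
{
    const char *p = strstr(sysfs_line, "IBPB: ");
    return p != NULL && strncmp(p + 6, "disabled", 8) != 0;
}

/* Ask the kernel to force-disable indirect-branch speculation for this task.
 * In the kernel's prctl/seccomp spectre_v2_user modes this makes it issue IBPB
 * when switching to or from the task and keep STIBP on while it runs.
 * Returns 0 on success, -errno on failure (ENXIO: control not available in
 * the current mode), -ENOSYS on non-Linux builds. */
int force_ibpb_for_this_task(void)
{
#ifdef __linux__
    if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH,
              PR_SPEC_FORCE_DISABLE, 0, 0) != 0)
        return -errno;
    return 0;
#else
    return -ENOSYS;
#endif
}

int main(void)
{
    /* Constructed sample lines in the format of the real files. */
    const char *flags = "flags\t\t: fpu vme de pse ibrs ibpb stibp ibrs_enhanced";
    const char *sv2 = "Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling";
    int rc;

    printf("ibpb flag: %d, stibp flag: %d\n",
           cpu_flag_present(flags, "ibpb"), cpu_flag_present(flags, "stibp"));
    printf("spectre_v2 mitigated: %d, IBPB in use: %d\n",
           classify_spectre_v2(sv2) == SPEC_MITIGATED, spectre_v2_uses_ibpb(sv2));

    rc = force_ibpb_for_this_task();
    printf("PR_SPEC_INDIRECT_BRANCH force-disable: %s\n",
           rc == 0 ? "applied" : strerror(-rc));
    return 0;
}
```

On a real host, feed `cpu_flag_present()` the `flags` line from `/proc/cpuinfo` and the other two functions the single line from the `spectre_v2` sysfs file. The prctl call is the per-process form of the "more aggressive IBPB" the researchers describe: it only costs the barrier on switches involving the opted-in task, so it suits a few sensitive processes (key handling, sandboxed renderers) rather than a system-wide `spectre_v2_user=on`. A return of `ENXIO` means the running kernel's mitigation mode does not expose per-task control.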
The researchers, Hosein Yavarzadeh, Luyi Li and Dean Tullsen, informed Intel of the vulnerability in February 2024, and the company has notified hardware and software vendors. The researchers have published a technical paper (PDF) detailing the "Indirector" attack, its methods and potential mitigations. In addition, proof-of-concept code and tools for branch injection attacks are available on GitHub for further research and analysis by the security community.
The research team will present their full findings at the upcoming USENIX Security Symposium in August 2024. The news comes in the wake of another processor vulnerability disclosure. Arm processors were recently found to be vulnerable to a speculative execution attack called "TikTag". This attack exploits the Memory Tagging Extension (MTE) and can leak MTE tags with a high success rate, undermining the protection MTE is meant to provide.