Intel CPUs are exposed to a Spectre-like attack that leaks data

Researchers at the University of California San Diego (UCSD) have found a new way to perform Spectre-like side-channel attacks on high-end Intel CPUs, including the latest Raptor Lake and Alder Lake microprocessors.

Like Spectre, the new technique, which the researchers call “Indirector,” uses a speculative execution feature in Intel CPUs to redirect the control flow of a program, that is, the order in which it executes individual instructions and function calls.

Spectre-like side-channel attack

Using this tactic, an attacker could essentially trick the CPU into speculatively executing the wrong path and, in doing so, revealing sensitive data.

Hosein Yavarzadeh, one of the study's authors (his co-authors are Luyi Li and Dean Tullsen), says they tested their attack on Raptor Lake (13th generation), Alder Lake (12th generation), and Skylake (6th generation) CPUs. But with some minor modifications, the attack should work on at least all of Intel's other flagship CPUs from the last decade, he adds.

Intel has not yet released a microcode fix for Indirector, Yavarzadeh says. “They believe the best way to mitigate target injection attacks is to use their previously introduced mitigation strategy, called IBPB, more frequently,” he notes. “We believe this would cause a large performance loss and this should be mitigated through hardware or software patches.” IBPB, or Indirect Branch Predictor Barrier, is a hardware-level fix that Intel released in 2018 to protect against Spectre-like attacks. The company has described it as particularly effective in certain contexts where security is critical. However, many have described the feature as causing significant performance degradation when invoked.

Speculative execution, or out-of-order execution, is a performance improvement technique in which CPUs like Raptor Lake and Alder Lake essentially guess or predict the outcome of future instructions and begin executing them before they know whether they are actually needed.

Previous speculative execution attacks, such as Spectre and Meltdown, have focused primarily on poisoning two specific components of the execution process. One of these is the Branch Target Buffer (BTB), which stores the predicted target addresses that the processor is likely to need; the other is the Return Stack Buffer (RSB), a fixed-size buffer that predicts the destination address of return instructions.

An overlooked speculative execution component

The newly developed attack focuses on a previously overlooked component of speculative execution called the indirect branch predictor. “The IBP is a critical component of the branch prediction unit that predicts the target address of indirect branches,” the UCSD researchers wrote in their paper. As they explained, indirect branches are control flow instructions where the target address is calculated at runtime, making them difficult to accurately predict. “By analyzing the IBP, we uncover new attack vectors that can bypass existing defenses and compromise the security of modern CPUs.”

Yavarzadeh describes the effort as a complete reverse engineering of the IBP in modern Intel processors, followed by an analysis of its size, structure and prediction mechanisms.

“The main motivation behind the Indirector research was to uncover the intricate details of the Indirect Branch Predictor and Branch Target Buffer units responsible for predicting the target addresses of branch instructions in modern CPUs,” he says. The effort involved examining every single detail of the prediction mechanisms in the two units and Intel's defenses to protect against attacks on these two components. Based on this, the researchers were able to develop highly effective injection attacks targeting the branch prediction mechanism in Intel CPUs, Yavarzadeh says.

“One possible attack is for an attacker to manipulate the indirect branch predictor and/or the branch target buffer to hijack the control flow of a victim program. This allows the attacker to jump anywhere and potentially reveal secrets,” he says. For a successful attack, an attacker would have to operate on the same CPU core as the victim, but the method is significantly more efficient than other modern target injection attacks, he says.
