New Intel CPU Vulnerability 'Indirector' Exposes Sensitive Data
Modern Intel CPUs, including Raptor Lake and Alder Lake, are vulnerable to a new side-channel attack that can leak sensitive information. This attack, named Indirector by researchers Luyi Li, Hosein Yavarzadeh, and Dean Tullsen, exploits weaknesses in the Indirect Branch Predictor (IBP) and Branch Target Buffer (BTB) to bypass existing defenses and compromise CPU security.
"The Indirect Branch Predictor (IBP) is a hardware component in modern CPUs that predicts the target addresses of indirect branches," the researchers noted. Indirect branches are control flow instructions whose target address is determined at runtime, making accurate prediction challenging. The IBP uses global history and branch address data to predict these target addresses.
The attack exploits weaknesses in the IBP to launch precise Branch Target Injection (BTI) attacks, also known as Spectre v2 (CVE-2017-5715). These attacks target a processor's indirect branch predictor to cause unauthorized information disclosure to an attacker with local user access via a side-channel. The researchers do this with a custom tool called iBranch Locator, which locates indirect branches and performs targeted IBP and BTB injections to steer speculative execution.
Intel was informed of these findings in February 2024 and has notified other affected hardware and software vendors. As mitigations, it is recommended to use the Indirect Branch Predictor Barrier (IBPB) more aggressively and to harden the Branch Prediction Unit (BPU) design by incorporating more complex tags, encryption, and randomization.
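On Linux, the kernel reports the Spectre v2 mitigation state, including whether IBPB is in effect, through sysfs. The following parser is an added example (not code from the researchers or from Intel); it assumes the `/sys/devices/system/cpu/vulnerabilities/spectre_v2` path and the "Mitigation: ...; IBPB: ...; ..." line format used by the Linux kernel, and the sample lines below are constructed to match that format.

```python
from pathlib import Path

# Assumed sysfs path; present on Linux kernels with Spectre v2 reporting.
SPECTRE_V2_PATH = Path("/sys/devices/system/cpu/vulnerabilities/spectre_v2")


def parse_spectre_v2(status: str) -> dict:
    """Split one spectre_v2 sysfs line into its ';'-separated fields."""
    status = status.strip()
    info = {"raw": status, "state": "unknown", "mitigation": None, "fields": {}}
    if status == "Vulnerable":
        info["state"] = "vulnerable"
    elif status == "Not affected":
        info["state"] = "not-affected"
    elif status.startswith("Mitigation:"):
        info["state"] = "mitigated"
        parts = [p.strip() for p in status[len("Mitigation:"):].split(";")]
        info["mitigation"] = parts[0]
        for part in parts[1:]:
            # "IBPB: conditional" style fields become key/value; bare flags
            # such as "RSB filling" are recorded as True.
            key, sep, value = part.partition(":")
            info["fields"][key.strip()] = value.strip() if sep else True
    return info


def ibpb_verdict(status: str) -> str:
    """Summarise how aggressively IBPB is applied according to the kernel."""
    info = parse_spectre_v2(status)
    if info["state"] != "mitigated":
        return info["state"]
    ibpb = info["fields"].get("IBPB")
    if ibpb is None:
        return "ibpb-not-reported"
    return "ibpb-" + ibpb.lower()  # e.g. ibpb-always-on, ibpb-conditional


def host_verdict(path: Path = SPECTRE_V2_PATH) -> str:
    """Read the live sysfs entry; 'unavailable' when not on Linux/sysfs."""
    if not path.exists():
        return "unavailable"
    return ibpb_verdict(path.read_text())


if __name__ == "__main__":
    # Constructed sample lines modelled on the kernel's output format.
    for line in ("Mitigation: Retpolines; IBPB: conditional; RSB filling",
                 "Mitigation: Enhanced / Automatic IBRS; IBPB: always-on; RSB filling",
                 "Vulnerable"):
        print(f"{ibpb_verdict(line):<20} <- {line}")
    print("this host:", host_verdict())
```

A verdict of `ibpb-conditional` means the barrier is only issued for tasks that opt in (e.g. via prctl), which is the setting the researchers suggest tightening.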
Additionally, Arm CPUs are vulnerable to a speculative execution attack called TikTag, which targets the Memory Tagging Extension (MTE) to leak data with over a 95% success rate in less than four seconds. Researchers Juhee Kim, Jinbum Park, Sihyeon Roh, Jaeyoung Chung, Youngjoo Lee, Taesoo Kim, and Byoungyoung Lee identified new TikTag gadgets capable of leaking MTE tags from arbitrary memory addresses through speculative execution.