Intel CPUs Face Spectre-Like 'Indirector' Attack That Leaks Data
"Indirector" targets a speculative execution component in silicon that previous research has largely overlooked.
July 3, 2024
Researchers at the University of California San Diego (UCSD) have found a new way to execute Spectre-like side channel attacks against high-end Intel CPUs, including the recent Raptor Lake and Alder Lake microprocessors.
Like Spectre, the new technique, which the researchers have dubbed "Indirector," exploits a speculative execution feature in the Intel CPUs to redirect the control flow of a program — that is, the order in which it executes individual instructions and function calls.
Spectre-Like Side Channel Attack
An attacker could use the tactic to essentially trick the CPU into making incorrect speculative executions and leak sensitive data.
Hosein Yavarzadeh, one of the authors of the research (his co-authors are Luyi Li and Dean Tullsen), says they tested their attack on Raptor Lake (13th gen), Alder Lake (12th gen), and Skylake (6th gen) CPUs. But with some minor modifications, the attack should work on all other flagship Intel CPUs spanning the past decade at least, he adds.
Intel so far has not released any microcode fix for Indirector, Yavarzadeh says. "They believe that the best way to mitigate target injection attacks is to use their previously introduced mitigation strategy, called IBPB, more frequently," he notes. "We believe that this would incur a lot of performance overhead and this should be mitigated in hardware or by software patches." IBPB, or Indirect Branch Predictor Barrier, is a hardware-level fix that Intel released in 2018 to protect against Spectre-like attacks. The company has described it as being especially effective in certain contexts where security is critical. But many have described the feature as exacting a steep performance penalty when invoked.
Speculative execution, or out-of-order execution, is a performance boosting technique where CPUs like Raptor Lake and Alder Lake essentially guess or predict the outcome of future instructions and start executing them before knowing if they are actually needed.
Previous speculative execution attacks — like Spectre and Meltdown — have primarily focused on poisoning two specific components of the execution process. One of them is the Branch Target Buffer (BTB), which stores the predicted target addresses that the processor likely needs; the other is the Return Stack Buffer (RSB), a fixed-size buffer that predicts the target address of return instructions.
An Overlooked Speculative Execution Component
The newly developed attack focuses on a previously overlooked component of speculative execution called the Indirect Branch Predictor. "The IBP is a critical component of the branch prediction unit that predicts the target address of indirect branches," the UCSD researchers wrote in their paper. As they explained, indirect branches are control flow instructions where the target address is computed at runtime, making them hard to predict accurately. "By analyzing the IBP, we uncover new attack vectors that can bypass existing defenses and compromise the security of modern CPUs."
Yavarzadeh describes the effort as involving a complete reverse engineering of the structure of IBP in modern Intel processors and then analyzing the size, structure, and mechanisms for making predictions.
"The primary motivation behind the Indirector research was to unveil the intricate details of the Indirect Branch Predictor and the Branch Target Buffer units, which are responsible for predicting the target addresses of branch instructions in modern CPUs," he says. The effort involved examining every single detail of the prediction mechanisms in the two units and Intel's mitigation measures for protecting against attacks targeting these two components. From that, the researchers were able to develop highly effective injection attacks targeting the branch prediction mechanism in Intel CPUs, Yavarzadeh says.
"A potential exploit involves an attacker poisoning the Indirect Branch Predictor and/or the Branch Target Buffer to hijack the control flow of a victim program. This allows the attacker to jump to an arbitrary location and potentially leak secrets," he says. For a successful attack, an adversary would need to run on the same CPU core as the victim, but the method is significantly more efficient than other state-of-the-art target injection attacks, he says.
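To make the two technical points above concrete (what an "indirect branch" is, whose target the IBP predicts, and what the IBPB/STIBP-style per-task control that Intel points to looks like from user space), here is an added C example. It is not code from the article or from the UCSD paper; the dispatch table, handler names and sample inputs are constructed for illustration, and the kernel query assumes x86-64 Linux with the `prctl(2)` speculation-control interface (the `PR_SPEC_*` values are mirrored from `linux/prctl.h` only as fallbacks for older headers).

```c
// Added example, not from the article or the Indirector paper.
// Part 1: an indirect branch in ordinary C, beside a direct-branch form.
// Part 2: querying the kernel's per-task indirect-branch speculation control.
#include <stdio.h>
#include <stddef.h>
#include <string.h>
#ifdef __linux__
#include <sys/prctl.h>
#include <linux/prctl.h>
#endif

/* Fallback definitions mirroring linux/prctl.h for toolchains whose
 * headers predate the speculation-control interface (values are the
 * kernel's documented ones). */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#endif
#ifndef PR_SPEC_INDIRECT_BRANCH
#define PR_SPEC_INDIRECT_BRANCH 1
#endif
#ifndef PR_SPEC_NOT_AFFECTED
#define PR_SPEC_NOT_AFFECTED 0
#endif
#ifndef PR_SPEC_PRCTL
#define PR_SPEC_PRCTL (1UL << 0)
#endif
#ifndef PR_SPEC_ENABLE
#define PR_SPEC_ENABLE (1UL << 1)
#endif
#ifndef PR_SPEC_DISABLE
#define PR_SPEC_DISABLE (1UL << 2)
#endif
#ifndef PR_SPEC_FORCE_DISABLE
#define PR_SPEC_FORCE_DISABLE (1UL << 3)
#endif

typedef int (*handler_fn)(int);

/* Constructed handlers and dispatch table (hypothetical names). */
static int op_double(int x) { return 2 * x; }
static int op_square(int x) { return x * x; }
static int op_negate(int x) { return -x; }
static const handler_fn handlers[] = { op_double, op_square, op_negate };
#define NUM_HANDLERS (sizeof handlers / sizeof handlers[0])

/* Indirect branch: the call target is loaded from memory at runtime and
 * compiles to something like `call *%rax`. Because the target is not
 * known until the load resolves, the CPU consults its Indirect Branch
 * Predictor for a guessed target, which is exactly the structure the
 * article describes. */
int dispatch_indirect(size_t idx, int x) {
    if (idx >= NUM_HANDLERS) return 0;
    return handlers[idx](x);
}

/* Same behaviour using only direct branches: compare-and-jump to fixed
 * addresses, so no indirect-branch prediction is involved. An if-chain is
 * used (rather than a switch) so the compiler does not emit a jump table,
 * which would itself be an indirect jump; GCC's -fno-jump-tables has the
 * same effect for switches. The general compiler-level mitigation for
 * indirect branches is a retpoline (GCC -mindirect-branch=thunk,
 * Clang -mretpoline); this function just shows the difference in kind. */
int dispatch_direct(size_t idx, int x) {
    if (idx == 0) return op_double(x);
    if (idx == 1) return op_square(x);
    if (idx == 2) return op_negate(x);
    return 0;
}

/* Ask the kernel how indirect-branch speculation is controlled for this
 * task. Returns the raw PR_SPEC_* bitmask, or -1 when the query is not
 * available (non-Linux build or a kernel without the interface). */
long indirect_branch_spec_status(void) {
#ifdef __linux__
    return prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0);
#else
    return -1;
#endif
}

/* Render the bitmask for a log line. PR_SPEC_DISABLE/FORCE_DISABLE mean the
 * kernel applies its cross-task indirect-branch mitigation (the STIBP/IBPB
 * family the article mentions) for this task; PR_SPEC_PRCTL means a task
 * may opt in via PR_SET_SPECULATION_CTRL. */
const char *describe_spec_status(long st) {
    if (st < 0) return "unavailable";
    if (st == PR_SPEC_NOT_AFFECTED) return "not affected";
    if (st & PR_SPEC_FORCE_DISABLE) return "mitigation applied for this task (locked)";
    if (st & PR_SPEC_DISABLE) return "mitigation applied for this task";
    if (st & PR_SPEC_ENABLE) return "speculation enabled for this task";
    return "unknown";
}

int main(void) {
    long st = indirect_branch_spec_status();
    printf("indirect dispatch(1, 7) = %d, direct = %d\n",
           dispatch_indirect(1, 7), dispatch_direct(1, 7));
    printf("indirect-branch speculation control: %ld (%s)\n",
           st, describe_spec_status(st));
    return 0;
}
```

On a Linux host, `indirect_branch_spec_status()` reports whatever the kernel's `spectre_v2_user=` policy yields for the calling process; the two dispatch functions are there to be compiled with `-S` and compared, which is the quickest way to see an indirect call turn into a direct compare-and-branch sequence or, with the retpoline flags, into a thunk.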