Researchers from the University of California San Diego (UCSD) have uncovered a new method to conduct Spectre-like side-channel attacks targeting high-end Intel CPUs, such as the latest Raptor Lake and Alder Lake microprocessors. This new technique, dubbed “Indirector,” leverages a speculative execution feature in Intel CPUs to manipulate the control flow of a program, thereby influencing the order in which instructions and function calls are executed.

Similar to the infamous Spectre attack, the Indirector method allows attackers to deceive the CPU into making incorrect speculative executions, potentially leading to the disclosure of sensitive information. Hosein Yavarzadeh, one of the researchers involved in the study alongside Luyi Li and Dean Tullsen, indicated that their attack was successfully tested on Raptor Lake (13th gen), Alder Lake (12th gen), and Skylake (6th gen) CPUs. He also mentioned that with some minor adjustments, the attack could potentially target other Intel flagship CPUs spanning the last decade.

Despite the discovery of this novel attack vector, Intel has not yet released any microcode fix to address the Indirector vulnerability. Yavarzadeh expressed concerns about Intel’s suggested mitigation strategy, known as the Indirect Branch Predictor Barrier (IBPB), which was introduced by the company in 2018 to combat Spectre-like threats. While Intel has touted IBPB as an effective safeguard in critical security contexts, critics have pointed out its significant performance drawbacks when activated.

Speculative execution, a performance optimization technique employed by modern CPUs like Raptor Lake and Alder Lake, involves predicting and executing future instructions before their actual need is confirmed. Previous speculative execution attacks, such as Spectre and Meltdown, primarily focused on compromising components like the Branch Target Buffer (BTB) and the Return Stack Buffer (RSB) within the execution process.

The latest research from UCSD sheds light on the Indirect Branch Predictor (IBP), an often overlooked aspect of speculative execution responsible for forecasting the target addresses of indirect branches. By conducting a thorough reverse engineering of the IBP structure in Intel processors, the researchers were able to identify new attack vectors that bypass existing defenses and undermine CPU security. Yavarzadeh emphasized the importance of understanding the intricate details of the IBP and the Branch Target Buffer units to develop effective injection attacks that target Intel’s branch prediction mechanisms.

In a successful exploitation scenario, an attacker could manipulate the Indirect Branch Predictor or the Branch Target Buffer to take control of a victim program’s execution flow, potentially leading to data leakage. While the attacker would need to operate on the same CPU core as the victim, this method is deemed more efficient than other contemporary target injection attacks.

As the cybersecurity landscape continues to evolve, researchers are continuously uncovering novel attack vectors that exploit hardware vulnerabilities in CPUs. It remains critical for industry stakeholders to collaborate on developing robust security measures to mitigate the risks posed by speculative execution-based attacks. While Intel has yet to address the Indirector vulnerability, the findings of this research underscore the ongoing challenges in securing modern CPU architectures against sophisticated threats.

Извор линк