"Indirector" Attack Disclosed For Intel Alder Lake & Raptor Lake CPUs
UC San Diego researchers have gone public with Indirector, high-precision branch target injection attacks on the indirect branch predictor. This UCSD security researchers found Indirector impacting recent Intel Alder Lake and Raptor Lake processors. Intel believes though that no further mitigations are required.
The Indirector attack is summed up as:
The Indirector website is indirector.cpusec.org.
The UCSD researchers suggest mitigating Indirector by using IBPB (Indirect Branch Predictor Barrier) more aggressively and better securing the BPU design. Greater IBPB use would come at significant performance cost. Intel for their part believes though that no further mitigations are required over what's already in place for the Spectre-style attacks. There is also this GitHub repository with more artifacts around Indirector.
The Indirector attack is summed up as:
"This paper introduces novel high-precision Branch Target Injection (BTI) attacks, leveraging the intricate structures of the Indirect Branch Predictor (IBP) and the Branch Target Buffer (BTB) in high-end Intel CPUs (Raptor Lake and Alder Lake).
It presents, for the first time, a comprehensive picture of the IBP and the BTB within the most recent Intel processors, revealing their size, structure, and the precise functions governing index and tag hashing.
Additionally, this study reveals new details into the inner workings of Intel's hardware defenses, such as IBPB, IBRS, and STIBP, including previously unknown holes in their coverage.
Leveraging insights from reverse engineering efforts, this research develops highly precise Branch Target Injection (BTI) attacks to breach security boundaries across diverse scenarios, including cross-process and cross-privilege scenarios and uses the IBP and the BTB to break Address Space Layout Randomization (ASLR)."
The Indirector website is indirector.cpusec.org.
The UCSD researchers suggest mitigating Indirector by using IBPB (Indirect Branch Predictor Barrier) more aggressively and better securing the BPU design. Greater IBPB use would come at significant performance cost. Intel for their part believes though that no further mitigations are required over what's already in place for the Spectre-style attacks. There is also this GitHub repository with more artifacts around Indirector.
87 Comments