"Indirector" Attack Disclosed For Intel Alder Lake & Raptor Lake CPUs

Written by Michael Larabel in Linux Security on 3 July 2024 at 09:30 AM EDT.
UC San Diego researchers have gone public with Indirector, a set of high-precision branch target injection attacks on the indirect branch predictor. The UCSD security researchers found that Indirector impacts recent Intel Alder Lake and Raptor Lake processors. Intel, though, believes that no further mitigations are required.

The Indirector attack is summed up as:
"This paper introduces novel high-precision Branch Target Injection (BTI) attacks, leveraging the intricate structures of the Indirect Branch Predictor (IBP) and the Branch Target Buffer (BTB) in high-end Intel CPUs (Raptor Lake and Alder Lake).

It presents, for the first time, a comprehensive picture of the IBP and the BTB within the most recent Intel processors, revealing their size, structure, and the precise functions governing index and tag hashing.

Additionally, this study reveals new details into the inner workings of Intel's hardware defenses, such as IBPB, IBRS, and STIBP, including previously unknown holes in their coverage.

Leveraging insights from reverse engineering efforts, this research develops highly precise Branch Target Injection (BTI) attacks to breach security boundaries across diverse scenarios, including cross-process and cross-privilege scenarios and uses the IBP and the BTB to break Address Space Layout Randomization (ASLR)."

The Indirector website is indirector.cpusec.org.


The UCSD researchers suggest mitigating Indirector by using IBPB (Indirect Branch Predictor Barrier) more aggressively and by better securing the Branch Prediction Unit (BPU) design. Greater IBPB use would come at a significant performance cost. Intel, for its part, believes that no further mitigations are required beyond what is already in place for Spectre-style attacks. There is also this GitHub repository with more artifacts around Indirector.
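
For administrators who want to see how aggressively their Linux kernel currently issues IBPB, the following is an added example (not from the article or the researchers' artifacts) that parses the kernel's `spectre_v2` sysfs status line. The sysfs path is the standard Linux interface; the function names, result labels and sample lines are constructed for illustration.

```python
from pathlib import Path

# Linux kernel sysfs file reporting Spectre v2 (branch target injection) state.
SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/spectre_v2")

# Constructed sample lines in the kernel's reporting format (not from a real host).
SAMPLE_DEFAULT = ("Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; "
                  "RSB filling; PBRSB-eIBRS: SW sequence; BHI: BHI_DIS_S")
SAMPLE_STRICT = "Mitigation: Retpolines; IBPB: always-on; STIBP: forced; RSB filling"


def parse_spectre_v2(line):
    """Split the status line into its headline state plus IBPB/STIBP settings."""
    parts = [p.strip() for p in line.split(";") if p.strip()]
    fields = {"status": parts[0] if parts else "unknown",
              "ibpb": "not reported", "stibp": "not reported"}
    for part in parts[1:]:
        key, sep, value = part.partition(":")
        key = key.strip().lower()
        if sep and key in ("ibpb", "stibp"):
            fields[key] = value.strip().lower()
    return fields


def ibpb_assessment(line):
    """Label how aggressively the kernel issues IBPB (labels are hypothetical)."""
    f = parse_spectre_v2(line)
    if f["status"].lower().startswith("not affected"):
        return "not-affected"
    if f["ibpb"] == "always-on":
        return "ibpb-every-switch"   # barrier on every switch to another user process
    if f["ibpb"] == "conditional":
        return "ibpb-opt-in-only"    # only for tasks that request it (prctl/seccomp)
    return "ibpb-off-or-unreported"


if __name__ == "__main__":
    # Fall back to the constructed sample when not running on Linux/x86.
    line = SYSFS.read_text() if SYSFS.exists() else SAMPLE_DEFAULT
    print(parse_spectre_v2(line))
    print(ibpb_assessment(line))
```

On Linux, booting with the kernel parameter `spectre_v2_user=on` moves a host from the conditional mode to always-on IBPB, which is where the performance cost mentioned above applies.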