Branch History Injection attack affects Intel and ARM CPUs

Branch History Injection

Speculative execution flaws in Intel and AMD processors attracted a lot of attention several years ago. These vulnerabilities are serious and difficult to fix; to this day Intel is still cooperating with system developers such as Microsoft to regularly release mitigation patches that make the related vulnerabilities harder to exploit.

These are hardware-level vulnerabilities and cannot be completely fixed. It seems the flaw was not fixed in the hardware itself until Intel’s 11th generation CPUs, so all earlier processors can only be defended by installing microcode updates. The so-called mitigation actually disables the speculative execution technique, which results in a significant drop in CPU performance.

The speculative execution family of vulnerabilities still has more to yield. A paper from the Systems and Network Security Group at Vrije Universiteit Amsterdam reveals how the team rediscovered and exploited speculative execution vulnerabilities in Intel and ARM processors. The most serious variant in the Spectre family at that time was Spectre v2, CVE-2017-5715.

Speculative execution itself is a technique for improving CPU performance: the CPU speeds up by executing instructions that may be needed ahead of time. However, if those instructions touch confidential data and bring it into the cache, an attacker can recover the confidential data from the cache, which is why this type of attack is also called a side-channel attack.
Although Intel, Microsoft, and the Linux kernel team have jointly proposed various fixes to mitigate the branch injection vulnerability, researchers have now discovered another way to carry out Spectre-V2 attacks: Branch History Injection (BHI or Spectre-BHB).

The Branch History Injection vulnerability does not affect AMD processors. Intel and ARM recently issued security advisories after the researchers reported the vulnerability. Intel split the newly discovered vulnerabilities into CVE-2022-0001 and CVE-2022-0002, while ARM assigned a single identifier, CVE-2022-23960.

Intel rolled out a new microcode update to mitigate the vulnerability ahead of the paper’s release. Whether the current mitigation update has been merged into the Windows 10/11 March 2020 Security Update is unclear.
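A check a Linux administrator can run to see what Spectre v2 / BHI mitigation state the kernel reports, as an added example that is not part of the article and not Intel's, ARM's or the researchers' code. It assumes the kernel exposes the status in /sys/devices/system/cpu/vulnerabilities/spectre_v2 and that recent kernels append a "BHI: ..." field to that line; the sample status lines below are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: classify the kernel's reported Spectre v2 / BHI mitigation state.
# Assumption: recent kernels (with the BHI patches) print a "BHI: ..." field inside
# the spectre_v2 sysfs line; older kernels print no BHI field at all.

SPECTRE_V2_SYSFS=/sys/devices/system/cpu/vulnerabilities/spectre_v2

# classify_spectre_v2 STATUS_LINE
# Prints one of: not-affected, vulnerable, vulnerable-bhi, mitigated-bhi,
# mitigated-no-bhi-info, unknown
classify_spectre_v2() {
    line=$1
    case "$line" in
        "Not affected"*) echo not-affected ;;
        Vulnerable*)     echo vulnerable ;;
        Mitigation:*)
            # Spectre v2 itself is mitigated; now look at the BHI sub-field.
            case "$line" in
                *"BHI: Vulnerable"*) echo vulnerable-bhi ;;          # BHI mitigation off
                *"BHI: "*)           echo mitigated-bhi ;;           # BHI field present and active
                *)                   echo mitigated-no-bhi-info ;;   # kernel predates BHI reporting
            esac ;;
        *)               echo unknown ;;
    esac
}

# report_host: read the live sysfs file when present, otherwise say why not.
report_host() {
    if [ -r "$SPECTRE_V2_SYSFS" ]; then
        status=$(cat "$SPECTRE_V2_SYSFS")
        printf '%s\n  -> %s\n' "$status" "$(classify_spectre_v2 "$status")"
    else
        echo "no $SPECTRE_V2_SYSFS on this host (not Linux, or no vulnerabilities sysfs)"
    fi
}

# Constructed sample lines (not captured from a real host) covering each branch.
SAMPLE_MITIGATED='Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; PBRSB-eIBRS: SW sequence; BHI: SW loop, KVM: SW loop'
SAMPLE_OLD='Mitigation: Retpolines; IBPB: conditional; STIBP: disabled; RSB filling'
SAMPLE_VULN='Vulnerable: eIBRS with unprivileged eBPF'
SAMPLE_NA='Not affected'

for s in "$SAMPLE_MITIGATED" "$SAMPLE_OLD" "$SAMPLE_VULN" "$SAMPLE_NA"; do
    printf '%s\n  -> %s\n' "$s" "$(classify_spectre_v2 "$s")"
done
report_host
```

A result of mitigated-no-bhi-info means the kernel is too old to report BHI state at all, so the host needs a kernel (and microcode) update before the check can say anything about BHI.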