Branch History Injection attack affects Intel and ARM CPUs

These vulnerabilities are hardware-level vulnerabilities and cannot be completely fixed. It seems that the vulnerability was not fixed until Intel’s 11th generation CPU, so all previous processors can only defend by installing microcode updates. The so-called mitigation is actually disabling the speculative execution technique, which results in a significant drop in CPU performance.

The speculative execution series of vulnerabilities can still be mined. A paper from the Systems and Network Security Group at Vrije Universiteit Amsterdam reveals how the team rediscovered and exploited speculative execution vulnerabilities in Intel and ARM processors. The most serious variant of Spectre v2 in the Spectre series of vulnerabilities at that time was CVE-2017-5715.

Speculative execution itself is a technique used to improve CPU performance, speeding up by executing instructions that may be needed ahead of time. However, if the relevant instructions involve confidential data and put the data in the cache, the attacker can steal the confidential data in the cache, so this type of attack is also called a side-channel attack.
Although Intel, Microsoft, and the Linux kernel team have jointly proposed various fixes to mitigate the branch injection vulnerability. Now, however, researchers have discovered that there is another way to exploit the Spectre-V2 attacks – Branch History Injection (BHI or Spectre-BHB).

The Branch History Injection vulnerability does not affect the AMD processors. Recently, Intel and ARM have issued security advisories after the researchers submitted the vulnerability. Among them, Intel split the new vulnerabilities discovered into CVE-2022-0001 and CVE-2022-0002, while ARM only provided a vulnerability number CVE-2022-23960.