Researchers at the University of California San Diego have published a groundbreaking paper detailing a new class of security vulnerabilities in Intel’s high-end CPUs. These vulnerabilities, dubbed “Indirector” attacks, exploit weaknesses in the chip’s branch prediction mechanisms to precisely manipulate program execution flow.
Branch Target Injection (BTI) attacks, a type of side-channel attack, have been a growing concern since the discovery of Spectre and Meltdown in 2018. While previous research focused primarily on other components of the branch prediction unit, this new study delves into the previously overlooked Indirect Branch Predictor (IBP). The researchers’ findings reveal that the IBP can be exploited to launch highly precise BTI attacks, potentially compromising the security of modern computing systems.
The paper, titled “Indirector: High-Precision Branch Target Injection Attacks Exploiting the Indirect Branch Predictor,” presents a comprehensive reverse-engineering effort of the IBP in Intel’s Raptor Lake and Alder Lake CPUs. This meticulous analysis unveils the inner workings of the IBP, including its size, structure, and the precise functions governing index and tag hashing.
Using carefully crafted microbenchmarks and performance counters, the team reverse-engineered the IBP’s structure, unveiling its intricate indexing and tagging mechanisms. The IBP’s three tables—each 2-way set associative with 512 entries per way—use complex hash functions based on the Program Counter (PC) and global history. These discoveries are pivotal for launching precise BTI attacks, allowing attackers to manipulate indirect branch predictions and redirect program control flow to malicious targets.
Moreover, the researchers identified new details about Intel’s existing hardware defenses, such as IBPB, IBRS, and STIBP, exposing previously unknown weaknesses in their coverage. By leveraging these insights, they developed a powerful tool called iBranch Locator, enabling them to pinpoint and manipulate specific indirect branches within the IBP with high accuracy.
“Equipped with iBranch Locator, the attacker is able to locate any victim IBP entry and inject an arbitrary target address,” said Hosein Yavarzadeh, one of the paper’s co-authors.
The implications of these findings are far-reaching, as they could potentially impact a wide range of systems and applications that rely on Intel CPUs. The researchers responsibly disclosed their findings to Intel in February 2024, and the company is working on mitigation strategies.
To mitigate the risks posed by Indirector attacks, the researchers recommend more aggressive use of Indirect Branch Prediction Barrier (IBPB) and improvements in Branch Prediction Unit (BPU) design. While Intel has integrated new fields to prevent aliasing between different SMT cores and privilege levels, additional measures are needed for same-core and same-privilege scenarios. Future BPU designs should incorporate more complex tags to enhance security domain isolation.
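As an added illustration of what those mitigation names mean on a running system (this script is not from the article or the Indirector paper), the following POSIX shell snippet reads the two places where a Linux kernel reports its Spectre-v2/BTI posture: the `spectre_v2` entry under `/sys/devices/system/cpu/vulnerabilities/`, which carries the kernel's summary and the IBPB mode, and the `flags` line of `/proc/cpuinfo`, which lists the `ibpb`, `ibrs`, `stibp` and `ibrs_enhanced` CPU features. The sample lines embedded in the script are constructed so it runs offline; the `bti_status` function name and its key=value output format are this example's own.

```shell
#!/bin/sh
# Added example (not the article's or the paper's code): summarise the BTI
# mitigations a Linux kernel reports. Constructed sample inputs follow so the
# script runs without touching a real host.
SAMPLE_SPECTRE_V2="Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; PBRSB-eIBRS: SW sequence; BHI: SW loop, KVM: SW loop"
SAMPLE_FLAGS="flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ibrs ibpb stibp ibrs_enhanced"

# bti_status "<spectre_v2 line>" "<cpuinfo flags line>"
# Prints one key=value pair per line. Returns 0 when the kernel reports a
# mitigation (or "Not affected"), 1 when it reports "Vulnerable".
bti_status() {
    sv2="$1"
    flags="$2"

    # Kernel summary: "Not affected", "Vulnerable", or "Mitigation: ...".
    case "$sv2" in
        "Mitigation:"*) kernel=mitigated ;;
        "Not affected") kernel=not_affected ;;
        *)              kernel=vulnerable ;;
    esac

    # IBPB mode embedded in the summary ("conditional", "always-on", "disabled").
    ibpb_mode=$(printf '%s\n' "$sv2" | sed -n 's/.*IBPB: \([^;]*\).*/\1/p')
    [ -n "$ibpb_mode" ] || ibpb_mode=unknown

    # Hardware support as advertised in the cpuinfo flags line.
    for f in ibpb ibrs stibp ibrs_enhanced; do
        case " $flags " in
            *" $f "*) eval "cpu_$f=yes" ;;
            *)        eval "cpu_$f=no" ;;
        esac
    done

    printf 'kernel=%s\nibpb_mode=%s\ncpu_ibpb=%s\ncpu_ibrs=%s\ncpu_stibp=%s\ncpu_ibrs_enhanced=%s\n' \
        "$kernel" "$ibpb_mode" "$cpu_ibpb" "$cpu_ibrs" "$cpu_stibp" "$cpu_ibrs_enhanced"

    [ "$kernel" = mitigated ] || [ "$kernel" = not_affected ]
}

# Demonstration on the constructed samples. On a real host, substitute:
#   bti_status "$(cat /sys/devices/system/cpu/vulnerabilities/spectre_v2)" \
#              "$(awk '/^flags/ { print; exit }' /proc/cpuinfo)"
bti_status "$SAMPLE_SPECTRE_V2" "$SAMPLE_FLAGS" || echo "no BTI mitigation reported"
```

The `kernel=` line tells you whether any Spectre-v2 mitigation is in force at all, while `ibpb_mode=` shows how aggressively the kernel issues the barrier the article's recommendation refers to: `conditional` means IBPB fires only on context switches the kernel judges to need it, `always-on` on every switch. The `cpu_*` lines distinguish a CPU that lacks a feature from a kernel that has it available but disabled.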
For more information, the full research paper can be found here.