Branch prediction? Never heard of her.

In this video we talk about a new vulnerability disclosed in every intel CPU that takes advantage of a hardware race condition in the intel processor’s branch predictor.

Branch Privilege Injection: Compromising Spectre v2 Hardware
Mitigations by Exploiting Branch Predictor Race Conditions
https://comsec.ethz.ch/research/microarch/branch-privilege-injection/
https://comsec.ethz.ch/wp-content/files/bprc_sec25.pdf

Tietoturvatutkijat Sveitsin ETH Zürichin yliopistosta ovat löytäneet uuden, vakavan haavoittuvuuden Intelin prosessoreista. Kyseessä on täysin uusi haavoittuvuusluokka, jota kutsutaan nimellä Branch Privilege Injection. Se perustuu tapaan, jolla prosessorit ennakoivat tulevia laskentatehtäviä suorituskyvyn parantamiseksi.

Tutkijoiden mukaan haavoittuvuus mahdollistaa prosessin välisten suojausten ohittamisen ja koko keskusmuistin sisällön lukemisen pala kerrallaan. Tietojen vuotaminen tapahtuu nopeudella, joka on kaikkea muuta kuin teoreettinen: yli 5000 tavua sekunnissa, käytännössä hyökkääjä voi lukea koko muistin muutamassa minuutissa.

Haavoittuvuus koskee kaikkia Intelin prosessoreita, jotka on julkaistu vuodesta 2018 lähtien – niin henkilökohtaisissa tietokoneissa, kannettavissa kuin pilvipalvelinten suorittimissa. Tämä tekee uhasta erityisen vakavan erityisesti pilviympäristöissä, joissa useat käyttäjät jakavat saman laitteiston.

Nanosekuntien mittainen turva-aukko

Haavoittuvuus syntyy hetkellisesti, kun prosessori vaihtaa käyttäjien välillä. Juuri tässä siirtymässä ennakoivat laskennat voivat antaa hyökkääjälle mahdollisuuden päästä käsiksi toisen käyttäjän tietoihin. Kyse on nanosekunnin mittaisista ajoituksista, joita hyökkääjä voi toistaa yhä uudelleen ja lukea muistia tavu kerrallaan.

Tutkijoiden mukaan tämä ei ole yksittäinen ohjelmistovirhe, vaan osoitus syvemmistä ongelmista prosessoriarkkitehtuurissa, jotka juontavat juurensa spekulatiivisiin suorituskykytekniikoihin. Vastaavia haavoittuvuuksia ovat aiemmin olleet esimerkiksi Spectre, Meltdown ja Retbleed.

Intel on jo julkaissut mikrokoodipäivityksiä ongelman korjaamiseksi, ja käyttäjien suositellaan varmistavan, että kaikki käyttöjärjestelmä- ja BIOS-päivitykset on asennettu.

Intel, AMD and Arm each published security advisories on Patch Tuesday, including for newly disclosed CPU attacks.

https://www.securityweek.com/chipmaker-patch-tuesday-intel-amd-arm-respond-to-new-cpu-attacks/

Chip giants Intel, AMD and Arm each published Patch Tuesday security advisories to inform customers about vulnerabilities found recently in their products, including ones related to newly disclosed CPU attacks.

One of the CPU attacks was disclosed this week by researchers at Swiss university ETH Zurich. The researchers discovered a branch privilege injection issue, tracked as CVE-2024-45332, that they claim “brings back the full might of branch target injection attacks (Spectre-BTI) on Intel”.

The researchers claim that while Intel’s Spectre-BTI (aka Spectre v2) mitigations have worked for nearly six years, they have now found a way to break them due to a race condition impacting Intel CPUs.

Spectre-style attacks could allow an attacker who has access to the targeted system to obtain potentially valuable information from memory, such as encryption keys and passwords.

In its advisory, Intel said it’s releasing microcode updates to mitigate CVE-2024-45332, which it described as a sensitive information disclosure issue.

AMD has published an advisory to inform customers that — as stated by the researchers as well — the vulnerability does not impact its CPUs.

Another CPU attack was disclosed this week by researchers at Dutch university VU Amsterdam. Their analysis, dubbed Training Solo, led to the discovery of three new classes of self-training Spectre v2 attacks, which highlight the limitations of domain isolation.

Linus Torvalds, the father of Linux, is a fairly expressive person and his takes are almost always very interesting.

In a recent message on the Linux Kernel Mailing List (LKML) public inbox, Torvalds has been spotted showing his frustration about processor vulnerabilities as he said that he was “pretty damn fed up with buggy hardware and completely theoretical attacks” as he feels it is the job of the hardware vendors, the likes of Intel, AMD or Nvidia, to do better in finding theoretical attacks and vulnerabilities due to certain unaddressed and underlying hardware issues.

“Honestly, I’m pretty damn fed up with buggy hardware and completely theoretical attacks that have never actually shown themselves to be used in practice.

So I think this time we push back on the hardware people and tell them it’s *THEIR* damn problem, and if they can’t even be bothered to say yay-or-nay, we just sit tight.

Because dammit, let’s put the onus on where the blame lies, and not just take any random shit from bad hardware and say “oh, but it *might* be a problem”.

Linus”

Intel introduced LAM or Liner Address Masking with its 12th Gen Sapphire Rapids chips to improve memory safety

AMD’s Upper Address Ignore (UAI) also works in a similar fashion and was introduced with the Zen 4 architecture or Ryzen 7000 series.

However, utilizing LAM makes a CPU vulnerable to speculation attacks also called SLAM (short for side-channel attacks via LAM)

This is not the first time Linus Torvalds has complained against hardware companies over vulnerabilities. Back in 2023, the faulTPM CPU flaw on AMD Ryzen

The latest generations of Intel processors, including Xeon chips, and AMD’s older microarchitectures on Linux are vulnerable to new speculative execution attacks that bypass existing ‘Spectre’ mitigations.

The vulnerabilities impact Intel’s 12th, 13th, and 14th chip generations for consumers and the 5th and 6th generation of Xeon processors for servers, along with AMD’s Zen 1, Zen 1+, and Zen 2 processors.

The attacks undermine the Indirect Branch Predictor Barrier (IBPB) on x86 processors, a core defense mechanism against speculative execution attacks.

Researchers disclosed a new high-precision Branch Target Injection attack method named Indirector, but Intel says no new mitigations are needed.

https://www.securityweek.com/intel-says-no-new-mitigations-required-for-indirector-cpu-attack/

A team of researchers from the University of California San Diego has published a paper detailing a novel attack method targeting Intel CPUs, but the chip giant says no new mitigations are required to address it.

The new attack, named Indirector, is similar to the well-known Spectre v2 or Spectre Branch Target Injection (BTI) attack.

These methods typically allow an attacker who has access to the targeted system to obtain information, including sensitive data such as passwords or encryption keys, from memory.

The researchers described Indirector as a high-precision BTI attack that exploits the Indirect Branch Predictor (IBP) and the Branch Target Buffer (BTB) in high-end Intel CPUs such as Raptor Lake and Alder Lake.

According to the researchers, previous BTI attacks overlooked IBP, which they describe as a “critical component of the branch prediction unit that predicts the target address of indirect branches”.

https://indirector.cpusec.org/

This paper introduces novel high-precision Branch Target Injection (BTI) attacks, leveraging the intricate structures of the Indirect Branch Predictor (IBP) and the Branch Target Buffer (BTB) in high-end Intel CPUs (Raptor Lake and Alder Lake).

In 2018, chip designer Arm introduced a hardware security feature called Memory Tagging Extensions (MTE) as a defense against memory safety bugs. But it may not be as effective as first hoped.

Implemented and supported last year in Google’s Pixel 8 and Pixel 8 Pro phones and previously in Linux, MTE aims to help detect memory safety violations, as well as hardening devices against attacks that attempt to exploit memory safety flaws.

Memory safety bugs are said to be responsible for the majority of security vulnerabilities in large codebases. And for the past few years, there’s been a concerted effort in the public and private sector to reduce such flaws by promoting memory safe programming languages, software-based code hardening techniques, and hardware-specific options like SPARC ADI and Arm MTE.

MTE works by tagging blocks of physical memory with metadata. This metadata serves as a key that permits access. When a pointer references data within a tagged block of memory, the hardware checks to make sure the pointer contains a key matching that of the memory block to gain access to the data. A mismatch throws out an error.

Researchers have discovered two novel attack methods targeting high-performance Intel CPUs that could be exploited to stage a key recovery attack against the Advanced Encryption Standard (AES) algorithm.

The techniques have been collectively dubbed Pathfinder by a group of academics from the University of California San Diego, Purdue University, UNC Chapel Hill, Georgia Institute of Technology, and Google.

“Pathfinder allows attackers to read and manipulate key components of the branch predictor, enabling two main types of attacks: reconstructing program control flow history and launching high-resolution Spectre attacks,” Hosein Yavarzadeh, the lead author of the paper, said in a statement shared with The Hacker News.

“Pathfinder allows attackers to read and manipulate key components of the branch predictor, enabling two main types of attacks: reconstructing program control flow history and launching high-resolution Spectre attacks,” Hosein Yavarzadeh, the lead author of the paper, said in a statement shared with The Hacker News.