Analysis Summary

Modern Intel CPUs including Raptor Lake and Alder Lake are vulnerable to a new side-channel attack named Indirector. This attack exploits flaws in the Indirect Branch Predictor (IBP) and Branch Target Buffer (BTB) to leak sensitive information.

The IBP, a hardware component in CPUs, predicts target addresses of indirect branches which are control flow instructions with runtime-computed addresses. The attack focuses on leveraging these predictions to launch precise Branch Target Injection (BTI) attacks similar to Spectre v2 (CVE-2017-5715), to compromise CPU security.

Using a custom tool called iBranch Locator, the researchers identified indirect branches and executed targeted IBP and BTB injections for speculative execution. This method allows attackers to bypass existing defenses such as those targeting the Conditional Branch Predictor. The Indirector attack reverse engineers IBP and BTB to create high-resolution branch target injection attacks hijacking the control flow of victim programs and leaking sensitive information.

Intel informed about these findings in February 2024, reviewed the report, and concluded that existing mitigations like IBRS, eIBRS, and BHI are effective against this new attack requiring no new mitigations. As countermeasures, it's recommended to use the Indirect Branch Predictor Barrier (IBPB) more aggressively and enhance the Branch Prediction Unit (BPU) design with complex tags, encryption, and randomization.

Simultaneously, Arm CPUs face a speculative execution attack called TIKTAG targeting the Memory Tagging Extension (MTE). Researchers found that TIKTAG can leak data with a success rate of over 95% in less than four seconds. The attack bypasses MTE's probabilistic defenses, increasing the success rate nearly to 100%. Arm acknowledges that while MTE offers some deterministic and probabilistic defenses, these are not designed to be foolproof against skilled adversaries capable of brute-forcing or crafting arbitrary Address Tags.

Impact

• Exposure of Sensitive Information
• Security Bypass

Affected Vendors

Remediation

• Increase the utilization of the Indirect Branch Predictor Barrier (IBPB) to enhance protection against speculative execution attacks.
• Strengthen the design of the Branch Prediction Unit (BPU) by incorporating more sophisticated tags.
• Implement encryption mechanisms within the BPU to safeguard against unauthorized data access.
• Introduce randomization techniques in the BPU to reduce predictability and mitigate exploitation risks.
• Adhere to Intel's existing mitigation guidance, including measures for IBRS (Indirect Branch Restricted Speculation), eIBRS (Enhanced IBRS), and BHI (Branch History Injection), which are effective against these vulnerabilities.
• Deploy enhanced monitoring and security protocols to detect and respond to potential speculative execution exploits.
• Maintain up-to-date awareness of security patches and advisories from Intel and other relevant hardware and software vendors to address emerging threats promptly.