New Intel CPU Vulnerability 'Indirector' Exposes Sensitive Data

Modern CPUs from Intel, including Raptor Lake and Alder Lake, have been found vulnerable to a new side-channel attack that could be exploited to leak sensitive information from the processors.

The attack, codenamed Indirector by security researchers Luyi Li, Hosein Yavarzadeh, and Dean Tullsen, leverages shortcomings identified in Indirect Branch Predictor (IBP) and the Branch Target Buffer (BTB) to bypass existing defenses and compromise the security of the CPUs.

“The Indirect Branch Predictor (IBP) is a hardware component in modern CPUs that predicts the target addresses of indirect branches,” the researchers noted.

“Indirect branches are control flow instructions whose target address is computed at runtime, making them challenging to predict accurately. The IBP uses a combination of global history and branch address to predict the target address of indirect branches.”

The idea, at its core, is to identify vulnerabilities in IBP to launch precise Branch Target Injection (BTI) attacks – aka Spectre v2 (CVE-2017-5715) – which target a processor’s indirect branch predictor to result in unauthorized disclosure of information to an attacker with local user access via a side-channel.

This is accomplished by means of a custom tool called iBranch Locator that’s used to locate any indirect branch, followed by carrying out precision targeted IBP and BTP injections to perform speculative execution.

Yavarzadeh, one of the lead authors of the paper, told The Hacker News that “while Pathfinder targeted the Conditional Branch Predictor, which predicts whether a branch will be taken or not, this research attacks target predictors,” adding “Indirector attacks are much more severe in terms of their potential scenarios.”

Indirector reverse engineers IBP and BTB, Yavarzadeh said, which are responsible for predicting the target addresses of branch instructions in modern CPUs, with an aim to create extremely high-resolution branch target injection attacks that can hijack the control flow of a victim program, causing it to jump to arbitrary locations and leak secrets.

Intel, which was made aware of the findings in February 2024, has since informed other affected hardware/software vendors about the issue.

“Intel reviewed the report submitted by academic researchers and determined previous mitigation guidance provided for issues such as IBRS, eIBRS, and BHI are effective against this new research and no new mitigations or guidance is required,” a spokesperson for the company told the publication.

As countermeasures, it’s recommended to make use of the Indirect Branch Predictor Barrier (IBPB) more aggressively and harden the Branch Prediction Unit (BPU) design by incorporating more complex tags, encryption, and randomization.

The research comes as Arm CPUs have been found susceptible to a speculative execution attack of their own called TIKTAG that targets the Memory Tagging Extension (MTE) to leak data with over a 95% success rate in less than four seconds.

The study “identifies new TikTag gadgets capable of leaking the MTE tags from arbitrary memory addresses through speculative execution,” researchers Juhee Kim, Jinbum Park, Sihyeon Roh, Jaeyoung Chung, Youngjoo Lee, Taesoo Kim, and Byoungyoung Lee said.

“With TikTag gadgets, attackers can bypass the probabilistic defense of MTE, increasing the attack success rate by close to 100%.”

In response to the disclosure, Arm said “MTE can provide a limited set of deterministic first line defenses, and a broader set of probabilistic first line defenses, against specific classes of exploits.”

“However, the probabilistic properties are not designed to be a full solution against an interactive adversary that is able to brute force, leak, or craft arbitrary Address Tags.”

(The story was updated after publication to include comments from Hosein Yavarzadeh and Intel.)

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.