Researchers Luyi Li, Hosein Yavarzadeh, and Dean Tullsen of the University of California, San Diego have unveiled a novel high-precision Branch Target Injection (BTI) attack, dubbed “Indirector,” that exploits weaknesses in the Indirect Branch Predictor (IBP) and the Branch Target Buffer (BTB) of high-end Intel CPUs, specifically the Raptor Lake and Alder Lake generations.
The attack uses these weaknesses to circumvent current defenses and jeopardize CPU security.
Unveiling the Indirect Branch Predictor (IBP)
The Indirect Branch Predictor (IBP) is the hardware component in modern CPUs that predicts the target addresses of indirect branches: control-flow instructions, such as a jump through a register or a call through a function pointer, whose target is computed at runtime rather than encoded in the instruction.
Because the same instruction can go to different targets on different executions, indirect branches are particularly hard to predict accurately, so the IBP combines the branch address with the recent global branch history to choose a target.
By reverse engineering the IBP, the researchers have comprehensively analyzed its size, structure, and prediction mechanisms, revealing new attack vectors that can bypass existing defenses and compromise CPU security.
The researchers found that the IBP in modern Intel CPUs consists of three tables, each 2-way set associative and each indexed with a different length of global branch history.
The index that selects a set and the tag that identifies an entry within that set are both computed by hash functions over the global history and the branch instruction address.
Recovering these exact index and tag hash functions is what makes precise BTI attacks possible: an attacker who can compute them can craft a branch of their own that lands on the same set and tag as a victim’s indirect branch, overwrite the stored prediction, and redirect the victim program’s control flow to a target of the attacker’s choosing.
High-Precision Branch Target Injection Attacks
The Indirector attack relies on a custom tool called iBranch Locator, which efficiently finds the IBP entry of any victim indirect branch without prior knowledge of the victim’s branch history.
The tool splits the search into two steps: first identifying the IBP set that holds the victim’s indirect branch, then searching for an attacker branch whose tag aliases with the victim’s entry.
By narrowing the tag-aliasing search to a single set, iBranch Locator needs far fewer trials to locate a victim’s IBP entry than previous methods.
Using this tool, two types of high-precision injection attacks can be mounted:
- IBP Injection Attack: The attacker locates the victim’s entry with iBranch Locator and injects an arbitrary target address into that IBP entry, so the victim’s branch is predicted to the attacker’s target.
- BTB Injection Attack: The attacker first evicts the victim’s entry from the IBP, so that the victim’s branch falls back to the BTB for its prediction, then injects a malicious target into the BTB entry that aliases with the victim’s branch; the victim is now mispredicted from the BTB instead.
To mitigate the risks posed by Indirector attacks, the researchers recommend the following countermeasures:
- Aggressive Use of IBPB: The Indirect Branch Predictor Barrier (IBPB) flushes indirect-branch prediction state and should be used more aggressively. Linux currently issues IBPB on context switches between processes, and only conditionally in its default configuration, because a full predictor flush carries a significant performance cost.
- Secure BPU Design: Intel has added fields such as Core-ID and Privilege Level to its recent IBP design to prevent aliasing between indirect branches from different SMT threads and privilege levels. However, more complex tags should be considered for future designs to provide finer-grained isolation across security domains.
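The structure described above (three tagged, 2-way set-associative tables indexed by different history lengths), the two-step search of iBranch Locator, both injection attacks and the effect of an IBPB flush can be seen together in the following toy model. This is an added example written for this article; it is not the researchers’ tool, their reverse-engineered hash functions, or Intel’s design. The table sizes, the index/tag hashes (`hist_hash`, `ibp_index`, `ibp_tag`), the BTB layout (`btb_key`) and every address (`VICTIM_PC`, `VICTIM_HIST`, `ATTACKER_PCS`, `0x501000`) are assumptions chosen so the search terminates quickly; the real hashes are not reproduced here.

```python
"""Toy model of a three-table, tagged indirect branch predictor with a BTB fallback.
Added illustration, not the researchers' tool or Intel's design: geometry, hashes and addresses are assumed."""
from dataclasses import dataclass

HISTORY_LENGTHS = (4, 8, 16)          # global-history bits used by tables 0..2 (assumed)
NUM_SETS, WAYS, TAG_BITS = 64, 2, 8   # 2-way sets as in the real IBP; set count and tag width assumed
BTB_INDEX_BITS, BTB_TAG_BITS = 8, 6   # BTB indexed by PC[2:10], partially tagged by PC[10:16] (assumed)

def hist_hash(history: int, length: int) -> int:
    """Keep the `length` newest history bits, XOR-folded to 14 bits (assumed hash)."""
    h, out = history & ((1 << length) - 1), 0
    while h:
        out ^= h & 0x3FFF
        h >>= 14
    return out

def ibp_index(pc: int, history: int, length: int) -> int:  # selects the set (assumed hash)
    return ((pc >> 2) ^ hist_hash(history, length)) & (NUM_SETS - 1)
def ibp_tag(pc: int, history: int, length: int) -> int:    # identifies the way (assumed hash)
    return ((pc >> 8) ^ (hist_hash(history, length) >> 6)) & ((1 << TAG_BITS) - 1)
def btb_key(pc: int):                                      # (index, partial tag); no history involved
    return (pc >> 2) & ((1 << BTB_INDEX_BITS) - 1), (pc >> 10) & ((1 << BTB_TAG_BITS) - 1)

@dataclass
class Entry:
    tag: int
    target: int
    stamp: int  # last-use clock, for LRU replacement

class Predictor:
    def __init__(self) -> None:
        self.tables = [[[] for _ in range(NUM_SETS)] for _ in HISTORY_LENGTHS]
        self.btb = {}  # direct-mapped, partially tagged: index -> Entry
        self.clock = 0

    def update(self, pc: int, history: int, target: int) -> None:
        """A resolved indirect branch fills every IBP table (LRU replacement) and the BTB."""
        self.clock += 1
        for t, length in enumerate(HISTORY_LENGTHS):
            s, tag = self.tables[t][ibp_index(pc, history, length)], ibp_tag(pc, history, length)
            hit = next((e for e in s if e.tag == tag), None)
            if hit is not None:
                hit.target, hit.stamp = target, self.clock
            else:
                if len(s) >= WAYS:
                    s.remove(min(s, key=lambda e: e.stamp))
                s.append(Entry(tag, target, self.clock))
        idx, tag = btb_key(pc)
        self.btb[idx] = Entry(tag, target, self.clock)

    def predict(self, pc: int, history: int):
        """Longest-history table with a tag match wins; otherwise fall back to the BTB."""
        for t in reversed(range(len(HISTORY_LENGTHS))):
            length, tag = HISTORY_LENGTHS[t], ibp_tag(pc, history, HISTORY_LENGTHS[t])
            for e in self.tables[t][ibp_index(pc, history, length)]:
                if e.tag == tag:
                    return e.target
        idx, tag = btb_key(pc)
        e = self.btb.get(idx)
        return e.target if e is not None and e.tag == tag else None

    def ibpb(self) -> None:  # Indirect Branch Predictor Barrier: discard all predictor state
        self.__init__()

def locate(victim_pc, victim_hist, table, attacker_pcs, same_tag, count=1):
    """iBranch-Locator-style search on the toy: step 1 finds attacker (pc, history) pairs in the victim's
    set of `table`; step 2 keeps those whose tag equals the victim's (injection) or differs (eviction)."""
    length = HISTORY_LENGTHS[table]
    v_idx, v_tag = ibp_index(victim_pc, victim_hist, length), ibp_tag(victim_pc, victim_hist, length)
    found, seen = [], set()
    for pc in attacker_pcs:
        for h in range(1 << length):  # the attacker steers its own global history
            if ibp_index(pc, h, length) != v_idx:
                continue  # step 1: wrong set
            tag = ibp_tag(pc, h, length)
            if (tag == v_tag) != same_tag or tag in seen:
                continue  # step 2: tag aliasing (or a fresh distinct tag for eviction)
            seen.add(tag)
            found.append((pc, h))
            if len(found) == count:
                return found
    return found

# Constructed scenario: one victim indirect branch, two attacker-controlled code addresses.
VICTIM_PC, VICTIM_HIST, ATTACKER_PCS = 0x401000, 0x2A5C, [0x500000, 0x500100]
GOOD, EVIL, JUNK = 0x402000, 0x666000, 0x777000

def ibp_injection(flush: bool = False):  # overwrite the victim's own IBP entry via an index+tag alias
    p = Predictor()
    p.update(VICTIM_PC, VICTIM_HIST, GOOD)  # victim trains its entry
    [(pc, h)] = locate(VICTIM_PC, VICTIM_HIST, 2, ATTACKER_PCS, same_tag=True)
    p.update(pc, h, EVIL)  # attacker's branch hits that entry and rewrites its target
    if flush:
        p.ibpb()  # barrier before the victim runs again
    return p.predict(VICTIM_PC, VICTIM_HIST)  # EVIL, or None after IBPB

def btb_injection():  # push the victim out of every IBP table, then poison the BTB it falls back to
    p = Predictor()
    p.update(VICTIM_PC, VICTIM_HIST, GOOD)
    for t in range(len(HISTORY_LENGTHS)):
        for pc, h in locate(VICTIM_PC, VICTIM_HIST, t, ATTACKER_PCS, same_tag=False, count=WAYS):
            p.update(pc, h, JUNK)  # fill the victim's set; LRU drops the victim's entry
    p.update(0x501000, 0, EVIL)  # 0x501000 shares VICTIM_PC's BTB index and partial tag (assumed layout)
    return p.predict(VICTIM_PC, VICTIM_HIST)  # EVIL, now served by the BTB
```

Calling `ibp_injection()` and `btb_injection()` returns the attacker’s target in both cases; the first hits the victim’s own IBP entry, the second only after the victim has been pushed out of all three tables so the partially tagged BTB answers instead, and `ibp_injection(flush=True)` returns no prediction at all because the barrier discarded everything. What the model makes visible is that entries are keyed on a hash of address and history, not on which process trained them, which is why the Core-ID and privilege-level fields discussed above matter and why finer-grained tags would help.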
Intel was informed of these findings in February 2024 and has since communicated the issues to other affected hardware and software vendors. The full details of the Indirector attack will be presented at the upcoming USENIX Security Symposium in August 2024.