Three researchers from the Swiss Federal Institute of Technology in Zurich have discovered a vulnerability in all modern Intel processors. Experts say it's a so-called "Branch Privilege Injection" flaw, a new variant of the infamous Spectre attacks. All Intel processors from the 9th generation onwards are affected.
Sensitive data at the mercy of hackers
The flaw allows sensitive data to be read from the memory regions reserved for highly privileged code, such as the operating system kernel. Such data includes passwords, encryption keys, and other kernel data.
To reach the most sensitive regions of memory, an attacker exploiting the flaw must deceive two components that exist to speed up program execution: the Indirect Branch Predictor (IBP) and the Branch Target Buffer (BTB), which plays a key role in optimizing the chip's performance. Both handle branches, the instructions that send the processor to different parts of the code depending on certain conditions. To improve performance, these components guess which way a branch will go, which lets the processor prefetch the instructions it expects to need and saves time.
It is these branch prediction mechanisms that fail. The Swiss researchers observed that updates to the branch predictor are not synchronized with the actual execution of instructions: the processor can update its predictions while executing instructions that the program's access rights should not permit. In other words, the chip may keep speculating on upcoming instructions even when doing so gives access to sensitive data that the originating program has no permission to read. For a very brief moment, the processor misjudges the privilege level granted to the program.
Barriers Bypassed
The strategy the researchers employed consists of forcing the processor to make a prediction for an instruction while the attacker asks the system to switch to kernel mode. Before it verifies that the request is authorized, the processor executes it and reads highly sensitive data located in the kernel. That information is loaded into the chip's cache, from which the attacker can then retrieve it.
According to the researchers, their method of exploiting the flaw bypasses the mitigations introduced against Spectre v2, the second variant of the Spectre vulnerability, which was discovered in 2018. After that discovery, Intel implemented a series of mitigations in its processors, but these barriers are ineffective against the newly identified flaw. Intel's "hardware mitigation measures against these types of attacks have held up for nearly 6 years," the researchers note. The ETH Zurich team has demonstrated that its technique effectively allowed it to get hold of sensitive data.
Intel Patches Vulnerability
The researchers notified Intel last September. The manufacturer has deployed a series of updates to correct the issue on all affected processors; these mitigations have an impact on the processors' performance. In a response to Bleeping Computer, Intel explains that it has strengthened "its hardware-based protections against Spectre v2 and recommends that customers contact their system manufacturer to perform the necessary updates." Intel adds that it "is not aware of any actual exploitation of speculative execution vulnerabilities" to date.
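As an added, defender-side example that is not from the article or from the ETH Zurich researchers: a POSIX shell script that reads what the Linux kernel itself reports about Spectre v2 mitigation and the running CPU microcode revision, so an administrator can confirm that the vendor updates mentioned above have actually reached a machine. It assumes the Linux sysfs file /sys/devices/system/cpu/vulnerabilities/spectre_v2 and the "microcode" field of /proc/cpuinfo; the sample inputs inside the block are constructed, and the script deliberately does not map processor generations to model numbers or claim to detect the specific Branch Privilege Injection fix.

```shell
#!/bin/sh
# Added example, not from the article: summarise what the Linux kernel reports
# about Spectre v2 mitigation and the microcode revision it is running.
# Assumptions: the sysfs file .../vulnerabilities/spectre_v2 and the
# "microcode" field of /proc/cpuinfo exist (Linux). No processor-generation
# or fix-specific check is attempted; the script only reads what the OS says.

VULN_FILE="${VULN_FILE:-/sys/devices/system/cpu/vulnerabilities/spectre_v2}"
CPUINFO_FILE="${CPUINFO_FILE:-/proc/cpuinfo}"

# Classify one spectre_v2 status line in the kernel's own wording.
# Prints: not_affected | vulnerable | mitigated | unknown
classify_spectre_v2() {
    case "$1" in
        "Not affected"*) echo "not_affected" ;;
        Vulnerable*)     echo "vulnerable" ;;
        Mitigation:*)    echo "mitigated" ;;
        *)               echo "unknown" ;;
    esac
}

# Extract the first "microcode" value from /proc/cpuinfo-style text.
# Prints the revision (e.g. 0xf8) or "unknown" if the field is absent.
microcode_revision() {
    rev=$(printf '%s\n' "$1" | awk -F': *' '/^microcode/ { print $2; exit }')
    if [ -n "$rev" ]; then
        echo "$rev"
    else
        echo "unknown"
    fi
}

# One-line summary from a status line plus cpuinfo text. "mitigated" means the
# kernel has configured a mitigation for the flaws it knows about; it does not
# by itself prove that the microcode carries a fix for a newly disclosed
# variant, which is why the revision is reported next to it for comparison
# against the vendor's advisory.
summarize() {
    status_line=$1
    cpuinfo_text=$2
    echo "spectre_v2=$(classify_spectre_v2 "$status_line") microcode=$(microcode_revision "$cpuinfo_text")"
}

# Constructed sample inputs (not captured from a real machine) so the script
# runs offline; the layout follows the kernel's sysfs and procfs formats.
SAMPLE_STATUS="Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling"
SAMPLE_CPUINFO="processor : 0
vendor_id : GenuineIntel
model name : (constructed sample)
microcode : 0xf8
"

echo "sample: $(summarize "$SAMPLE_STATUS" "$SAMPLE_CPUINFO")"

# Live check, only when this really is a Linux host exposing both interfaces.
if [ -r "$VULN_FILE" ] && [ -r "$CPUINFO_FILE" ]; then
    echo "host:   $(summarize "$(cat "$VULN_FILE")" "$(cat "$CPUINFO_FILE")")"
fi
```

Run it on each host after applying the manufacturer's update and compare the reported microcode revision with the one named in the vendor's advisory; a "mitigated" status alone only tells you the kernel has a Spectre v2 mitigation configured, not that the hardware-side fix for this new variant is present.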
Source: ETH Zurich