A multi-university and industry research team led by computer scientists at the University of California San Diego has discovered two novel types of attacks that target the conditional branch predictor found in high-end Intel processors. These attacks could be exploited to compromise billions of processors currently in use, potentially exposing confidential data.
The researchers’ work, to be presented at the 2024 ACM ASPLOS Conference, reveals a unique attack that is the first to target a feature in the branch predictor called the Path History Register (PHR). The PHR tracks both branch order and branch addresses, exposing more information with more precision than prior attacks.
“We successfully captured sequences of tens of thousands of branches in precise order, utilizing this method to leak secret images during processing by the widely used image library, libjpeg,” said Hosein Yavarzadeh, a UC San Diego Computer Science and Engineering Department PhD student and lead author of the paper.
Precise Spectre-Style Poisoning Attack
The researchers also introduce an exceptionally precise Spectre-style poisoning attack, enabling attackers to induce intricate patterns of branch mispredictions within victim code. This manipulation can lead the victim to execute unintended code paths, inadvertently exposing its confidential data.
“While prior attacks could misdirect a single branch or the first instance of a branch executed multiple times, we now have such precise control that we could misdirect the 732nd instance of a branch taken thousands of times,” said UC San Diego computer science Professor Dean Tullsen.
The team presents a proof-of-concept where they force an encryption algorithm to transiently exit earlier, resulting in the exposure of reduced-round ciphertext. Through this demonstration, they illustrate the ability to extract the secret AES encryption key.
“Pathfinder can reveal the outcome of almost any branch in almost any victim program, making it the most precise and powerful microarchitectural control-flow extraction attack that we have seen so far,” said Kazem Taram, an assistant professor of computer science at Purdue University and a UC San Diego computer science PhD graduate.
Intel and AMD have been informed of the security findings and plan to address the concerns raised in the paper through a Security Announcement and a Security Bulletin, respectively. The findings have also been shared with the Vulnerability Information and Coordination Environment (VINCE).
The research was partially supported by various organizations, including the Air Force Office of Scientific Research, the Defense Advanced Research Projects Agency, the National Science Foundation, the Alfred P. Sloan Research Fellowship, and gifts from Intel, Qualcomm, and Cisco.
Keyword/phrase: High-precision attacks on Intel and AMD processors
