Pierluigi Paganini March 27, 2018

BranchScope is a new side-channel attack technique that like Meltdown and Spectre attacks can be exploited by an attacker to obtain sensitive information from vulnerable processors.

A group of researchers from the College of William & Mary, University of California Riverside, Carnegie Mellon University in Qatar, and Binghamton University has discovered a new side-channel attack dubbed BranchScope that could be used against Intel chips.

Like Meltdown and Spectre attacks, the BranchScope technique can be exploited by an attacker to obtain sensitive information from vulnerable processors.

“We present BranchScope — a new side-channel attack where the attacker infers the direction of an arbitrary conditional branch instruction in a victim program by manipulating the shared directional branch predictor” reads the paper published by the experts.

The experts reported that the attacker needs to have access to the targeted system and it must be in the position of executing arbitrary code.

The experts confirmed that the recently issued patches for both the Spectre and Meltdown attacks are not able to mitigate the BranchScope attack.

Intel experts speculate that mitigations for the Spectre attack Variant 1 could be effective against BranchScope attacks.

The experts successfully tested the side-channel attacks against three types of Intel i5 and i7 CPUs based on Skylake, Haswell and Sandy Bridge microarchitectures.

The bad news for Intel is that the technique is effective also if the targeted application is running inside of an Intel SGX enclave, a specific hardware-based mechanism for the code isolation.

BranchScope technique is similar to the Spectre one, both targets the prediction mechanism implemented by processors to improve the performance of the chips.

The Branch prediction units (BPUs) are used to improve the performance of processors by guessing the execution path of branch instructions. According to the researchers, when two processes are executed on the same physical CPU core, they share a BPU, potentially allowing a malicious process to manipulate execution path of branch instructions.

On modern chips, the BPU is composed of two structures, the branch target buffer (BTB) and the directional predictor. An attacker that is able to manipulate them could potentially access sensitive data from the memory of the chip.

In the BranchScope technique, the attacker manipulates the branch predictors.

“BranchScope is the first fine-grained attack on the directional branch predictor, expanding our understanding of the side channel vulnerability of the branch prediction unit.” continues the experts.

“Our attack targets complex hybrid branch predictors with unknown organization. We demonstrate how an attacker can force these predictors to switch to a simple 1-level mode to simplify the direction recovery”

The experts suggested both software and hardware-based countermeasures.

Pierluigi Paganini

(Security Affairs – BranchScope, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]