Hacking

BranchScope is a new side-channel attack method against Intel chip

 

BranchScope is a new side-channel attack technique that like Meltdown and Spectre attacks can be exploited by an attacker to obtain sensitive information from vulnerable processors.

A group of researchers from the College of William & Mary, University of California Riverside, Carnegie Mellon University in Qatar, and Binghamton University has discovered a new side-channel attack dubbed BranchScope that could be used against Intel chips.

Like Meltdown and Spectre attacks, the BranchScope technique can be exploited by an attacker to obtain sensitive information from vulnerable processors.

“We present BranchScope — a new side-channel attack where the attacker infers the direction of an arbitrary conditional branch instruction in a victim program by manipulating the shared directional branch predictor” reads the paper published by the experts.

The experts reported that the attacker needs to have access to the targeted system and it must be in the position of executing arbitrary code.

The experts confirmed that the recently issued patches for both the Spectre and Meltdown attacks are not able to mitigate the BranchScope attack.

Intel experts speculate that mitigations for the Spectre attack Variant 1 could be effective against BranchScope attacks.

The experts successfully tested the side-channel attacks against three types of Intel i5 and i7 CPUs based on Skylake, Haswell and Sandy Bridge microarchitectures.

The bad news for Intel is that the technique is effective also if the targeted application is running inside of an Intel SGX enclave, a specific hardware-based mechanism for the code isolation.

BranchScope technique is similar to the Spectre one, both targets the prediction mechanism implemented by processors to improve the performance of the chips.

The Branch prediction units (BPUs) are used to improve the performance of processors by guessing the execution path of branch instructions. According to the researchers, when two processes are executed on the same physical CPU core, they share a BPU, potentially allowing a malicious process to manipulate execution path of branch instructions.

On modern chips, the BPU is composed of two structures, the branch target buffer (BTB) and the directional predictor. An attacker that is able to manipulate them could potentially access sensitive data from the memory of the chip.

In the BranchScope technique, the attacker manipulates the branch predictors.

“BranchScope is the first fine-grained attack on the directional branch predictor, expanding our understanding of the side channel vulnerability of the branch prediction unit.” continues the experts.

“Our attack targets complex hybrid branch predictors with unknown organization. We demonstrate how an attacker can force these predictors to switch to a simple 1-level mode to simplify the direction recovery”

The experts suggested both software and hardware-based countermeasures.

 

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – BranchScope, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

49 mins ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

12 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

17 hours ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

22 hours ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

1 day ago

Finnish police linked APT31 to the 2021 parliament attack

The Finnish Police attributed the attack against the parliament that occurred in March 2021 to…

1 day ago

This website uses cookies.