Computer scientists uncover groundbreaking cybersecurity threats

A team of researchers has unearthed two innovative cyber threats targeting the conditional branch predictor within advanced Intel processors, posing potential risks to billions of currently deployed processors.
Led by computer scientists from the University of California San Diego, a collaborative effort involving multiple universities and industry partners will unveil their discoveries at the upcoming 2024 ACM ASPLOS Conference. Their paper, titled “Pathfinder: High-Resolution Control-Flow Attacks Exploiting the Conditional Branch Predictor,” showcases insights from scientists at UC San Diego, Purdue University, Georgia Tech, the University of North Carolina Chapel Hill, and Google.
Their investigation unveils a novel attack focusing on a feature within the branch predictor known as the Path History Register (PHR), which tracks both branch order and addresses. This breakthrough provides more precise information compared to previous attacks, shedding light on the exact structure of the branch predictor.
Intel and Advanced Micro Devices (AMD) have responded to the researchers’ concerns, with Intel scheduled to issue a Security Announcement and AMD to release a Security Bulletin today.
In software, branching occurs frequently as programs navigate various paths based on data values, with the branch predictor optimizing performance by anticipating future outcomes based on past histories. Previous attacks targeted prediction tables, analyzing entries to discern branch tendencies.
In this new study, researchers exploit the PHR, which records the addresses and order of the last 194 taken branches in recent Intel architectures. Using innovative techniques, they demonstrate the capability to capture precise branch outcomes and uncover global ordering of all branches, even beyond the typical 194-branch limit.
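From a defender's side, the practical lesson of a branch-history channel like the one described above is that the *sequence of taken branches* must not depend on secret data. The following C program is an added example written for this article, not code from the Pathfinder paper or its authors: it puts a secret-dependent early-exit comparison next to a branchless comparison and counts how many loop-back branches each one takes. The byte arrays are constructed sample inputs and the function names are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Compare n bytes, returning 1 if equal. Exits on the first mismatch, so the
 * number of taken loop-back branches (reported through *taken when non-NULL)
 * equals the length of the matching prefix of `secret`. That branch sequence
 * is exactly the kind of information a branch-history observer would learn. */
int compare_early_exit(const uint8_t *secret, const uint8_t *guess,
                       size_t n, size_t *taken) {
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        if (secret[i] != guess[i]) {
            if (taken) *taken = count;
            return 0;
        }
        count++;
    }
    if (taken) *taken = count;
    return 1;
}

/* Branchless comparison: the loop always runs n iterations and the result is
 * folded through arithmetic, so the taken-branch sequence is independent of
 * the data. (diff - 1) >> 8 has its low bit set only when diff == 0. */
int compare_constant_flow(const uint8_t *secret, const uint8_t *guess,
                          size_t n, size_t *taken) {
    uint8_t diff = 0;
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        diff |= (uint8_t)(secret[i] ^ guess[i]);
        count++;
    }
    if (taken) *taken = count;
    return (int)((((unsigned)diff - 1u) >> 8) & 1u);
}

/* Convenience wrappers that expose only the branch count. */
size_t branches_taken_early_exit(const uint8_t *s, const uint8_t *g, size_t n) {
    size_t t = 0;
    compare_early_exit(s, g, n, &t);
    return t;
}

size_t branches_taken_constant_flow(const uint8_t *s, const uint8_t *g, size_t n) {
    size_t t = 0;
    compare_constant_flow(s, g, n, &t);
    return t;
}

int main(void) {
    /* Constructed sample inputs, not values from the paper. */
    static const uint8_t secret[8]  = {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88};
    static const uint8_t guess_a[8] = {0x11, 0x22, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
    static const uint8_t guess_b[8] = {0x11, 0x22, 0x33, 0x44, 0x55, 0x00, 0x00, 0x00};

    printf("early-exit:    guess_a -> %zu taken, guess_b -> %zu taken\n",
           branches_taken_early_exit(secret, guess_a, 8),
           branches_taken_early_exit(secret, guess_b, 8));
    printf("constant-flow: guess_a -> %zu taken, guess_b -> %zu taken\n",
           branches_taken_constant_flow(secret, guess_a, 8),
           branches_taken_constant_flow(secret, guess_b, 8));
    return 0;
}
```

Run as written, the early-exit version reports 2 and 5 taken loop branches for the two guesses (the length of the matching prefix), while the branchless version reports 8 for both. One caveat a practitioner should keep in mind: a compiler is free to turn the arithmetic mask back into a conditional branch, so code meant to have data-independent control flow has to be checked at the generated-assembly level, not only at the source level.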
“This method allows us to capture sequences of tens of thousands of branches in precise order, enabling the leakage of secret images processed by widely used libraries,” explained Hosein Yavarzadeh, lead author and UC San Diego Ph.D. student.
Furthermore, the researchers introduce a highly precise Spectre-style poisoning attack, enabling attackers to manipulate branch predictions within victim code and expose confidential data.
“The level of control we have now enables us to manipulate instances of taken branches with unprecedented precision,” said UC San Diego computer science Professor Dean Tullsen.
Their proof-of-concept showcases the ability to extract secret AES encryption keys by forcing encryption algorithms to exit prematurely.
“Pathfinder represents the most precise and powerful microarchitectural control-flow extraction attack seen so far,” noted Kazem Taram, assistant professor of computer science at Purdue University and UC San Diego computer science Ph.D. graduate.
Intel and AMD have been notified of these security findings, with plans to address them through security announcements and bulletins. The vulnerabilities have also been shared with relevant security organizations.