Researchers have identified two new types of attacks that target the conditional branch predictor in high-end Intel processors, which could potentially compromise billions of processors currently in use. A multi-university and industry research team led by computer scientists at the University of California San Diego will present their findings at the 2024 ACM ASPLOS Conference. The paper, titled “Pathfinder: High-Resolution Control-Flow Attacks Exploiting the Conditional Branch Predictor,” is a collaboration with researchers from Purdue University, Georgia Tech, the University of North Carolina Chapel Hill, and Google.
The discovery of a unique attack that exploits the feature in the branch predictor known as the Path History Register, which tracks both branch order and branch addresses, provides more precise information compared to previous attacks. This increased precision allows for a more in-depth understanding of the structure of the branch predictor and potential vulnerabilities. Intel and AMD have responded to the concerns raised by the researchers, with Intel set to issue a Security Announcement and AMD planning to release a Security Bulletin addressing the security issues identified in the research.
Branch prediction is a crucial optimization technique used in modern processors, allowing programs to anticipate future branch outcomes based on past histories stored within prediction tables. Previous attacks have focused on analyzing entries in these tables to understand recent branch tendencies at specific addresses. In their new study, researchers leverage the Path History Register in modern predictors to index prediction tables, allowing for the recovery of detailed branch ordering information that was previously inaccessible.
The researchers also introduce a precise Spectre-style poisoning attack that enables attackers to induce complex patterns of branch mispredictions in victim code, exposing confidential data unintentionally. This level of control enables attackers to misdirect specific instances of branches in victim programs, potentially leading to the exposure of sensitive information. Through a proof-of-concept demonstration, the researchers show how an encryption algorithm can be forced to exit early, resulting in the extraction of the secret AES encryption key.
The research team includes computer science professors and PhD students from UC San Diego, as well as collaborators from Purdue University, Google, Georgia Tech, and the University of North Carolina Chapel Hill. The work was supported by various organizations, including the Air Force Office of Scientific Research, the Defense Advanced Research Projects Agency, the National Science Foundation, the Alfred P. Sloan Research Fellowship, and gifts from industry partners such as Intel, Qualcomm, and Cisco. The team’s findings highlight the importance of addressing vulnerabilities in high-end Intel processors to enhance overall security in computing systems.
