A new paper, “Pathfinder: High-Resolution Control-Flow Attacks Exploiting the Conditional Branch Predictor,” details two new attacks that could compromise billions of Intel processors in use. Credit: Hossein Yavarzadeh
Researchers have discovered two new types of attack that target the conditional branch predictor found in high-end Intel processors. If exploited, they could compromise billions of processors in use today.
A multi-university and industry research team led by UC San Diego computer scientists will present its findings at the 2024 ACM ASPLOS conference, which begins tomorrow. The paper, “Pathfinder: High-Resolution Control-Flow Attacks Exploiting the Conditional Branch Predictor,” draws on research by scientists at the University of California San Diego, Purdue University, Georgia Institute of Technology, the University of North Carolina at Chapel Hill, and Google.
They discovered a unique attack that, for the first time, targets a feature of branch predictors called the path history register, which tracks both the order and the addresses of recent branches. As a result, more information is exposed, and with more precision, than by previous attacks, which lacked insight into the exact structure of the branch predictor.
As a result of the research, Intel and Advanced Micro Devices (AMD) were able to address the concerns raised by the researchers and advise users on the security issues. Intel and AMD are each issuing a security bulletin today.
Branches occur frequently in software, as programs take different paths depending on the data they process. The direction each branch goes, “taken” or “not taken,” therefore reveals a great deal about the data the program is working on. Because branches have a large impact on the performance of modern processors, an important optimization known as a branch predictor is employed: it predicts the outcome of upcoming branches from past history stored in prediction tables. Previous attacks exploited this mechanism by probing entries in those tables to learn the recent outcomes of branches at specific addresses.
In this new work, the researchers exploit the fact that modern predictors index their prediction tables with a path history register (PHR). On modern Intel architectures the PHR records the addresses and exact order of the last 194 taken branches. Using a new technique for capturing the PHR, the researchers show that not only the most recent outcomes but the outcomes of all branches can be recovered in sequential order; that is, they reveal the global ordering of all branches. And although the PHR itself holds only the most recent 194 branches, the researchers present techniques for recovering a significantly longer history.
“We successfully leveraged this method to capture a sequence of tens of thousands of branches in precise order to leak secret images during processing by the widely used image library libjpeg,” said Hossein Yavarzadeh, a Ph.D. student in the Department of Computer Science and Engineering at UC San Diego and first author of the paper.
The researchers also introduce highly precise Spectre-style poisoning attacks that allow an attacker to induce complex patterns of branch mispredictions in a victim's code. “This operation allows the victim to execute unintended code paths and inadvertently expose sensitive data,” said Dean Tullsen, a professor of computer science at UC San Diego.
“Previous attacks could misdirect a single branch, or the first instance of a branch that is executed multiple times, but now we have such precise control that we could misdirect, say, the 732nd instance of a branch that is executed thousands of times,” Tullsen said.
The team presents a proof of concept that forces an encryption algorithm to exit early, exposing ciphertext computed with a reduced number of rounds, and uses that reduced-round output to extract the secret AES encryption key.
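As an added illustration of why a reduced-round ciphertext is fatal (this is not code from the Pathfinder paper or its authors, and it does not model how the branch predictor is manipulated), the Python below assumes a victim whose AES-128 round loop exits after exactly one full round (SubBytes, ShiftRows, MixColumns, AddRoundKey with round key 1) and an attacker who can submit chosen plaintexts and observe that one-round output. Round key 1 cancels when two one-round outputs are XORed, so after undoing MixColumns and ShiftRows each byte of the difference depends on a single key byte through the S-box alone, and a few plaintext pairs pin every byte down. The exit point, the oracle, and the S-box construction are all assumptions of the example; the test vector used to check the round function is from FIPS-197 Appendix B.

```python
import os

# State is 16 bytes in AES column-major order: byte index = row + 4 * column.


def _xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    return ((a << 1) ^ (0x1B if a & 0x80 else 0)) & 0xFF


def _gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = _xtime(a)
        b >>= 1
    return r


def _build_sbox():
    """Generate the AES S-box (GF(2^8) inverse followed by the affine map).

    p walks the whole multiplicative group by repeated *3 while q tracks 1/p
    by repeated /3, so no inversion routine is needed."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF
        q ^= q << 1
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q
        for s in (1, 2, 3, 4):          # affine map: q ^ rotl(q,1) ^ ... ^ rotl(q,4)
            x ^= ((q << s) | (q >> (8 - s))) & 0xFF
        sbox[p] = x ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63                      # zero has no inverse; map it to the constant
    return sbox


SBOX = _build_sbox()
_MC = (2, 3, 1, 1)                      # first row of the MixColumns matrix
_INV_MC = (14, 11, 13, 9)               # first row of the inverse MixColumns matrix


def _shift_rows(s, inverse=False):
    out = [0] * 16
    for r in range(4):
        for c in range(4):
            src = (c - r) % 4 if inverse else (c + r) % 4
            out[r + 4 * c] = s[r + 4 * src]
    return out


def _mix_columns(s, row):
    """Apply the circulant MixColumns matrix whose first row is `row`."""
    out = [0] * 16
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for r in range(4):
            out[r + 4 * c] = (_gf_mul(row[0], col[r]) ^ _gf_mul(row[1], col[(r + 1) % 4])
                              ^ _gf_mul(row[2], col[(r + 2) % 4]) ^ _gf_mul(row[3], col[(r + 3) % 4]))
    return out


def one_round_aes(plaintext, key, round_key1):
    """Assumed victim: AES-128 whose round loop was forced to exit after round 1."""
    s = [p ^ k for p, k in zip(plaintext, key)]          # AddRoundKey with K0 = the key
    s = [SBOX[b] for b in s]                              # SubBytes
    s = _shift_rows(s)                                    # ShiftRows
    s = _mix_columns(s, _MC)                              # MixColumns
    return bytes(a ^ b for a, b in zip(s, round_key1))    # AddRoundKey with K1


def recover_key(oracle, max_pairs=32, rand=os.urandom):
    """Recover the AES-128 key from oracle(plaintext) -> one-round ciphertext.

    C1 ^ C2 = MixColumns(ShiftRows(S(P1^K) ^ S(P2^K))), so round key 1 drops out;
    undoing MixColumns and ShiftRows leaves S(P1[i]^k) ^ S(P2[i]^k) per byte."""
    candidates = [set(range(256)) for _ in range(16)]
    base_p = rand(16)
    base_c = oracle(base_p)
    for _ in range(max_pairs):
        p = rand(16)
        d = [a ^ b for a, b in zip(base_c, oracle(p))]
        d = _shift_rows(_mix_columns(d, _INV_MC), inverse=True)
        for i in range(16):
            candidates[i] &= {k for k in range(256)
                              if SBOX[base_p[i] ^ k] ^ SBOX[p[i] ^ k] == d[i]}
        if all(len(c) == 1 for c in candidates):
            return bytes(next(iter(c)) for c in candidates)
    raise RuntimeError("key bytes still ambiguous; increase max_pairs")


if __name__ == "__main__":
    secret = os.urandom(16)
    rk1 = os.urandom(16)   # stands in for the real round key 1; the attack never needs it
    recovered = recover_key(lambda p: one_round_aes(p, secret, rk1))
    print("recovered key matches:", recovered == secret)
```

If the loop were cut even earlier, after only the initial AddRoundKey, the situation is simpler still: the output XOR the plaintext is the key. Exactly which stage the victim exits at depends on how the implementation structures its loop, so the attacker has to determine that first; the key-recovery step then follows from standard reduced-round cryptanalysis as above.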
“Pathfinder can reveal the results of almost any branch of almost any victim program, making it the most accurate and powerful microarchitectural control-flow extraction attack we've seen to date,” said Kazem Taram, an assistant professor of computer science at Purdue University and a computer science graduate of UC San Diego.
In addition to Dean Tullsen and Hossein Yavarzadeh, co-authors from UC San Diego are Archit Agarwal and Deian Stefan. The other co-authors are Christina Garman and Kazem Taram of Purdue University; Daniel Moghimi of Google; Daniel Genkin of Georgia Tech; and Max Christman and Andrew Kwong of the University of North Carolina at Chapel Hill.
The researchers communicated the security findings outlined in the paper to both Intel and AMD in November 2023. Intel has notified other affected hardware and software vendors of the issue. Intel and AMD are addressing the concerns raised in the paper through their respective security bulletins (AMD's is AMD-SB-7015). The findings were also shared in the Vulnerability Information and Coordination Environment (VINCE) as case VU#157097, “Class of attack primitives allows data leakage on high-end Intel CPUs.”
For more information:
Hosein Yavarzadeh et al., Pathfinder: High-Resolution Control Flow Attacks Exploiting Conditional Branch Predictors, Proceedings of the 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, vol. (2024). DOI: 10.1145/3620666.3651382