There are two types of attacks that target the conditional branch predictor found in high-end Intel processors, which could compromise billions of processors currently in use.

A unique attack is the first to target a feature in the branch predictor called the Path History Register, which tracks branch order and branch addresses. As a result, more information with more precision ends up exposed than with prior attacks that lacked insight into the exact structure of the branch predictor.

A multi-university and industry research team led by computer scientists at University of California San Diego, along with Purdue University, Georgia Tech, the University of North Carolina Chapel Hill and Google, discovered the vulnerabilities and wrote a paper on the subject entitled, “Pathfinder: High-Resolution Control-Flow Attacks Exploiting the Conditional Branch Predictor.”

Their research resulted in Intel and Advanced Micro Devices (AMD) addressing the concerns raised by the researchers and advising users about the security issues. Intel issued a security announcement, while AMD released a security bulletin.

Branching Different Paths
In software, frequent branching occurs as programs navigate different paths based on varying data values. The direction of these branches, whether “taken” or “not taken,” provides crucial insights into the executed program data.

Schneider Bold

Given the significant impact of branches on modern processor performance, a crucial optimization known as the “branch predictor” ends up employed. This predictor anticipates future branch outcomes by referencing past histories stored within prediction tables. Previous attacks exploited this mechanism by analyzing entries in these tables to discern recent branch tendencies at specific addresses.

In this new study, researchers leverage modern predictors’ utilization of a Path History Register (PHR) to index prediction tables. The PHR records the addresses and precise order of the last 194 taken branches in recent Intel architectures. With innovative techniques for capturing the PHR, researchers demonstrate the ability to not only capture the most recent outcomes but also every branch outcome in sequential order.

Remarkably, researchers uncover the global ordering of all branches. Despite the PHR typically retaining the most recent 194 branches, the researchers present an advanced technique to recover a significantly longer history.

A new paper entitled, “Pathfinder: High-Resolution Control-Flow Attacks Exploiting the Conditional Branch Predictor,” details two novel attacks that could compromise the billions of Intel and AMD processors.
Source: Hosein Yavarzadeh

“We successfully captured sequences of tens of thousands of branches in precise order, utilizing this method to leak secret images during processing by the widely used image library, libjpeg,” said Hosein Yavarzadeh, a UC San Diego Computer Science and Engineering Department PhD student and lead author of the paper.

Intricate Patterns
The researchers also introduce an exceptionally precise Spectre-style poisoning attack, enabling attackers to induce intricate patterns of branch mispredictions within victim code. “This manipulation leads the victim to execute unintended code paths, inadvertently exposing its confidential data,” said UC San Diego computer science Professor Dean Tullsen.

“While prior attacks could misdirect a single branch or the first instance of a branch executed multiple times, we now have such precise control that we could misdirect the 732nd instance of a branch taken thousands of times,” Tullsen said.

The team has a proof-of-concept where they force an encryption algorithm to transiently exit earlier, resulting in the exposure of reduced-round ciphertext. Through this demonstration, they illustrate the ability to extract the secret AES encryption key.

“Pathfinder can reveal the outcome of almost any branch in almost any victim program, making it the most precise and powerful microarchitectural control-flow extraction attack that we have seen so far,” said Kazem Taram, an assistant professor of computer science at Purdue University and a UC San Diego computer science PhD graduate.

Click here to view the paper.


Pin It on Pinterest

Share This