Researchers Uncover BranchScope, a New Intel CPU Exploit
Cybersecurity researchers from four major universities have disclosed a new processor-based vulnerability, dubbed BranchScope, that is similar to Spectre/Meltdown but is immune to the fixes put in place to patch those vulnerabilities.
It leverages the speculative execution capabilities found in most modern processors and can be used to circumvent memory protections implemented at the hardware and operating system level. The difference between BranchScope and Spectre/Meltdown is that while both are side-channel attacks that require manipulation of speculative execution, the new vulnerability is the first to focus on the shared branch target predictor, the researchers said.
The BranchScope exploit enables attackers to take control of this “think ahead” decision-making component and steer the upcoming path in the wrong direction. Hackers can then grab sensitive data stored in memory not generally accessible by users and applications. The vulnerability is similar to Spectre Variant 2, only BranchScope targets the process that decides which branch the CPU will take next whereas Spectre Variant 2 resides in the cache component associated with branch prediction.
“BranchScope works reliably and efficiently from user space across three generations of Intel processors in the presence of system noise, with an error rate of less than one percent,” the paper states. “BranchScope can be naturally extended to attack SGX (Software Guard Extensions) enclaves with even lower error rates than in traditional systems.”
The researchers specifically tested BranchScope on three Intel processors: the sixth-generation Core i6-6200U chip, the fourth-generation Core i7-4800MQ chip, and the second-generation Core i7-2600 chip. As the paper suggests, hackers don’t need administrator privileges to execute the attack. Data can even be pulled from private regions of memory, aka enclaves, that are locked away by the processor’s Software Guard Extensions.
The researchers believe Intel’s updates addressing Meltdown and the two Spectre vulnerabilities won’t mitigate the security hole seen in the BranchScope discovery. The problem resides in a different part of speculative execution, so Intel will need to conjure up new software fixes for current chips and a hardware fix for future processors. But Intel believes its current patches should address the BranchScope issue.
“We have been working with these researchers and have determined the method they describe is similar to previously known side channel exploits,” Intel said.
“We anticipate that existing software mitigations for previously known side channel exploits, such as the use of side channel resistant cryptography, will be similarly effective against the method described in this paper.”
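As an added illustration of the mitigation Intel points to, side channel resistant cryptography, and not code from the paper or from Intel: the first routine shows the secret-dependent branch pattern that a branch-direction side channel can observe, and the constant-time routines below it execute the same instruction path whatever the data. Function names are my own.

```c
#include <stdint.h>
#include <stddef.h>

/* Pattern to avoid: the early-exit `if` resolves differently depending on
   secret bytes, so the direction predictor's state ends up correlated with
   the secret. Kept only to contrast with the constant-time version. */
int leaky_compare(const uint8_t *a, const uint8_t *b, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i])        /* branch outcome depends on secret data */
            return 0;
    }
    return 1;
}

/* Constant-time equality: always touches all n bytes, no data-dependent
   branch. Returns 1 if equal, 0 otherwise. */
int ct_compare(const uint8_t *a, const uint8_t *b, size_t n) {
    uint32_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint32_t)(a[i] ^ b[i]);     /* accumulate, never exit early */
    /* diff is 0..255; (diff - 1) wraps to 0xFFFFFFFF only when diff == 0 */
    return (int)((diff - 1u) >> 31);
}

/* Branchless select: returns a when cond is 1, b when cond is 0. */
uint32_t ct_select(uint32_t cond, uint32_t a, uint32_t b) {
    uint32_t mask = 0u - (cond & 1u);        /* all ones or all zeros */
    return (a & mask) | (b & ~mask);
}

/* Branchless conditional swap, the building block of ladder-style
   exponentiation and scalar multiplication that avoids key-dependent
   control flow. */
void ct_cswap(uint32_t cond, uint32_t *x, uint32_t *y) {
    uint32_t mask = 0u - (cond & 1u);
    uint32_t t = mask & (*x ^ *y);
    *x ^= t;
    *y ^= t;
}
```

Compilers may reintroduce branches when optimizing, so constant-time routines are normally checked in the emitted assembly rather than trusted from the source alone.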
According to Intel, one of the best ways to protect customers is to have a close relationship with the research community. But the company likely wasn’t quite so enthusiastic after researchers went public with the Meltdown and Spectre vulnerabilities earlier this year. The company is likely bracing for additional criticism given that BranchScope is now out in the open.
The final recommendation is partitioning the BPU in such a way that attackers and victims do not share the same structures.