Intel CPUs Vulnerable to ‘Indirector’ Side-Channel Attack

Modern Intel CPUs, including Raptor Lake and Alder Lake, have been found to be susceptible to a new side-channel attack, dubbed Indirector, which could be exploited to leak sensitive data.

The attack, discovered by researchers, exploits weaknesses in the Indirect Branch Predictor (IBP) and the Branch Target Buffer (BTB), bypassing current defenses and compromising CPU security.

“The Indirect Branch Predictor (IBP) predicts the target addresses of indirect branches, which are control flow instructions with target addresses computed at runtime,” the researchers explained.

The core concept is to exploit IBP vulnerabilities to execute precise Branch Target Injection (BTI) attacks, also known as Spectre v2 (CVE-2017-5715), which can lead to unauthorized data disclosure through a side-channel to an attacker with local user access.

Using a custom tool called iBranch Locator, attackers can identify any indirect branch and perform targeted IBP and BTB injections to trigger speculative execution.

While previous attacks like Pathfinder targeted the Conditional Branch Predictor, Indirector attacks focus on target predictors, making them more severe.

Indirector reverse engineers IBP and BTB to predict the target addresses of branch instructions in modern CPUs, enabling high-resolution branch target injection attacks that can hijack control flow and leak secrets.

Intel, informed of these findings in February 2024, stated that existing mitigations for IBRS, eIBRS, and BHI are effective against Indirector, and no new mitigations are required.

Recommended countermeasures include more aggressive use of the Indirect Branch Predictor Barrier (IBPB) and enhancing the Branch Prediction Unit (BPU) design with more complex tags, encryption, and randomization.

This research coincides with the discovery of a speculative execution attack on Arm CPUs, called TikTag, targeting the Memory Tagging Extension (MTE) to leak data with a success rate of over 95% in less than four seconds.

Researchers found new TikTag gadgets capable of leaking MTE tags from arbitrary memory addresses through speculative execution, significantly increasing the attack success rate.

Arm responded by stating that while MTE provides deterministic and probabilistic defenses against certain exploits, it is not designed to fully protect against an interactive adversary capable of brute-forcing, leaking, or crafting arbitrary Address Tags.

To mitigate the risk posed by the Indirector attack, users should ensure that their systems are regularly updated with the latest security patches from Intel and other hardware vendors. Implementing enhanced security measures such as the Indirect Branch Predictor Barrier (IBPB) and hardening the Branch Prediction Unit (BPU) with complex tags, encryption, and randomization can significantly reduce vulnerability.
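Intel's position and the advice above both come down to confirming that the existing Spectre v2 mitigations (IBRS/eIBRS, IBPB and the BHI mitigation) are actually active on a given host. The following Python script is an added example, not part of this article or of the Indirector research: it parses the Spectre v2 status line that a Linux kernel exposes at /sys/devices/system/cpu/vulnerabilities/spectre_v2 and flags which of those mechanisms are not reported. The sample status strings are constructed to match the kernel's reporting format and are not captured from any real machine; the finding messages are the example's own wording.

```python
"""Summarise the Spectre v2 (BTI) mitigation state a Linux kernel reports via sysfs.

Added example: the sample strings are constructed in the kernel's reporting
format for illustration; nothing here is taken from the article's own tooling.
"""
from pathlib import Path

# Real sysfs path on Linux; absent on other systems, handled in read_live_status().
SPECTRE_V2_PATH = Path("/sys/devices/system/cpu/vulnerabilities/spectre_v2")

# Constructed sample status lines (same shape as the kernel's output, not real captures).
SAMPLE_MITIGATED = ("Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; "
                    "RSB filling; PBRSB-eIBRS: SW sequence; BHI: BHI_DIS_S")
SAMPLE_PARTIAL = "Mitigation: Retpolines; IBPB: conditional; STIBP: disabled; RSB filling"
SAMPLE_VULNERABLE = "Vulnerable"
SAMPLE_NOT_AFFECTED = "Not affected"


def read_live_status():
    """Return the host's spectre_v2 line, or None when the file is not available."""
    try:
        return SPECTRE_V2_PATH.read_text()
    except OSError:
        return None


def parse_spectre_v2(status: str) -> dict:
    """Parse one spectre_v2 line into the overall state plus the mechanisms of interest.

    state is one of 'mitigated', 'vulnerable', 'not_affected' or 'unknown';
    eibrs/ibrs are booleans, ibpb/bhi hold the reported mode string or None.
    """
    status = status.strip()
    result = {"state": "unknown", "eibrs": False, "ibrs": False,
              "ibpb": None, "bhi": None, "raw": status}
    if status == "Not affected":
        result["state"] = "not_affected"
        return result
    if status.startswith("Vulnerable"):
        result["state"] = "vulnerable"
        return result
    if not status.startswith("Mitigation:"):
        return result

    result["state"] = "mitigated"
    # First field names the primary mitigation; the rest are "Name: value" items.
    fields = [f.strip() for f in status[len("Mitigation:"):].split(";")]
    primary = fields[0]
    result["eibrs"] = "Enhanced" in primary or "Automatic IBRS" in primary
    result["ibrs"] = "IBRS" in primary
    for field in fields[1:]:
        name, _, value = field.partition(":")
        name, value = name.strip(), value.strip()
        if name == "IBPB":
            result["ibpb"] = value or "enabled"
        elif name == "BHI":
            result["bhi"] = value
    return result


def assess(summary: dict) -> list:
    """Return findings a defender would act on; an empty list means nothing is missing."""
    findings = []
    if summary["state"] == "vulnerable":
        findings.append("spectre_v2 reported as Vulnerable: apply kernel and microcode updates")
        return findings
    if summary["state"] != "mitigated":
        return findings
    if not (summary["eibrs"] or summary["ibrs"]):
        findings.append("no IBRS/eIBRS reported: hardware indirect-branch control is not in use")
    if summary["ibpb"] in (None, "disabled"):
        findings.append("IBPB not active: indirect branch predictions are not flushed across context switches")
    if summary["bhi"] in (None, "Vulnerable"):
        findings.append("no BHI mitigation reported")
    return findings


if __name__ == "__main__":
    live = read_live_status()
    source = "live host" if live is not None else "constructed sample"
    summary = parse_spectre_v2(live if live is not None else SAMPLE_PARTIAL)
    print(f"[{source}] {summary['raw']}")
    for finding in assess(summary) or ["no gaps found among IBRS/eIBRS, IBPB and BHI"]:
        print(" -", finding)
```

Run on a Linux host the script reads the live sysfs line; elsewhere it falls back to the constructed sample so the parsing logic can still be exercised. A missing finding is not proof of safety, only that the kernel reports the mechanism as active; microcode and kernel versions still need to be kept current as the article advises.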

Additionally, users should employ comprehensive endpoint protection solutions that include behavioral detection capabilities to identify and block suspicious activities.