Newer Intel CPUs vulnerable to new "Indirector" attack — Spectre-style attacks risk stealing sensitive data; Intel says no new mitigations required

Unprotected Intel Raptor Lake and Alder Lake CPUs are vulnerable to a newly discovered side-channel attack called "Indirector," which risks stealing sensitive data from the CPU. Indirector is closely related to the Spectre vulnerabilities , which set the tech world on fire in 2018, and the new paper presents for the first time a detailed diagram of two of the key components inside Intel processors that enable speculative execution. Intel told Tom's Hardware in a statement that these vulnerabilities are covered by its existing mitigation advice (more below).

Luyi Li, Hosein Yavarzadeh, and Dean Tullsen, all researchers from the University of California, San Diego, first discovered the weakness and shared their initial findings here . A full presentation of the paper will be given at the USENIX Security Symposium in August. The attacks are high-precision Branch Target Injections (BTI), a family of side-channel attacks also referred to as "Spectre-V2". The Indirector name specifically refers to attacks targeting the Indirect Branch Predictor (IBP) and Branch Target Buffer (BTB), two pieces of hardware found on new high-end Intel processors.

Spectre-like vulnerabilities are dangerous because they allow undetected and free access to information being processed inside a CPU through side-channel attacks. These attacks aren't detectable by anti-virus software, as the processor continues to operate as expected. The specific side-channel attack exploits branch prediction, a predictive operation inside the CPU trying to guess where if-then structures (branches) will go. If performed inefficiently, branch prediction leaves behind caches and other data, which may include encryption keys, passwords, or similar sensitive data. A more detailed explanation of Spectre can be found here .

Indirector is a Spectre-V2 attack that hits on the flaws in the previously mentioned IBP and BTB. The IBP and BTB were previously mysterious parts of the new Intel microarchitecture. Still, the UCSD paper presents for the first time a comprehensive picture of the two components, including their size and structure and exactly how their inefficient flaws allow attackers access to sensitive data.

Intel was informed by the paper authors of the vulnerability in February. Intel responded to our queries and provided the following statement:

“Intel reviewed the report submitted by academic researchers and determined previous mitigation guidance provided for issues such as IBRS, eIBRS and BHI are effective against this new research and no new mitigations or guidance is required.”

Intel technical mitigation guidance:

·        BHI: https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/branch-history-injection.html

·        IBRS, eIBRS: https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/speculative-execution-side-channel-mitigations.html#IBRS "

The authors also recommend two strategies for mitigating the attacks: more aggressive use of an Indirect Branch Predictor Barrier (IBPB) and boosting the randomization and encryption of the BTB. These are imperfect solutions, especially considering the IBPB is nerfed on the Linux kernel due to its negative effect on performance. According to the study, Intel has already incorporated parts of the fixes into newer CPU designs.

Those interested in the attacks, more specifically, can read the full technical paper here . The authors also provide their Github repo containing tools to reverse-engineer the vulnerability and attack proof-of-concepts.