https://indirector.cpusec.org/ announces a new Spectre V2 attack method being
presented at the Usenix Security Conference in August:

  This paper introduces novel high-precision Branch Target Injection
  (BTI) attacks, leveraging the intricate structures of the Indirect
  Branch Predictor (IBP) and the Branch Target Buffer (BTB) in high-end
  Intel CPUs (Raptor Lake and Alder Lake).

  It presents, for the first time, a comprehensive picture of the IBP
  and the BTB within the most recent Intel processors, revealing their
  size, structure, and the precise functions governing index and tag
  hashing.

  Additionally, this study reveals new details into the inner workings
  of Intel's hardware defenses, such as IBPB, IBRS, and STIBP, including
  previously unknown holes in their coverage.

  Leveraging insights from reverse engineering efforts, this research
  develops highly precise Branch Target Injection (BTI) attacks to
  breach security boundaries across diverse scenarios, including
  cross-process and cross-privilege scenarios, and uses the IBP and the
  BTB to break Address Space Layout Randomization (ASLR).

Their mitigation recommendation for operating systems running on Intel CPUs is:

  Using IBPB more aggressively: To the best of our understanding, Linux
  opts to automatically activate the IBPB during context switches
  between different users. The default policy in the latest Linux
  version, termed "IBPB: conditional", only activates IBPB during
  transitions to SECCOMP mode or tasks with restricted indirect branches
  in the kernel. Consequently, IBPB activation is infrequent in both
  user and kernel spaces due to the significant performance overhead (up
  to 50%). It is not a viable mitigation for frequent domain crossings
  (browsers, sandboxes, and even kernel/user) - plus the fact that the
  OS does not use it in the most frequent domain transitions by default.
--
-Alan Coopersmith- [email protected]
Oracle Solaris Engineering - https://blogs.oracle.com/solaris
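As an added example (not from the Indirector paper nor from the mail above): a small C program for a Linux host that reads the kernel's spectre_v2 status line, where the "IBPB: conditional" policy quoted above is reported, and then opts the calling process into the restricted-indirect-branch class via prctl(2), which is the per-task path under which conditional IBPB actually fires. It assumes a Linux kernel with PR_SET_SPECULATION_CTRL support (4.20 or later) and the sysfs path shown; the status strings in the comments are constructed from the kernel's output format.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#ifndef PR_SET_SPECULATION_CTRL  /* older headers: values from linux/prctl.h */
#define PR_SET_SPECULATION_CTRL 53
#define PR_SPEC_INDIRECT_BRANCH 1
#define PR_SPEC_DISABLE (1UL << 2)
#endif
/* Value after "key: " in the kernel's spectre_v2 line (fields separated by "; " on
 * newer kernels, ", " on older ones), e.g. "IBPB" -> "conditional". The match must
 * start a field, so "IBRS" is not found inside "PBRSB-eIBRS: ...". Static buffer;
 * NULL if the key is absent (e.g. a plain "Not affected" line). */
const char *spec_field(const char *status, const char *key)
{
    static char val[64];
    char needle[32];
    snprintf(needle, sizeof needle, "%s: ", key);
    const char *p = strstr(status, needle);
    while (p && p != status &&
           !(p - status >= 2 && (p[-2] == ';' || p[-2] == ',') && p[-1] == ' '))
        p = strstr(p + 1, needle);
    if (!p) return NULL;
    p += strlen(needle);
    size_t n = strcspn(p, ";,\n");
    if (n >= sizeof val) n = sizeof val - 1;
    memcpy(val, p, n);
    val[n] = '\0';
    return val;
}

/* Mark this task as having restricted indirect branches (TIF_SPEC_IB): with "IBPB:
 * conditional" the kernel then issues IBPB on switches to/from it and sets STIBP while
 * it runs. Returns 0 on success (also if the policy is already always-on), else errno;
 * EPERM: no user-space Spectre v2 mitigation active (unaffected CPU, spectre_v2_user=off). */
int restrict_indirect_branches(void)
{
    return prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH,
                 PR_SPEC_DISABLE, 0, 0) == -1 ? errno : 0;
}
int main(void)
{
    char line[256];
    FILE *f = fopen("/sys/devices/system/cpu/vulnerabilities/spectre_v2", "r");
    if (f && fgets(line, sizeof line, f)) {
        const char *v = spec_field(line, "IBPB");
        printf("spectre_v2: %sIBPB policy: %s\n", line, v ? v : "not reported");
    }
    if (f) fclose(f);
    int rc = restrict_indirect_branches();
    printf("IB restriction: %s\n", rc ? strerror(rc) : "applied to this process");
    return 0;
}
```

A process that handles untrusted input (a sandbox broker, a JIT host) can call restrict_indirect_branches() at startup so that the default "conditional" policy covers its context switches; whether that is worth the IBPB cost is the trade-off the quoted paragraph describes.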