Researchers from ETH Zurich were able to circumvent Intel’s defenses against Spectre — a family of data leaking vulnerabilities. This time, they discovered a new class of security vulnerabilities called Branch Predictor Race Conditions (BPRC).
The researchers found they can exploit situations where a processor switches privilege levels, such as from user to kernel, while branch predictor updates are still in flight. This misalignment allows predictions to be incorrectly tagged with elevated privileges. They use this behavior to craft a new Spectre v2 attack vector, dubbed Branch Privilege Injection (BPI), which allows unprivileged code to inject branch predictions misclassified as kernel-level.
“BPI enables the classical Spectre v2 attack despite the eIBRS mitigation that was supposed to stop Spectre v2,” Kaveh Razavi, assistant professor at ETH Zurich, told The Register. “Spectre v2 can leak information across different security boundaries.”
Razavi said there are several possible attack scenarios.
“You could start a VM in your favorite cloud and this VM could then leak information from the hypervisor, including information that belongs to other VMs owned by other customers,” he explained.
“While such attacks are in theory possible, and we have shown that BPI enables such attacks, our particular exploit leaks information in the user-to-kernel scenario. In such a scenario, the attacker runs inside an unprivileged user process (instead of a VM), and leaks information from the OS (instead of the hypervisor).”
Essentially, BPI allows the attacker to inject branch predictions tagged with elevated privileges in user mode, which ignores the security guarantees of eIBRS and IBPB. Thereafter, a Spectre v2 attack (sometimes called Branch Target Injection, or BTI) can be carried out to gain access to sensitive data in memory.
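To make the race described above concrete, here is an added toy model (not code from the researchers or from Intel) of a privilege-tagged indirect branch predictor whose updates are committed asynchronously; the `drain_on_switch` behaviour is an assumed illustrative countermeasure, not a description of Intel's microcode fix.

```python
from collections import deque
from dataclasses import dataclass, field

USER, KERNEL = 0, 1  # constructed privilege levels for the model


@dataclass
class PendingUpdate:
    source_pc: int   # address of the indirect branch that executed
    target: int      # target it resolved to
    origin_priv: int # privilege level of the code that executed it


@dataclass
class BranchPredictorModel:
    """Constructed model: predictor entries are keyed by (pc, privilege tag)."""
    drain_on_switch: bool = False   # if True, flush in-flight updates before a switch
    priv: int = USER                # current privilege level of the core
    pending: deque = field(default_factory=deque)
    table: dict = field(default_factory=dict)

    def execute_indirect_branch(self, pc: int, target: int) -> None:
        # The predictor update is not applied immediately; it stays "in flight".
        self.pending.append(PendingUpdate(pc, target, self.priv))

    def commit_one(self) -> PendingUpdate:
        # Modelled flaw: the tag is taken from the privilege level at commit time,
        # not from the level at which the branch actually executed.
        upd = self.pending.popleft()
        self.table[(upd.source_pc, self.priv)] = upd.target
        return upd

    def switch_privilege(self, new_priv: int) -> None:
        if self.drain_on_switch:
            while self.pending:      # assumed countermeasure: no update may straddle a switch
                self.commit_one()
        self.priv = new_priv

    def predict(self, pc: int):
        # eIBRS-style isolation: a lookup only honours entries tagged with the current level.
        return self.table.get((pc, self.priv))


def run_scenario(drain_on_switch: bool):
    """Returns the kernel-mode prediction seen after a user branch raced a privilege switch."""
    bp = BranchPredictorModel(drain_on_switch=drain_on_switch)
    bp.execute_indirect_branch(pc=0x1000, target=0xBAD)  # user-mode branch, update in flight
    bp.switch_privilege(KERNEL)                           # e.g. a syscall entry
    while bp.pending:
        bp.commit_one()                                   # late commit lands with kernel tag
    return bp.predict(0x1000)
```

Without draining, the user-originated entry is committed with a kernel tag and is honoured by a kernel-mode lookup; with draining, it is tagged as user and the kernel lookup finds nothing.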
Thankfully, a microcode update has been released. This vulnerability only impacts Intel chips released after the 9th generation.
Intel has released a microcode update to address the flaw. The chipmaker’s advisory, issued Tuesday, resolves BPI, a vulnerability (CVE-2024-45332) that Intel calls Indirect Branch Predictor Delayed Updates.
All Intel x86 chips since the 9th generation (Coffee Lake Refresh) are affected, the researchers say, noting that they’ve seen some impact going back to 7th generation (Kaby Lake) processors.