New Intel CPU Flaws Leak Sensitive Data From Privileged Memory
An Anonymous Coward writes:
ETH Zurich boffins exploit branch prediction race condition to steal info from memory, fixes have mild perf hit
by Thomas Claburn // Tue 13 May 2025
Researchers at ETH Zurich in Switzerland have found a way around Intel's defenses against Spectre, a family of data-leaking flaws in the x86 giant's processor designs that simply won't die.
Sandro Ruegge, Johannes Wikner, and Kaveh Razavi have identified a class of security vulnerabilities they're calling Branch Predictor Race Conditions (BPRC), which they describe in a paper [PDF] scheduled to be presented at USENIX Security 2025 and Black Hat USA 2025 later this year.
Spectre refers to a set of hardware-level processor vulnerabilities identified in 2018 that can be used to break the security isolation between software. It does this by exploiting speculative execution - a performance optimization technique that involves the CPU anticipating future code paths (also known as branch prediction) and executing down those paths before they're actually needed.
In practice, this all means malware running on a machine, or a rogue logged-in user, can potentially abuse Spectre flaws within vulnerable Intel processors to snoop on and steal data - such as passwords, keys, and other secrets - from other running programs or even from the kernel, the heart of the operating system itself, or from adjacent virtual machines on a host, depending on the circumstances. In terms of real-world risk, we haven't seen the Spectre family exploited publicly in a significant way, yet.
There are several Spectre variants. One of these, Spectre v2, enables an attacker to manipulate indirect branch predictions across different privilege modes to read arbitrary memory; it effectively allows a malicious program to extract secrets from the kernel and other running applications.
Intel has added various hardware-based defenses against these sorts of attacks over the years, which include Indirect Branch Restricted Speculation (IBRS/eIBRS) for restricting indirect branch target prediction, a sanitizing technique called Indirect Branch Predictor Barrier (IBPB), and other microarchitectural speculation controls.
eIBRS, the researchers explain, is designed to restrict indirect branch predictions to their originating privilege domain, preventing them from leaking across boundaries. Additional protection provided by IBPB is recommended in scenarios where different execution contexts, like untrusted virtual machines (VMs), share the same privilege level and hardware domain.
But Ruegge, Wikner, and Razavi found that branch predictors on Intel processors are updated asynchronously inside the processor pipeline, meaning there are potential race conditions - situations when two or more processes or threads attempt to access and update the same information concurrently, resulting in unpredictable behavior.
Read more of this story at SoylentNews.