New vulnerability in Intel CPUs uncovered by security researchers

New branch prediction processor attack found affecting computer CPUs

American universities have combined their security efforts to investigate another branch prediction processor attack affecting computer CPUs, similar to the Spectre processor flaw uncovered earlier this year.

Named BranchScope, the hack was found by researchers from the College of William and Mary, Carnegie Mellon, the University of California Riverside and Binghamton University, and is said to expose sensitive system data by exploiting the way modern processors work.

The researchers said in a report that the attack builds on some of the same speculative execution weaknesses as Spectre, exploiting the chips' branch predictors to inadvertently leak sensitive information.

"BranchScope [is] a new side-channel attack where the attacker infers the direction of an arbitrary conditional branch instruction in a victim program by manipulating the shared directional branch predictor," they said.

"The directional component of the branch predictor stores the prediction on a given branch (taken or not-taken) and is a different component from the branch target buffer (BTB) attacked by previous work."

The security researchers added that BranchScope is the first fine-grained attack on the directional branch predictor, which has expanded their understanding of the branch prediction unit's side-channel vulnerability.

They tested the attack on several Intel processors and found that the root cause of the branch-based attacks is the execution of branch instructions that are conditioned on the state of secret data.

"Our attack targeted complex hybrid branch predictors with unknown organisation. We demonstrated how an attacker can force these predictors to switch to a simple 1-level mode to simplify the direction recovery," the researchers stated.

There are several possible solutions to mitigate the attack, including "algorithmically removing" dependencies of branch outcomes on secret data. However, the researchers concluded that applying such protection to large code bases is challenging, so in practice the mechanism can only be applied to the key parts of programs that handle sensitive data.

As a result, it seems it could take quite a number of years to fully discover and patch all the bugs associated with branch prediction and speculative execution.
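To illustrate what "algorithmically removing" a secret-dependent branch means in practice, here is an added example in C (not code from the article or from the BranchScope researchers): the first tag comparison exits early on a branch whose direction depends on the secret, the second computes the same answer with no data-dependent branch at all. The function names and the sample tag bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Example added for this article (not the researchers' code). The root cause
 * named above is a branch whose taken/not-taken outcome depends on secret data;
 * a directional-predictor side channel can recover that outcome, so the fix is
 * to compute the result without such a branch. Tag values are constructed. */

/* Secret-dependent branch: the early exit is taken exactly at the first
 * mismatching byte, so the branch direction encodes how much of the tag matched. */
int tags_equal_branching(const uint8_t *expected, const uint8_t *received, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (expected[i] != received[i])   /* direction depends on the secret */
            return 0;
    }
    return 1;
}

/* Branch-free version: every byte is visited, differences are OR-ed into diff,
 * and the final 0/1 is derived arithmetically. The only branch left is the loop
 * bound, which depends on the public length n, not on the data. */
int tags_equal_constant_time(const uint8_t *expected, const uint8_t *received, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(expected[i] ^ received[i]);
    /* (diff - 1) >> 8 has its low bit set only when diff == 0. */
    return (int)((((uint32_t)diff - 1u) >> 8) & 1u);
}

/* Branch-free select, the building block for replacing "if (secret) x else y":
 * a mask of all ones or all zeros chooses between the two values. */
uint32_t select_constant_time(uint32_t secret_bit, uint32_t x, uint32_t y)
{
    uint32_t mask = 0u - (secret_bit & 1u);   /* 0xFFFFFFFF if bit set, else 0 */
    return (x & mask) | (y & ~mask);
}

/* Constructed sample: a 4-byte expected tag and a received tag that differs
 * only in its last byte. Both comparisons agree on the answer; only the
 * branch pattern they leave behind in the predictor differs. */
static const uint8_t expected_tag[4] = {0x4a, 0x17, 0xc3, 0x9e};
static const uint8_t received_tag[4] = {0x4a, 0x17, 0xc3, 0x00};
int sample_mismatch_detected(void)
{
    return tags_equal_constant_time(expected_tag, received_tag, 4) == 0
        && tags_equal_branching(expected_tag, received_tag, 4) == 0;
}
```

Rewriting every secret-dependent branch by hand like this is the per-site effort the researchers describe as hard to scale to a large code base. An optimising compiler may also turn the arithmetic back into a branch, so the generated assembly of such functions should be inspected rather than assumed.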