Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <2fdcdb0f-98e9-499b-a5b3-f9c4f6032bc9@oracle.com>
Date: Thu, 27 Jun 2024 17:15:20 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: Indirector: High-Precision Branch Target Injection Attacks Exploiting
 the Indirect Branch Predictor

https://indirector.cpusec.org/ announces a new Spectre V2 attack method being
presented at Usenix Security Conference in August:

     This paper introduces novel high-precision Branch Target Injection
     (BTI) attacks, leveraging the intricate structures of the Indirect
     Branch Predictor (IBP) and the Branch Target Buffer (BTB) in high-end
     Intel CPUs (Raptor Lake and Alder Lake).

     It presents, for the first time, a comprehensive picture of the IBP
     and the BTB within the most recent Intel processors, revealing their
     size, structure, and the precise functions governing index and tag
     hashing.

     Additionally, this study reveals new details into the inner workings
     of Intel's hardware defenses, such as IBPB, IBRS, and STIBP, including
     previously unknown holes in their coverage.

     Leveraging insights from reverse engineering efforts, this research
     develops highly precise Branch Target Injection (BTI) attacks to
     breach security boundaries across diverse scenarios, including
     cross-process and cross-privilege scenarios and uses the IBP and the
     BTB to break Address Space Layout Randomization (ASLR).

Their mitigation recommendation for operating systems running on Intel CPUs is:

     Using IBPB more aggressively: To the best of our understanding, Linux
     opts to automatically activate the IBPB during context switches
     between different users. The default policy in the latest Linux
     version, termed "IBPB: conditional", only activates IBPB during
     transitions to SECCOMP mode or tasks with restricted indirect branches
     in the kernel. Consequently, IBPB activation is infrequent in both
     user and kernel spaces due to the significant performance overhead (up
     to 50%). It is not a viable mitigation for frequent domain crossings
     (browsers, sandboxes, and even kernel/user) - plus the fact that the
     OS does not use it in the most frequent domain transitions by default.

-- 
         -Alan Coopersmith-                 alan.coopersmith@...cle.com
          Oracle Solaris Engineering - https://blogs.oracle.com/solaris

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.