Uncovering ‘Indirector’: A New Vulnerability Exposing Sensitive Data in Intel CPUs


Intel’s recent processors, including the 12th-generation Alder Lake and 13th-generation Raptor Lake families, are vulnerable to a new branch-predictor side-channel attack dubbed “Indirector.” An attacker with local, unprivileged code execution on the same core can use it to leak sensitive data from other code running on that core, raising serious security concerns.

The Discovery of Indirector

The vulnerability was found by a team of security researchers at UC San Diego comprising Luyi Li, Hosein Yavarzadeh, and Dean Tullsen, and is described in their paper at USENIX Security 2024. Their research reverse-engineers two components of the branch prediction unit in modern Intel CPUs: the Indirect Branch Predictor (IBP) and the Branch Target Buffer (BTB). Both predict the target address of a branch before the branch actually resolves; the IBP specifically handles indirect branches (for example a `jmp *%rax` or a call through a function pointer), control flow instructions whose target address is computed at runtime rather than encoded in the instruction.

“The Indirect Branch Predictor (IBP) is a hardware component in modern CPUs that predicts the target addresses of indirect branches,” the researchers explained. “Indirect branches are control flow instructions whose target address is computed at runtime, making them challenging to predict accurately. The IBP uses a combination of global history and branch address to predict the target address of indirect branches.”

How Indirector Works

At its core, Indirector uses the reverse-engineered structure of the IBP to mount Branch Target Injection (BTI) attacks with high precision. BTI is the attack class known as Spectre v2 (CVE-2017-5715): the attacker trains the processor’s indirect branch predictor so that a victim’s indirect branch is speculatively steered to an attacker-chosen target, and the victim’s resulting speculative execution discloses information to an attacker with local user access through a side channel such as the cache. Indirector’s contribution is a detailed understanding of how the IBP indexes and tags its entries, which lets the attacker target specific predictor entries rather than relying on chance collisions.

The attack is built on a custom tool called iBranch Locator, which can find where any given indirect branch lives in the IBP. With that location known, the attacker performs precisely targeted IBP and BTB injections that steer the victim’s speculative execution to attacker-chosen code. Speculative execution is the CPU’s practice of guessing which instructions it will need next and running them ahead of time; when the guess turns out to be wrong the architectural results are discarded, but traces left in the microarchitecture (for example, which cache lines were loaded) survive and can be measured, which is how an attacker who controls the guess can extract sensitive data.

Intel’s Response and Mitigations

Intel was informed of the findings in February 2024 and has since notified other affected hardware and software vendors. The researchers recommend two mitigations: issuing the Indirect Branch Predictor Barrier (IBPB) more aggressively, so that predictor state trained in one security domain is flushed before another runs, and hardening the Branch Prediction Unit (BPU) design itself with more complex tags, encryption, and randomization of the indexing, so that an attacker cannot construct entries that alias a victim’s branch. IBPB is not free: every barrier discards useful prediction state and costs performance, which is why operating systems normally issue it only at selected transitions. On Linux, the Spectre v2 mitigation currently in effect, including how IBPB is applied, is reported in /sys/devices/system/cpu/vulnerabilities/spectre_v2.

These measures aim to make it significantly harder for attackers to exploit the IBP and BTB, thereby protecting sensitive information from being leaked.
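To make the mechanism described in the two preceding sections concrete, here is a toy software model of a tagged, history-indexed indirect branch predictor, written for this page as an added example. It is not the researchers’ code and not Intel’s design: the table size, hash function, tag width, addresses and context ids are all made up. It shows why an attacker’s branch in a different process can alias with a victim’s branch when the entry is selected by partial address bits plus branch history, and why both recommended mitigations, an IBPB flush at the context switch and a richer tag that includes the executing context, stop the victim from consuming the injected target:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy indirect branch predictor (IBP), constructed for illustration only.
 * Not Intel's design. It keeps two properties the Indirector write-up relies on:
 *  - an entry is selected by a hash of branch address and global history and
 *    matched by a PARTIAL address tag, so a branch in another process whose
 *    address agrees in those bits aliases with it (Branch Target Injection);
 *  - an IBPB flush, or a tag that also carries the executing context, stops
 *    the victim from consuming the attacker's entry.
 */

#define IBP_SETS 64u
#define TAG_BITS 12u

typedef struct {
    int      valid;
    uint32_t tag;     /* partial tag from branch address (+ context id when hardened) */
    uint64_t target;  /* predicted target address */
} ibp_entry_t;

typedef struct {
    ibp_entry_t set[IBP_SETS];
    int tag_with_ctx; /* 1 = hardened: tag also carries the executing context id */
} ibp_t;

typedef struct {
    uint32_t ctx_id;  /* which process / privilege domain is executing */
    uint64_t ghist;   /* global branch history, shapeable by whatever code runs */
} cpu_state_t;

static unsigned ibp_index(uint64_t pc, uint64_t ghist) {
    /* Only the low address bits and the history select the set. */
    return (unsigned)((pc ^ ghist) & (IBP_SETS - 1));
}

static uint32_t ibp_tag(const ibp_t *p, uint64_t pc, uint32_t ctx_id) {
    /* Baseline: 12 address bits above the index bits. High address bits are
       not in the tag, which is what makes cross-process aliasing possible. */
    uint32_t tag = (uint32_t)((pc >> 6) & ((1u << TAG_BITS) - 1));
    if (p->tag_with_ctx)
        tag |= ctx_id << TAG_BITS;  /* hardened: a foreign context never matches */
    return tag;
}

/* Training/update: the branch at pc resolved to target. */
static void ibp_update(ibp_t *p, const cpu_state_t *cpu, uint64_t pc, uint64_t target) {
    ibp_entry_t *e = &p->set[ibp_index(pc, cpu->ghist)];
    e->valid  = 1;
    e->tag    = ibp_tag(p, pc, cpu->ctx_id);
    e->target = target;
}

/* Lookup: predicted target for the branch at pc, or 0 when nothing hits. */
static uint64_t ibp_predict(const ibp_t *p, const cpu_state_t *cpu, uint64_t pc) {
    const ibp_entry_t *e = &p->set[ibp_index(pc, cpu->ghist)];
    if (e->valid && e->tag == ibp_tag(p, pc, cpu->ctx_id))
        return e->target;
    return 0;
}

/* IBPB: discard every prediction so earlier training cannot steer later code. */
static void ibp_barrier(ibp_t *p) {
    memset(p->set, 0, sizeof p->set);
}

/* Constructed addresses. The attacker's branch is in its own mapping but agrees
   with the victim's branch in the low 18 bits (index + tag), which the attacker
   can arrange because it controls where its own code is loaded. */
#define VICTIM_BRANCH_PC   0x0000555500000c40ULL
#define ATTACKER_BRANCH_PC 0x00007fff00000c40ULL
#define GADGET_TARGET      0x0000555500002000ULL  /* disclosure gadget in victim's space */
#define SHARED_HISTORY     0x3ULL

/* Run one cross-process scenario and return the target the victim's branch is
   speculatively steered to (0 = no prediction, i.e. the injection failed). */
static uint64_t run_scenario(int hardened_tags, int issue_ibpb) {
    ibp_t ibp = {0};
    ibp.tag_with_ctx = hardened_tags;
    cpu_state_t attacker = { 1001, SHARED_HISTORY };
    cpu_state_t victim   = { 42,   SHARED_HISTORY };

    /* Attacker repeatedly executes its aliased branch toward the gadget. */
    for (int i = 0; i < 8; i++)
        ibp_update(&ibp, &attacker, ATTACKER_BRANCH_PC, GADGET_TARGET);

    if (issue_ibpb)          /* OS issues IBPB on the context switch to the victim */
        ibp_barrier(&ibp);

    /* Victim reaches its indirect branch with the history the attacker arranged;
       the predictor decides where the CPU speculates until the branch resolves. */
    return ibp_predict(&ibp, &victim, VICTIM_BRANCH_PC);
}

int main(void) {
    printf("baseline, no IBPB  : speculates to 0x%llx (gadget 0x%llx)\n",
           (unsigned long long)run_scenario(0, 0), (unsigned long long)GADGET_TARGET);
    printf("baseline + IBPB    : speculates to 0x%llx\n", (unsigned long long)run_scenario(0, 1));
    printf("context-tagged tags: speculates to 0x%llx\n", (unsigned long long)run_scenario(1, 0));
    return 0;
}
```

The eventual branch resolution that corrects the misprediction is not modelled; by the time it happens the gadget has already run speculatively, and that window is what the side channel measures. A real predictor’s index and tag functions are more involved than `pc ^ history`, and working out exactly which address and history bits matter is what Indirector’s reverse engineering and its iBranch Locator tool deliver.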


Comparisons with Arm CPU Vulnerabilities

Interestingly, the disclosure of Indirector coincides with the publication of another speculative execution attack, this one against Arm CPUs, called TikTag. It targets the Memory Tagging Extension (MTE) and was found to leak MTE tags with over a 95% success rate in less than four seconds.

The researchers behind the TIKTAG study, Juhee Kim, Jinbum Park, Sihyeon Roh, Jaeyoung Chung, Youngjoo Lee, Taesoo Kim, and Byoungyoung Lee, noted that the attack “identifies new TikTag gadgets capable of leaking the MTE tags from arbitrary memory addresses through speculative execution. With TikTag gadgets, attackers can bypass the probabilistic defense of MTE, increasing the attack success rate by close to 100%.”

In response, Arm stated that “MTE can provide a limited set of deterministic first line defenses, and a broader set of probabilistic first line defenses, against specific classes of exploits. However, the probabilistic properties are not designed to be a full solution against an interactive adversary that is able to brute force, leak, or craft arbitrary Address Tags.”

The Broader Implications

The discovery of these vulnerabilities in both Intel and Arm CPUs underscores the ongoing challenges in securing modern processors. As CPUs become more complex and powerful, the potential attack surfaces also expand, providing new opportunities for attackers to exploit.

For users and organizations relying on these processors, it is crucial to stay informed about such vulnerabilities and apply recommended mitigations promptly. Furthermore, the tech industry must continue to invest in advanced security measures to protect against ever-evolving threats.

Conclusion

The Indirector vulnerability in Intel CPUs and the TikTag attack on Arm processors highlight the persistent and evolving nature of microarchitectural threats. As researchers uncover new vulnerabilities, it becomes imperative for manufacturers to keep strengthening their hardware defenses. By doing so, they can better safeguard sensitive data and maintain the trust of users worldwide.
