Researchers Find a New ‘Indirector’ Attack Vulnerability in Intel Processors

New Side-Channel Attack Identified in Modern Intel CPUs: The Indirector Vulnerability

Security researchers have uncovered a new and concerning vulnerability in modern Intel CPUs, including the latest variants like Raptor Lake and Alder Lake. The attack, named Indirector, exploits weaknesses in the Indirect Branch Predictor (IBP) and the Branch Target Buffer (BTB) to bypass security defenses and access sensitive data stored in processors.

The IBP is a crucial component in modern CPUs that predicts the target addresses of indirect branches. These are control-flow instructions whose target addresses are computed at runtime, which makes them difficult to predict accurately. The Indirector attack, developed by researchers at the University of California San Diego, uses precise Branch Target Injection (BTI) techniques to trigger speculative execution of code and steal information from the processor through a side channel.

This attack leverages a custom tool called the iBranch Locator to identify indirect branches and inject malicious targets into the IBP and BTB entries. By using high-precision IBP and BTB injections, attackers can bypass existing defenses and compromise system security in various scenarios.

While Intel has implemented mitigations like Indirect Branch Restricted Speculation (IBRS) and Single Thread Indirect Branch Predictors (STIBP) to protect against target injection attacks, the researchers found these defenses to be inadequate. They recommend more aggressive use of the Indirect Branch Predictor Barrier (IBPB) and propose incorporating finer-grained Branch Prediction Unit (BPU) isolation in future CPU designs.
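
As an added example (not code from the researchers or Intel), this is one way to audit how a Linux host reports the IBRS, STIBP and IBPB mitigations named above. It assumes the Linux sysfs file `/sys/devices/system/cpu/vulnerabilities/spectre_v2`; the sample status lines are constructed, and the function names are hypothetical.

```python
import re
from pathlib import Path

# Linux sysfs file reporting branch target injection (Spectre v2) mitigation state.
SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/spectre_v2")

# Constructed sample lines in the kernel's format (older kernels separate
# fields with ", ", newer ones with "; "). Not captured from a real host.
SAMPLES = [
    "Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling",
    "Mitigation: Retpolines, IBPB: always-on, IBRS_FW, STIBP: forced, RSB filling",
    "Vulnerable",
]

def parse_spectre_v2(line):
    """Split a status line into {'Mitigation': ..., 'IBPB': ..., 'flags': [...]}."""
    fields = [f.strip() for f in re.split(r"[;,]", line.strip()) if f.strip()]
    state = {"flags": []}
    for field in fields:
        key, sep, value = field.partition(":")
        if sep:
            state[key.strip()] = value.strip()
        else:
            state["flags"].append(field)  # e.g. "IBRS_FW", "RSB filling"
    return state

def review(line):
    """Return findings relevant to the IBPB recommendation discussed above."""
    state = parse_spectre_v2(line)
    findings = []
    if "Mitigation" not in state:
        findings.append("no Spectre v2 mitigation reported")
    ibpb = state.get("IBPB", "not reported")
    if ibpb != "always-on":
        # "conditional" means the barrier is issued only for opted-in tasks.
        findings.append(f"IBPB is '{ibpb}', not issued on every switch between processes")
    return findings

if __name__ == "__main__":
    # Use the live sysfs value when present, otherwise the constructed samples.
    lines = [SYSFS.read_text()] if SYSFS.exists() else SAMPLES
    for line in lines:
        state = parse_spectre_v2(line)
        print(line.strip())
        print("  STIBP:", state.get("STIBP", "not reported"))
        print("  findings:", review(line) or "none")
```
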

The researchers shared their findings with Intel in February 2024, prompting the company to notify other affected hardware and software vendors about the vulnerability. This discovery underscores the importance of ongoing scrutiny and improvement of hardware components to stay ahead of potential threats in the ever-evolving landscape of cybersecurity.
