2018-03-28

SECURITY RESEARCHERS from numerous US universities have joined forces to reveal yet another branch prediction processor attack affecting CPUs, similar to the Spectre processor flaw uncovered earlier this year.
Dubbed BranchScope and spotted by Ars Technica, the hack was found by researchers from the College of William and Mary, Carnegie Mellon, the University of California Riverside and Binghamton University, and is said to expose sensitive system data by exploiting modern processor operations.
The researchers said in a collective report that the attack uses some of the same predictive execution vulnerabilities as Spectre, exploiting the branch predictors of chips by using them to inadvertently leak sensitive information.

"BranchScope [is] a new side-channel attack where the attacker infers the direction of an arbitrary conditional branch instruction in a victim program by manipulating the shared directional branch predictor," the universities declared.

"The directional component of the branch predictor stores the prediction on a given branch (taken or not-taken) and is a different component from the branch target buffer (BTB) attacked by previous work."

The security researchers said that BranchScope is the first fine-grained attack on the directional branch predictor, which has helped to expand their understanding of the side channel vulnerability of the branch prediction unit.

They demonstrated how the attack works by testing it on several Intel processors and found that the root cause of the branch-based attacks is the execution of branch instructions that are conditioned on the state of secret data.

"Our attack targeted complex hybrid branch predictors with unknown organisation. We demonstrated how an attacker can force these predictors to switch to a simple 1-level mode to simplify the direction recovery," the researchers' report stated.
The university researchers said there are several possible ways to mitigate the attack, including "algorithmically removing" the dependency of branch outcomes on secret data. However, they concluded that such protection is hard to apply across large code bases, so in practice it can only be limited to the key parts of a program that operate on sensitive data.
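One concrete instance of that "algorithmic removal" is to replace a secret-dependent conditional with branchless arithmetic. The C code below is an added illustration written for this article, not code from the BranchScope paper or from Intel; the 16-byte token and the function names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Leaky version: the loop exits at the first mismatch, so whether the branch
   "secret[i] != guess[i]" is taken depends on secret data; a directional
   branch-predictor side channel can recover that outcome byte by byte. */
int compare_branchy(const uint8_t *secret, const uint8_t *guess, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (secret[i] != guess[i])
            return 0;
    }
    return 1;
}

/* Branchless version: every byte is visited and differences are OR-accumulated,
   so no branch outcome depends on the secret. Returns 1 on match, else 0. */
int compare_branchless(const uint8_t *secret, const uint8_t *guess, size_t len)
{
    uint32_t diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= (uint32_t)(secret[i] ^ guess[i]);
    /* diff is 0..255; (diff - 1) >> 8 is 1 only when diff == 0 (unsigned wrap). */
    return (int)(((diff - 1u) >> 8) & 1u);
}

/* Branchless select: yields a when secret_bit is 1 and b when it is 0,
   replacing "if (secret_bit) x = a; else x = b;" with mask arithmetic. */
uint32_t ct_select_u32(uint32_t secret_bit, uint32_t a, uint32_t b)
{
    uint32_t mask = 0u - (secret_bit & 1u);  /* all ones or all zeros */
    return (a & mask) | (b & ~mask);
}

/* Self-check on a constructed token: returns 1 when both comparison versions
   agree on a match and on a one-byte mismatch, and the select is correct. */
int branchscope_demo(void)
{
    uint8_t token[16], guess[16];                /* constructed 16-byte secret */
    for (size_t i = 0; i < 16; i++)
        token[i] = (uint8_t)(0x10 + i);
    memcpy(guess, token, 16);
    int ok = compare_branchy(token, guess, 16) && compare_branchless(token, guess, 16);
    guess[15] ^= 0x01;                            /* flip the last byte */
    ok = ok && !compare_branchy(token, guess, 16) && !compare_branchless(token, guess, 16);
    return ok && ct_select_u32(1u, 7u, 9u) == 7u && ct_select_u32(0u, 7u, 9u) == 9u;
}
```

After compiling, inspect the generated assembly (for example with objdump), because an optimiser can turn the mask idiom back into a conditional jump and silently reintroduce the secret-dependent branch.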

As a result, it could take a number of years to fully discover and patch the bugs associated with this particular form of branch speculation.

However, Intel effectively brushed off the new security concerns.

"We have been working with these researchers and we have determined the method they describe is similar to previously known side channel exploits," the chipmaker said.

"We anticipate that existing software mitigations for previously known side channel exploits, such as the use of side channel resistant cryptography, will be similarly effective against the method described in this paper."

So these new flaws may not be such a big deal after all, but time will tell. µ