You can now find Cyber Kendra on Google News!

Newly Uncovered "Branch History Injection" Attack Bypass Spectre Mitigations

New side-channel attack dropped, Native BHI Attack

A team of cybersecurity researchers has unveiled a new variant of the notorious Spectre v2 vulnerability, dubbed "Branch History Injection" (BHI) or "Spectre-BHB."

This groundbreaking discovery highlights the limitations of the hardware-based mitigations implemented by industry giants Intel and Arm to protect against cross-privilege Spectre v2 attacks. The findings, which are set to be presented at the esteemed USENIX Security Symposium 2022

Spectre v2, also known as Branch Target Injection (BTI), is considered one of the most dangerous transient execution vulnerabilities. It allows attackers to abuse branch mispredictions to leak sensitive data across privilege boundaries, such as from the kernel to user space.

In response, hardware vendors like Intel and Arm deployed mitigations (eIBRS and CSV2, respectively) to isolate indirect branch predictions between different privilege levels.

Branch History Injection: Exposing the Chinks in the Armor

However, the researchers discovered that while eIBRS and CSV2 do prevent direct injection of branch targets from lower to higher privilege levels, the isolation they provide is incomplete.

The team found that these hardware mitigations fail to fully isolate all branch prediction history states between privilege levels. Specifically, they identified that the global branch history, which plays a crucial role in influencing branch target predictions, can still be poisoned from user space to manipulate kernel-level branch predictions.

The researchers have dubbed this new cross-privilege Spectre v2 variant "Branch History Injection." With BHI, although attackers cannot directly inject branch targets, they can still manipulate the global branch history from user space.

Visualization of our BHI exploit

This allows them to influence kernel branch predictions and trick the kernel into speculatively executing "interesting" kernel gadgets that can leak data. In other words, user space can still gain some control over speculative execution in higher privileged contexts like the kernel.

Demonstrating BHI Attack: Proof-of-Concept Exploits

To underscore the gravity of Branch History Injection, the researchers developed proof-of-concept (PoC) exploits that leverage the technique to leak arbitrary kernel memory in Intel processors with eIBRS enabled.

These PoCs not only showcase the effectiveness of BHI but also challenge the widely held assumption that same-privilege-level Spectre v2 attacks are impractical.

The researchers further demonstrated the feasibility of "intra-mode" attacks, such as kernel-to-kernel, without requiring any user space branch history injection.

Affected Processors and Vendor Response

According to the research team, a wide range of Intel CPUs are vulnerable to Branch History Injection, with only some Atom models remaining unaffected. Arm has also confirmed that several of their designs, including the Cortex-A72, Cortex-A76, Cortex-X1, Neoverse N1, and others, are impacted by this vulnerability. In contrast, AMD processors appear to be immune to BHI.

In response to these findings, both Intel and Arm have swiftly published security advisories and whitepapers detailing the issues and releasing software mitigations to address the vulnerability.

Furthermore, the Linux kernel will now disable unprivileged eBPF functionality by default, as it can be exploited to facilitate these attacks.

Implications and Recommendations

The discovery of Branch History Injection serves as a stark reminder that even with the advent of advanced hardware-based Spectre v2 defenses like eIBRS and CSV2, a significant residual attack surface remains. While these mitigations undoubtedly raise the bar for attackers, they are not an impenetrable shield.x

In light of these findings, the researchers recommend re-enabling software mitigations, such as retpolines, even on systems equipped with the latest hardware defenses. They also advise further reducing the speculative execution attack surface by disabling user access to eBPF functionality in the kernel by default.

As speculative execution vulnerabilities continue to present ongoing security challenges, the Branch History Injection research serves as a critical reminder for the security community to rigorously analyze and test the security boundaries and residual attack surface of both software and hardware-based mitigations. Speculative execution threats are here to stay and require multilayered, defense-in-depth approaches.

The revelation of Branch History Injection [PDF] marks a significant milestone in the ongoing battle against speculative execution vulnerabilities. It serves as a clarion call for hardware manufacturers, software developers, and security researchers to collaborate closely and remain vigilant in the face of ever-evolving threats.

As the cybersecurity landscape continues to shift, we must learn from discoveries like BHI and strive to develop more robust, comprehensive, and resilient defenses.

Only by staying one step ahead of potential adversaries can we hope to safeguard the digital realm and protect the sensitive data that lies at the heart of our interconnected world.

Post a Comment