A team of researchers from the College of William & Mary, the University of California Riverside, Carnegie Mellon University in Qatar and Binghamton University has demonstrated a new side-channel attack, named BranchScope, that affects Intel CPUs.
BranchScope vulnerability in Intel CPUs
The bad news is that although BranchScope belongs to the same family of microarchitectural side-channel attacks as Meltdown and Spectre, the researchers report that the patches released for Spectre and Meltdown do not close this channel. An attacker who exploits it can infer sensitive information from a victim process that is not directly readable from the attacker's own process. The attack is local: the attacker must already be able to run code on the targeted system, and that code must run on the same physical core as the victim so that the two share the branch predictor. Elevated privileges are not required; an ordinary user-level process suffices.
The attack has been demonstrated on Intel Core i5 and i7 CPUs from the Sandy Bridge, Haswell and Skylake generations. It also works when the targeted application runs inside an Intel SGX (Software Guard Extensions) enclave. SGX is a hardware-based isolated execution environment designed to keep enclave code and data from being disclosed to anything outside the enclave, including a compromised operating system; side channels such as the branch predictor, however, fall outside the protections SGX guarantees, which is why the enclave does not help here.
BranchScope is related to Spectre in that both abuse the branch prediction unit, but the mechanism differs. Spectre feeds the predictor misleading history so that the victim speculatively executes code it should not, and then reads the result out of the cache. BranchScope instead treats the shared directional predictor itself as the side channel: the attacker puts the predictor entry used by a secret-dependent victim branch into a known state, lets the victim run, then executes its own branch that maps to the same entry and checks whether that branch was mispredicted, which reveals the direction the victim's branch took. Branch prediction units (BPUs) exist to keep pipelined processors busy, and the state they keep in order to do so is exactly what leaks.
The BPU has two main components: a branch target buffer (BTB), which predicts the destination address of a taken branch, and a directional predictor, which predicts whether a conditional branch will be taken at all. Manipulating either can leak data; earlier branch-predictor side channels targeted the BTB, whereas BranchScope is the first to recover fine-grained information from the directional predictor. Intel has also released a video describing how attacks of this class work.
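To make the prime/victim/probe idea concrete, here is a small simulation added for this article; it is not the researchers' code. It models a directional predictor entry as a 2-bit saturating counter (the usual SN/WN/WT/ST scheme) and assumes the attacker's spy branch and the victim's secret-dependent branch alias to the same entry, which is what co-location on one physical core buys the attacker; a single shared `pht_state` variable stands in for that. On real hardware the attacker would detect its own misprediction with `rdtscp` timing or performance counters; the model simply reports it. The branchless victim at the end shows why "side channel resistant" (constant-time, branch-free) code, as referenced in Intel's statement, defeats the attack: it never touches the shared entry, so the probe learns nothing.

```c
/* BranchScope prime/victim/probe protocol, simulated against a 2-bit
 * saturating-counter pattern history table (PHT) entry.
 * Simulation written for this article; assumptions: shared entry, 2-bit
 * counter, attacker can observe its own mispredictions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { SN = 0, WN = 1, WT = 2, ST = 3 } pht_state; /* strongly/weakly not-taken/taken */

/* The two "taken" states predict taken. */
static bool predict(pht_state s) { return s >= WT; }

/* Resolve a branch: update the counter, report whether the prediction was wrong. */
static bool resolve(pht_state *s, bool taken)
{
    bool mispredicted = (predict(*s) != taken);
    if (taken && *s < ST)
        *s = (pht_state)(*s + 1);
    else if (!taken && *s > SN)
        *s = (pht_state)(*s - 1);
    return mispredicted;
}

/* Stage 1 (prime): drive the shared entry to WT from any starting state, so a
 * single victim execution moves it to ST (taken) or WN (not taken). */
static void prime(pht_state *s)
{
    resolve(s, true);
    resolve(s, true);
    resolve(s, true);  /* ST */
    resolve(s, false); /* WT */
}

/* Stage 2 (victim): a leaky victim executes "if (bit) { ... }" once. */
static void victim_leaky(pht_state *s, int bit)
{
    resolve(s, bit != 0);
}

/* Hardened victim: selects with a mask, executes no secret-dependent branch,
 * so the shared predictor entry is never updated. */
static int victim_branchless(pht_state *s, int bit, int a, int b)
{
    (void)s;
    int mask = -(bit & 1); /* all ones if bit set, else zero */
    return (a & mask) | (b & ~mask);
}

/* Stage 3 (probe): execute the spy branch taken once. From ST it is predicted
 * correctly, from WN it is mispredicted, so victim_taken == !mispredicted. */
static bool probe(pht_state *s)
{
    return !resolve(s, true);
}

/* Recover one byte from the leaky victim, one bit per prime/victim/probe round. */
uint8_t recover_byte_leaky(uint8_t secret)
{
    pht_state pht = SN; /* shared entry; initial state is irrelevant after prime */
    uint8_t recovered = 0;
    for (int i = 7; i >= 0; i--) {
        prime(&pht);
        victim_leaky(&pht, (secret >> i) & 1);
        recovered = (uint8_t)((recovered << 1) | (probe(&pht) ? 1 : 0));
    }
    return recovered;
}

/* Same attack against the branchless victim: every probe sees the primed
 * state, so the "recovered" value does not depend on the secret. */
uint8_t recover_byte_branchless(uint8_t secret)
{
    pht_state pht = SN;
    uint8_t recovered = 0;
    for (int i = 7; i >= 0; i--) {
        prime(&pht);
        (void)victim_branchless(&pht, (secret >> i) & 1, 1, 2);
        recovered = (uint8_t)((recovered << 1) | (probe(&pht) ? 1 : 0));
    }
    return recovered;
}

int main(void)
{
    uint8_t secret = 0xA5;
    printf("leaky victim:      secret=0x%02x recovered=0x%02x\n", secret, recover_byte_leaky(secret));
    printf("branchless victim: secret=0x%02x recovered=0x%02x\n", secret, recover_byte_branchless(secret));
    return 0;
}
```

Against the leaky victim the attacker recovers the byte exactly; against the branchless victim every probe returns the same answer regardless of the secret. In the real attack each round is noisier (the victim may run more than once, other branches may alias to the entry, and the misprediction has to be inferred from timing), which is why the researchers repeat measurements, but the inference step is the one modelled here.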
The researchers' paper summarises the contribution as follows:
BranchScope is the first fine-grained attack on the directional branch predictor, expanding our understanding of the side channel vulnerability of the branch prediction unit.
Intel issued the following statement by email:
We have been working with these researchers and we have determined the method they describe is similar to previously known side channel exploits. We anticipate that existing software mitigations for previously known side channel exploits, such as the use of side channel resistant cryptography, will be similarly effective against the method described in this paper. We believe close partnership with the research community is one of the best ways to protect customers and their data, and we are appreciative of the work from these researchers.
Other researchers have also recently demonstrated new variants of Spectre and Meltdown, named SgxPectre, MeltdownPrime and SpectrePrime.