University security researchers have revealed yet-another branch prediction processor attack affecting computer CPUs, similar to the Spectre processor flaw uncovered earlier this year.
Dubbed BranchScope and spotted by Ars Technica, the hack was found by researchers from the College of William and Mary, Carnegie Mellon, the University of California Riverside and Binghamton University, and is said to expose sensitive system data by exploiting modern processors.
The researchers said in a collective report that the attack uses some of the same predictive execution vulnerabilities as Spectre, exploiting the branch predictors of chips by using them to inadvertently leak sensitive information.
"BranchScope [is] a new side-channel attack where the attacker infers the direction of an arbitrary conditional branch instruction in a victim program by manipulating the shared directional branch predictor," the universities declared.
"The directional component of the branch predictor stores the prediction on a given branch (taken or not-taken) and is a different component from the branch target buffer (BTB) attacked by previous work."
The security researchers said that BranchScope is the first fine-grained attack on the directional branch predictor, which has helped to expand their understanding of the side channel vulnerability of the branch prediction unit.
They demonstrated how the attack works by testing it on several Intel processors and found that the root cause of the branch-based attacks is the execution of branch instructions that are conditioned on the state of secret data.
"Our attack targeted complex hybrid branch predictors with unknown organisation. We demonstrated how an attacker can force these predictors to switch to a simple 1-level mode to simplify the direction recovery," the researchers' report stated.
The university professors said there are several possible solutions in mitigating the attack, including "algorithmically removing" dependencies of branch outcomes on secret data.
However, they concluded that it is challenging to apply such protection to large code bases as this mechanism can only be limited to the key parts of programs operating with sensitive data.
As a result, it seems it could take quite a number of years to fully discover and patch the bugs associated with this specific branch speculative execution.
Geoengineering on the sea floor near glaciers would form a new ice shelf to prevent melting
Alterations in capillary blood flow can be caused by body position change
Curiosity rover is in 'normal mode' but not transmitting scientific data back to base
NatWest outage comes a day after Barclays' IT systems shut out customers and staff