Intel processors vulnerable to Indirector attack
Intel processors, including the Alder Lake and Raptor Lake families, are facing a new type of attack called Indirector, a method for stealing sensitive information. Researchers at the University of California, San Diego have investigated it, and the details will be presented at the USENIX Security Symposium in 08/2024. The attack affects Intel Raptor Lake and Alder Lake, the 12th and 13th generation of Core processors. Intel reported the problem as early as 02/2024 and sent Indirector notices to other hardware and software vendors.
Indirector exploits weaknesses in the Indirect Branch Predictor (IBP) and the Branch Target Buffer (BTB), two key components of Intel processor hardware, by manipulating speculative execution to extract data.
Researchers have identified problems in the functioning of the IBP and BTB systems related to the indexing, tagging, and data sharing processes. In addition, the systems have a predictable structure, which is another loophole for attackers.
Indirector uses several methods to conduct attacks:
- A custom iBranch Locator tool that identifies the indexes and tags of victim branches and accurately locates the IBP entries for specific branches.
- Targeted IBP/BTB injections that steer speculative code execution.
- Bypassing ASLR (Address Space Layout Randomization) by determining the exact location of indirect branches and their targets, which makes it easier to predict and manipulate the control flow of protected processes.
There are two key methods to protect against Indirector: actively applying the Indirect Branch Prediction Barrier (IBPB) and strengthening the Branch Prediction Unit (BPU) with more sophisticated tagging, encryption, and randomization mechanisms. However, such measures can have a significant impact on performance, especially when IBPB is used, so the balance between security and performance must be tuned carefully.
In Linux, IBPB is applied automatically when a task enters SECCOMP mode or when it has restricted indirect branch speculation in the kernel, at the cost of a 50% performance degradation. A proof of concept and tools are available on GitHub to implement the types of protection described above.
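As an added example (not part of the original article or the researchers' tooling), the script below reads the kernel's own spectre_v2 mitigation report on a Linux host and tells an administrator which IBPB mode is in effect for user tasks; the sysfs path is the real one, while the sample status strings used for the offline check are constructed.

```shell
#!/bin/sh
# Added example: report whether the kernel applies IBPB (the mitigation
# the article names) for user-space tasks. The sysfs path is the real
# Linux location; sample strings in the test are constructed.

SPECTRE_V2_FILE=/sys/devices/system/cpu/vulnerabilities/spectre_v2

# ibpb_mode STATUS_LINE -> prints one of: always-on, conditional, disabled, none, unknown
# "IBPB: conditional" is what the kernel reports for spectre_v2_user=seccomp
# or =prctl (barrier only for seccomp/prctl-restricted tasks, as the article
# describes); "IBPB: always-on" means spectre_v2_user=on (barrier on every
# context switch, the expensive setting).
ibpb_mode() {
    status="$1"
    case "$status" in
        *"IBPB: always-on"*)   echo "always-on" ;;
        *"IBPB: conditional"*) echo "conditional" ;;
        *"IBPB: disabled"*)    echo "disabled" ;;
        Vulnerable*)           echo "none" ;;
        *)                     echo "unknown" ;;
    esac
}

# cpu_has_ibpb FLAGS_LINE -> returns 0 if the CPU advertises the ibpb
# capability (the "flags" line of /proc/cpuinfo), 1 otherwise.
cpu_has_ibpb() {
    case " $1 " in
        *" ibpb "*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Live check on the current host; degrades gracefully off Linux.
report_host() {
    if [ -r "$SPECTRE_V2_FILE" ]; then
        line=$(cat "$SPECTRE_V2_FILE")
        echo "spectre_v2: $line"
        echo "IBPB mode for user tasks: $(ibpb_mode "$line")"
    else
        echo "$SPECTRE_V2_FILE not present (not Linux, or sysfs unavailable)"
    fi
}

report_host
```

A result of "conditional" means only seccomp/prctl-restricted tasks get the barrier; "always-on" is the setting that carries the performance cost the article mentions.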
04 Jul 2024, 19:41:46