BranchScope attack successfully demonstrated on several Intel CPUs

William Gayde

Posts: 381   +5
Staff member

Security researchers at several American universities have collectively discovered another attack that can expose sensitive system data by exploiting modern CPUs. The attack, known as BranchScope, uses some of the same predictive execution vulnerabilities that Spectre did and shows just how problematic they can be.

Modern processors are extremely complicated pieces of technology with many internal components like registers, caches and branch predictors to store internal states and to help speed up the execution of instructions. This type of security flaw exploits the branch predictors by using them to inadvertently leak sensitive information.

These branch predictors allow the processor to execute ahead of the current instruction in an attempt to guess what data the program will need in the future. For example, if a program was comparing two values and executing code based on the return value, the processor might speculatively execute the code for if the two values matched as well as the code for if they didn't match. When the program actually needed the result, the processor would already have the results stored and it could just get rid of the other, unneeded value.

Unfortunately, these unneeded values were not always cleared properly. By using specially crafted code, an attacker can leak sensitive information like encryption keys. While Spectre exploited the Branch Target Buffer, a buffer that stores the target of a branch, BranchScope takes advantage of the Pattern History Table. The PHT keeps a tally of how accurate the processor has been at guessing previous branches to help make the decision of whether or not to take a future branch.

Peter Bright from Ars Technica gives the following detailed explanation for the bug:

For Spectre 2, an attacker primes the BTB, carefully executing branch instructions so that the BTB has a predictable content with a target instruction that will, if speculatively executed, disturb the processor's cache in a detectable way. The victim program then runs and makes a branch. The attacker then checks to see if the cache was disturbed; the measurement of that disturbance leaks information.

In the new attack, an attacker primes the PHT and [runs] branch instructions so that the PHT will always assume a particular branch is taken or not taken. The victim code then runs and make a branch, which is potentially disturbing the PHT. The attacker then runs more branch instructions of its own to detect that disturbance to the PHT; the attacker knows that some branches should be predicted in a particular direction and tests to see if the victim's code has changed that prediction.

Engineers are really good at designing processors to be fast and efficient but implementing these designs is very difficult and can easily lead to bugs. The researchers aren't sure how widespread BranchScope will be, but just like with Spectre, it still requires the attacker to be able to execute code on the victim's computer.

It could take months or even years to fully discover and patch the bugs associated with speculative execution.

Permalink to story.



Posts: 1,960   +1,559
I work in a secure NOC - it’s my job to keep the systems of a FTSE 100 company secure and reading about this isn’t much different to when I go to bed and I pick up a science fiction book. As far as I am aware there have been zero confirmed breaches from any of the vulnerabilities that hit the headlines over the last few months. All it seems to be doing is fuelling the online mob that seem to want to have a deep irrational hatred for Intel, acting like social justice warriors of the tech community and usually wielding links to the rather obviously biased AdoredTV.

The fact is every single chip out there have potentially huge vulnerabilities in them. This includes AMD chips. We just haven’t discovered them yet.

The online community appear to be using vulnerabilities in the whole Intel vs AMD “war” and it bothers me. Buying any brand of CPU won’t matter if you don’t know how to keep your systems secure. As with most things in the IT world, 99 times out of 100 the issue is user error.

But finally, really we know these vulnerabilities aren’t anything to worry about because they are mainstream press. If it was an actual risk it would never have been public.

Then we get bizarre situations like amdflaws which was quite obviously a troll designed to mock the whole spectre/meltdown press debacle and trigger the AMD fans/bloggers. Something which we all should have found obvious. But what confused me is that AMD announced it was releasing patches? What? What exactly are they adressing here? Does the patch block access to the amdflaws webpage? Or was Ryzenfall (lmao) a legitimate flaw!?

I look forward to the next chapter of the media narrative on this, it certainly beats the walking dead. If only the press knew about the actual breaches that occur, they might get excited but probably not. Actually systems are more secure now than they have ever been.


Posts: 5,173   +4,039
TechSpot Elite
Just of curiosity, it's just affecting Intel?
Since it's in a way similar to Spectre 2 it might theoretically possible to target AMD CPUS although we have yet to see someone do it in the wild.
From what I've read it should be a fairly easy fix for Intel since it can be mitigated with patches for both the hardware side and software side.