Branch Privilege Injection (CVE-2024-45332) on Intel: Intel's hardware mitigations against branch target injection attacks (Spectre-BTI) have held for 6 years. But a race condition in Intel CPUs can break these mitigations.
- Main insight: Branch predictors on Intel processors are updated asynchronously to the instruction stream, and there is insufficient synchronization during security-critical operations. This leads to Branch Predictor Race Conditions.
- End-to-end attack: An end-to-end Branch Privilege Injection attack leaks arbitrary memory at 5.6 KiB/s on an up-to-date Ubuntu 24.04 with all default mitigations enabled.
Affected Mitigations:
- eIBRS: Introduced with the 9th generation (Coffee Lake Refresh) to separate indirect branch prediction between different security domains.
- IBPB: Provides a mechanism to invalidate all indirect branch predictions in certain scenarios. Both mitigations have race conditions that can invalidate their security guarantees.
- Mitigations against Branch Predictor Race Conditions: Intel developed a microcode update for affected processors (evaluated on Alder Lake with up to 2.7% overhead). The authors also evaluated several software mitigation strategies, with overheads between 1.6% and 8.3%.
- Resources: A paper about Branch Privilege Injection will be presented at USENIX Security 2025, and there will be a talk at Black Hat USA 2025. Source code is available on GitHub.
FAQ:
- Am I affected? All Intel processors since the 9th generation (Coffee Lake Refresh) are affected. Predictions bypassing IBPB were also observed on 7th generation (Kaby Lake) processors.
- Are other vendors affected? No, only Intel CPUs are affected. Analyses on AMD and ARM systems found no issues.
- Is only Linux affected? While the proof-of-concept attack is for Linux, the underlying hardware issue affects all operating systems on affected hardware.
- What can I do? Install the latest operating system and BIOS updates.
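The FAQ above tells a Linux administrator which hardware is in scope and to install updates, but not how to read the relevant facts off a running host. The following POSIX shell script is an added example (it is not part of the advisory, the paper, or the project's published code): it extracts vendor, family, model, stepping and microcode revision from a `/proc/cpuinfo`-formatted file, flags Intel family 6 parts as "possibly affected" (the family number alone cannot distinguish generations, so a hit means "check model, stepping and microcode against the list above", not "confirmed affected"), and dumps whatever mitigation status the kernel reports under `/sys/devices/system/cpu/vulnerabilities/`. The embedded `SAMPLE_CPUINFO` block is constructed for the demo and is not a capture from a real machine.

```shell
#!/bin/sh
# Added example, not code from the advisory or the project. Assumes a stock
# Linux layout: /proc/cpuinfo and /sys/devices/system/cpu/vulnerabilities/.

# Print "vendor family model stepping microcode" for the first CPU listed in
# a /proc/cpuinfo-formatted file (first occurrence of each field wins).
cpu_summary() {
    awk -F': *' '
        /^vendor_id/          && !v { v=$2 }
        /^cpu family/         && !f { f=$2 }
        /^model[ \t]*:/       && !m { m=$2 }
        /^stepping/           && !s { s=$2 }
        /^microcode/          && !u { u=$2 }
        END { printf "%s %s %s %s %s\n", v, f, m, s, u }
    ' "$1"
}

# Return 0 (true) when the CPU is Intel family 6, which covers every
# generation the advisory names (Kaby Lake, Coffee Lake Refresh and later).
# This is a coarse filter: AMD and ARM hosts are excluded, Intel hosts are
# "possibly affected" and still need model/stepping and microcode checked.
possibly_affected() {
    set -- $(cpu_summary "$1")
    [ "$1" = "GenuineIntel" ] && [ "$2" = "6" ]
}

# Print "<file>: <contents>" for each entry the kernel exposes in the
# vulnerabilities directory (spectre_v2 and friends). Path is overridable
# so the function can be exercised against a constructed directory.
mitigation_status() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    [ -d "$dir" ] || { echo "no vulnerabilities directory at $dir"; return 1; }
    for f in "$dir"/*; do
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Constructed sample in /proc/cpuinfo format; the numbers are illustrative
# and not taken from any real host.
SAMPLE_CPUINFO='processor       : 0
vendor_id       : GenuineIntel
cpu family      : 6
model           : 158
model name      : constructed sample entry
stepping        : 13
microcode       : 0xf6'

case "${1:-}" in
  --live)
    # Inspect the running host.
    cpu_summary /proc/cpuinfo
    if possibly_affected /proc/cpuinfo; then
        echo "Intel family 6 detected: possibly affected, verify microcode/BIOS level"
    else
        echo "not an Intel family 6 CPU: out of scope for this advisory"
    fi
    mitigation_status
    ;;
  *)
    # Default: demonstrate on the constructed sample only.
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_CPUINFO" > "$tmp"
    cpu_summary "$tmp"
    rm -f "$tmp"
    ;;
esac
```

Run it as `sh check_bprc.sh --live` on the host to inspect the real `/proc/cpuinfo` and sysfs entries; without arguments it only processes the constructed sample. Compare the reported `microcode` value against the revision your vendor's BIOS or the `intel-microcode` package ships after the fix, since the sysfs strings alone do not tell you whether the Branch Predictor Race Condition microcode is loaded.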