Previous security research has mainly focused on two components of CPU branch prediction, the branch target buffer (BTB) and the return stack buffer (RSB). The Indirector attack instead targets a third component, the indirect branch predictor (IBP), which stores the predicted target addresses of indirect branches.
“Indirect branches are instructions for directed control flow whose address is calculated at runtime, making it challenging to predict accurately,” the UCSD researchers wrote. “IBP uses a combination of global history and branch address to predict the target address of indirect branches. By analyzing the structure and function of IBP, we identify vulnerabilities that can be used to launch a direct branch target attack (BTI).”
The researchers reverse-engineered the IBP on high-end Intel CPUs and developed a tool called iBranch Locator that can pinpoint where a target process’s indirect branch is located within the IBP set. This allowed them to develop two attacks that could accurately inject arbitrary target addresses into the IBP or the BTB.