Newer Intel CPUs vulnerable to new "Indirector" attack — Spectre-style attacks risk stealing sensitive data; Intel says no new mitigations required

Intel Alder Lake Mobile CPU
(Image credit: Intel)

Unprotected Intel Raptor Lake and Alder Lake CPUs are vulnerable to a newly discovered side-channel attack called "Indirector," which risks stealing sensitive data from the CPU. Indirector is closely related to the Spectre vulnerabilities, which set the tech world on fire in 2018, and the new paper presents for the first time a detailed diagram of two of the key components inside Intel processors that enable speculative execution. Intel told Tom's Hardware in a statement that these vulnerabilities are covered by its existing mitigation advice (more below). 

Luyi Li, Hosein Yavarzadeh, and Dean Tullsen, all researchers from the University of California, San Diego, first discovered the weakness and shared their initial findings here. A full presentation of the paper will be given at the USENIX Security Symposium in August. The attacks are high-precision Branch Target Injections (BTI), a family of side-channel attacks also referred to as "Spectre-V2". The Indirector name specifically refers to attacks targeting the Indirect Branch Predictor (IBP) and Branch Target Buffer (BTB), two pieces of hardware found on new high-end Intel processors. 

Spectre-like vulnerabilities are dangerous because they allow undetected and free access to information being processed inside a CPU through side-channel attacks. These attacks aren't detectable by anti-virus software, as the processor continues to operate as expected. The specific side-channel attack exploits branch prediction, a predictive operation inside the CPU trying to guess where if-then structures (branches) will go. If performed inefficiently, branch prediction leaves behind caches and other data, which may include encryption keys, passwords, or similar sensitive data. A more detailed explanation of Spectre can be found here

Indirector is a Spectre-V2 attack that hits on the flaws in the previously mentioned IBP and BTB. The IBP and BTB were previously mysterious parts of the new Intel microarchitecture. Still, the UCSD paper presents for the first time a comprehensive picture of the two components, including their size and structure and exactly how their inefficient flaws allow attackers access to sensitive data. 

Intel was informed by the paper authors of the vulnerability in February. Intel responded to our queries and provided the following statement:

“Intel reviewed the report submitted by academic researchers and determined previous mitigation guidance provided for issues such as IBRS, eIBRS and BHI are effective against this new research and no new mitigations or guidance is required.”

 Intel technical mitigation guidance:

·        BHI: https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/branch-history-injection.html

·        IBRS, eIBRS: https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/speculative-execution-side-channel-mitigations.html#IBRS"

The authors also recommend two strategies for mitigating the attacks: more aggressive use of an Indirect Branch Predictor Barrier (IBPB) and boosting the randomization and encryption of the BTB. These are imperfect solutions, especially considering the IBPB is nerfed on the Linux kernel due to its negative effect on performance. According to the study, Intel has already incorporated parts of the fixes into newer CPU designs.

Those interested in the attacks, more specifically, can read the full technical paper here. The authors also provide their Github repo containing tools to reverse-engineer the vulnerability and attack proof-of-concepts. 

Dallin Grimm
Contributing Writer

Dallin Grimm is a contributing writer for Tom's Hardware. He has been building and breaking computers since 2017, serving as the resident youngster at Tom's. From APUs to RGB, Dallin has a handle on all the latest tech news. 

  • bit_user
    The article said:
    Intel says current fixes are just fine.
    Cynical take: the reason Intel doesn't want to mitigate is that they don't yet have any newer CPUs on the market. Once that changes, they might be all over mitigating this to slow down the older products, thus creating additional benefits for existing users who upgrade.
    Reply
  • Skramblr
    I was thinking, WTF is 'nerfed'? Had to google it. Never heard that slang term before. Is this a common term and I'm just clueless?
    Reply
  • t3t4
    bit_user said:
    Cynical take: the reason Intel doesn't want to mitigate is that they don't yet have any newer CPUs on the market. Once that changes, they might be all over mitigating this to slow down the older products, thus creating additional benefits for existing users who upgrade.
    That would be exceptionally evil, if ever proven true. And if ever proven, I'd ban Intel for life from all my friends and family!
    Reply
  • Skramblr
    Intel is going to sabotage their own product line to allow AMD to completely trounce them in benchmarks and completely dominate the CPU market. Really?
    Reply
  • bit_user
    Skramblr said:
    I was thinking, WTF is 'nerfed'? Had to google it. Never heard that slang term before. Is this a common term and I'm just clueless?
    It's certainly not new to me. I've even heard it used in this context, on multiple occasions.
    Reply
  • bit_user
    t3t4 said:
    That would be exceptionally evil, if ever proven true. And if ever proven, I'd ban Intel for life from all my friends and family!
    Maybe I'll look for it, but we've seen at least one example of when they've released a mitigation for a known vulnerability in previous-gen products sometime well after the vulnerability was known. I just don't recall if the announcement of the vulnerability happened before they launched anything newer. Even then, you can't ascribe intent just from that.

    Anyway, let's see what happens with this one.
    Reply