BranchScope attack successfully demonstrated on several Intel CPUs

Security researchers at several American universities have collectively discovered another attack that can expose sensitive system data by exploiting modern CPUs. The attack, known as BranchScope, uses some of the same predictive execution vulnerabilities that Spectre did and shows just how problematic they can be.

Modern processors are extremely complicated pieces of technology with many internal components like registers, caches and branch predictors to store internal states and to help speed up the execution of instructions. This type of security flaw exploits the branch predictors by using them to inadvertently leak sensitive information.

These branch predictors allow the processor to execute ahead of the current instruction in an attempt to guess what data the program will need in the future. For example, if a program was comparing two values and executing code based on the return value, the processor might speculatively execute the code for if the two values matched as well as the code for if they didn't match. When the program actually needed the result, the processor would already have the results stored and it could just get rid of the other, unneeded value.

Unfortunately, these unneeded values were not always cleared properly. By using specially crafted code, an attacker can leak sensitive information like encryption keys. While Spectre exploited the Branch Target Buffer, a buffer that stores the target of a branch, BranchScope takes advantage of the Pattern History Table. The PHT keeps a tally of how accurate the processor has been at guessing previous branches to help make the decision of whether or not to take a future branch.

Peter Bright from Ars Technica gives the following detailed explanation for the bug:

For Spectre 2, an attacker primes the BTB, carefully executing branch instructions so that the BTB has a predictable content with a target instruction that will, if speculatively executed, disturb the processor's cache in a detectable way. The victim program then runs and makes a branch. The attacker then checks to see if the cache was disturbed; the measurement of that disturbance leaks information.

In the new attack, an attacker primes the PHT and [runs] branch instructions so that the PHT will always assume a particular branch is taken or not taken. The victim code then runs and make a branch, which is potentially disturbing the PHT. The attacker then runs more branch instructions of its own to detect that disturbance to the PHT; the attacker knows that some branches should be predicted in a particular direction and tests to see if the victim's code has changed that prediction.

Engineers are really good at designing processors to be fast and efficient but implementing these designs is very difficult and can easily lead to bugs. The researchers aren't sure how widespread BranchScope will be, but just like with Spectre, it still requires the attacker to be able to execute code on the victim's computer.

It could take months or even years to fully discover and patch the bugs associated with speculative execution.