Indirector - a new microarchitectural attack affecting Intel's Raptor Lake and Alder Lake CPUs

Carding Forum

Researchers from the University of California, San Diego have introduced a new method of attacking the microarchitectural structures of Intel processors, which is applicable, among others, to CPUs based on the Raptor Lake and Alder Lake microarchitectures. The attack, codenamed Indirector, allows changing the course of speculative execution of instructions in other processes and at other privilege levels (for example, in the kernel or in another virtual machine) that run on the same CPU thread as the attacker's code. As a demonstration of the method, the researchers prepared a prototype exploit that determines the memory address layout in order to bypass the ASLR (Address Space Layout Randomization) protection mechanism. In addition, a toolkit developed for analyzing and reverse engineering CPU microarchitectural logic has been published under the MIT license.

Two methods of organizing an attack are proposed. The first method is based on corrupting the contents of the Indirect Branch Predictor (IBP), which is used to predict indirect branches when the target address or offset is not yet known and is calculated by instructions preceding the branch instruction. The second method targets the Branch Target Buffer (BTB), which holds information about recent branches.

The identified vulnerabilities allow an attacker to determine the contents of IBP and BTB entries that hold branch targets used by other processes, and to substitute an arbitrary branch target in the buffers' data tables. As a result, an attacker can redirect the execution flow of another process to the desired memory address during speculative execution of instructions. Once the misprediction is detected, the result of speculative execution is discarded, but addresses and data read from memory during speculative execution remain in the cache and can be extracted using one of the methods for determining cache contents based on analyzing differences in access time between cached and uncached data. In practice, determining the exact addresses of indirect branches can be used, for example, to bypass the ASLR protection mechanism.
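As an added example (not code from the post or from the researchers' toolkit), a POSIX sh check a defender can run on a Linux host: it reads the kernel's spectre_v2 status line, the sysfs entry that reports the mitigation state for indirect-branch-predictor attacks, the family Indirector belongs to, and pulls out the IBPB field, the barrier that flushes predictor state across context switches and so bounds the cross-process predictor poisoning described above. Assumed: a Linux host and the sysfs path shown; the two sample status lines are constructed for offline runs.

```shell
#!/bin/sh
# Added example; assumes Linux exposing the sysfs file below (an assumption).
SPECTRE_V2_SYSFS=/sys/devices/system/cpu/vulnerabilities/spectre_v2

# Constructed sample status lines so the parser can be exercised offline.
SAMPLE_MITIGATED='Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; PBRSB-eIBRS: SW sequence; BHI: BHI_DIS_S'
SAMPLE_VULNERABLE='Vulnerable: eIBRS with unprivileged eBPF'

# spectre_v2_summary LINE -> prints "STATE ibpb=VALUE"
# STATE is mitigated, vulnerable, not-affected or unknown;
# VALUE is the kernel's IBPB field (e.g. conditional, always-on) or "none".
spectre_v2_summary() {
    line=$1
    case $line in
        Mitigation:*)    state=mitigated ;;
        Vulnerable*)     state=vulnerable ;;
        "Not affected"*) state=not-affected ;;
        *)               state=unknown ;;
    esac
    ibpb=none
    case $line in
        *IBPB:*)
            # keep the text after "IBPB:" up to the next ';', minus spaces
            ibpb=${line#*IBPB:}
            ibpb=${ibpb%%;*}
            ibpb=$(printf '%s' "$ibpb" | tr -d ' ')
            ;;
    esac
    printf '%s ibpb=%s\n' "$state" "$ibpb"
}

# live_check: summarize the real sysfs entry if it is readable on this host.
live_check() {
    if [ -r "$SPECTRE_V2_SYSFS" ]; then
        spectre_v2_summary "$(cat "$SPECTRE_V2_SYSFS")"
    else
        echo "unavailable: $SPECTRE_V2_SYSFS not readable (not Linux, or kernel without this entry)"
    fi
}

live_check
```

A result of "vulnerable" or "ibpb=none" on an affected Intel part is the condition worth escalating; the exact field wording is the kernel's and varies by version.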