When researchers from Google’s Project Zero team and other academic teams published the Spectre/Meltdown research earlier this year, it was clear there was a lot of research energy focused on the speculative execution feature in modern processors. It was inevitable that more issues were going to be found.
BranchScope focuses on the processor's branch prediction system and is “a new side-channel attack where the attacker infers the direction of an arbitrary conditional branch instruction in a victim program by manipulating the shared directional branch predictor,” wrote researchers from the College of William and Mary, Carnegie Mellon, the University of California Riverside, and Binghamton University. The paper was presented at the ACM International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS).
Speculative execution is a feature added to modern processors to boost performance. The processor tries to guess what instructions the program wants to call next and starts executing potential paths so that by the time the program gets to that point, the results are already available. The processor's branch predictor is a core piece in speculative execution because it uses history to do a better job of making those guesses. The branch predictor tracks the address of all possible instructions (branches), whether or not that branch was taken, and the address of the next instruction that should execute if that branch is chosen.
“Every time you get a branch instruction, you can branch to that new address, or just continue executing,” said Joe FitzPatrick, a hardware security researcher and trainer. “With no historical data, either way is a fair guess. Once the right answer is figured out, the CPU can keep a cheat sheet for next time, recording the address of the branch and whether it was taken or not. Every additional time the branch is reached, the CPU checks its cheat sheet to guide it to choose which way to go, and keeps track of whether its guess was right or wrong.”
With Spectre, researchers found the processor doesn't completely throw away the results generated from these guesses, notably if those results had been loaded into the processor’s cache. So an attacker who already had access to the system could read the cache, which could contain sensitive information such as passwords and encryption keys, and use that information to craft a second attack. With BranchScope, researchers found that it was possible to look at the likelihood of whether that branch will be taken to infer sensitive information.
"Every additional time the branch is reached, the CPU checks its cheat sheet to guide it to choose which way to go, and keeps track of whether its guess was right or wrong."
FitzPatrick provided the following test-taking analogy where a friend (the processor) creates a crib sheet (the branch prediction unit) to explain BranchScope. “You prep your friend with a crib sheet and let them take the test. They catch all the errors in the crib sheet, score 100%, and update the crib sheet in case they have to take the same test again.”
Since the friend won’t provide the crib sheet, the friend needs to be tricked into providng the answers. “You convince them to take another test, where you know all the answers, and they use the same crib sheet. Your friend will again notice if the crib sheet is wrong, and take longer to calculate the right answers.”
By timing how long it takes the friend to take that second test, you can tell if the crib sheet was right or wrong, and “also infer what the right answer to the previous test was,” FitzPatrick said.
A BranchScope attack would involve an attacker running multiple programs to put branch predictors in a known state before the victim executes the targeted program. The follow-up attack code will time each of the branches to infer what the processor did previously.
The academic researchers found that when multiple processes execute on the same physical core, they share a single branch prediction unit. An attacker can manipulate the shared unit to create a side-channel and figure out the direction or target of a branch instruction executed by the victim’s code. They said Intel processors leaked encrypted code and data protected using Intel’s SGX (Software Guard Extensions) feature. BranchScope could also be used against address space layout randomization (ASLR) to infer data in encryption and image libraries.
This isn't a straightforward attack and requires careful understanding of how processors work. It's also not clear at this point how much software is truly vulnerable to BranchScope. Much like Spectre, BranchScope requires the attacker to already have the ability to run code on the targeted system.
Spectre highlighted the need for changes in both the operating system as well as hardware. While the researchers suggested both hardware changes and software fixes would be necessary to address BranchScope, Intel said that would not be necessary.
We have determined the method they [the researchers] describe is similar to previously known side channel exploits," Intel said in a statement. "We anticipate that existing software mitigations for previously known side channel exploits, such as the use of side channel resistant cryptography, will be similarly effective against the method described in this paper.
It should be no surprise that a feature meant to boost processor performance has security implications. New features means modifying existing code, which creates potential avenues of attack. Spectre and Meltdown were found because many researchers were already looking at the processor architecture and thinking about side-channel exploits. BranchScope is a continuation of that research, and shows that there are other ways to abuse speculative execution.
Spectre was “an acknowledgement that CPU architectural side-channels are real threats,” FitzPatrick said. Spectre and Meltdown are the first examples of a new category of micro-architectural vulnerabilities, proving that just because the data is isolated on the processor doesn't mean the data is safe.
Increased scrutiny in this area means more attacks exploiting the speculative execution hardware to leak information will be found. The current situation is very similar to what happened after the Stagefright vulnerability was uncovered in Android several years ago. Months after the initial Stagefright vulnerability was disclosed and addressed, Google was busy stomping out related vulnerabilities in Android’s mediaserver component.
“I have been meaning to dedicate some time to going through each CPU performance feature and brainstorm how it could be used as a side channel,” FitzPatrick said. “I can only assume others have already done this.”