Abstract
Branch Target Injection (BTI, or Spectre v2) is one of the most dangerous transient execution vulnerabilities, as it allows an attacker to abuse indirect branch mispredictions to leak sensitive information. Unfortunately, it has also proven difficult to mitigate, with vendors originally resorting to inefficient software mitigations such as retpoline. More recently, efficient hardware mitigations such as Intel eIBRS and Arm CSV2 have been deployed in production as a replacement, isolating the branch target state across privilege domains. The assumption is that this is sufficient to deter practical BTI exploitation. In this paper, we challenge this belief and disclose fundamental design flaws in both the Intel and the Arm solutions. We introduce Branch History Injection (BHI, or Spectre-BHB), a new primitive to build cross-privilege BTI attacks on systems deploying isolation-based hardware defenses. BHI builds on the observation that, while the branch target state is now isolated across privilege domains, this isolation is not extended to other branch predictor elements that track the branch history state, ultimately re-enabling cross-privilege attacks. We further analyze the guarantees of a hypothetical isolation-based mitigation that also isolates the branch history and show that, barring a collision-free design, practical same-predictor-mode attacks remain possible. To instantiate our approach, we present end-to-end exploits that leak kernel memory from userland on Intel systems at 160 bytes/s, in spite of existing or hypothetical isolation-based mitigations. We conclude that software defenses such as retpoline remain the only practical BTI mitigations in the foreseeable future, and that the pursuit of efficient hardware mitigations must continue.
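The abstract's practical takeaway is that a system relying on eIBRS or CSV2 alone, with no retpoline and no branch-history mitigation, is exposed to BHI. A first check an engineer can run is the kernel's own self-report in /sys/devices/system/cpu/vulnerabilities/spectre_v2. The script below is an added example and not code from the paper: it classifies that status line and flags the "isolation only" case the paper warns about. The exact wording of the sysfs line is Linux's and varies by kernel version (newer kernels append a `BHI:` field on x86 and report `BHB` on arm64), so the sample lines are constructed in that style for illustration rather than captured from any specific machine, and the string-matching heuristics are an assumption that may need updating for other kernels. The check reflects only what the kernel believes about its mitigations; it does not test the microarchitecture.

```python
"""Classify a Linux spectre_v2 sysfs status line with respect to BHI exposure.

Added example, not part of the paper. The sysfs wording is kernel-version
dependent; the samples below are constructed in Linux's style, not captured
from a real host.
"""
import re
from pathlib import Path
from typing import Optional

SYSFS_SPECTRE_V2 = Path("/sys/devices/system/cpu/vulnerabilities/spectre_v2")

# Constructed sample lines (illustrative, in the style of the Linux sysfs file).
SAMPLE_STATUS_LINES = {
    "eibrs_with_bhi_mitigation": (
        "Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; "
        "PBRSB-eIBRS: SW sequence; BHI: SW loop, KVM: SW loop"
    ),
    "eibrs_only_old_kernel": "Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling",
    "retpoline": "Mitigation: Retpolines; IBPB: conditional; STIBP: conditional; RSB filling",
    "arm64_csv2_bhb": "Mitigation: CSV2, BHB",
    "unmitigated": "Vulnerable",
    "not_affected": "Not affected",
}


def classify_spectre_v2(status: str) -> dict:
    """Break a spectre_v2 status line into the facts relevant to BHI.

    hw_isolation   : eIBRS / CSV2 in use (branch *target* state isolated)
    retpoline      : software mitigation the paper concludes remains necessary
    bhi_mitigated  : True/False from a BHI/BHB field, None if the kernel says nothing
    isolation_only : eIBRS/CSV2 with neither retpoline nor a reported BHI mitigation,
                     i.e. the configuration the paper's BHI attack targets
    """
    s = status.strip()
    low = s.lower()
    result = {
        "not_affected": low.startswith("not affected"),
        "vulnerable": low.startswith("vulnerable"),
        "hw_isolation": False,
        "retpoline": False,
        "bhi_mitigated": None,
        "isolation_only": False,
    }
    if not low.startswith("mitigation:"):
        return result
    body = low[len("mitigation:"):].strip()
    # The primary mitigation is the first field; later fields are separated by ';' or ','.
    primary = re.split(r"[;,]", body, maxsplit=1)[0].strip()
    # Plain "IBRS" (legacy, non-enhanced) is deliberately not counted as isolation.
    result["hw_isolation"] = any(tok in primary for tok in ("enhanced ibrs", "automatic ibrs", "csv2"))
    result["retpoline"] = "retpoline" in primary
    m = re.search(r"\bbhi:\s*([^;]*)", body)          # x86 field, e.g. "BHI: SW loop" / "BHI: Vulnerable"
    if m:
        result["bhi_mitigated"] = not m.group(1).strip().startswith("vulnerable")
    elif re.search(r"\bbhb\b", body):                 # arm64 reports "Mitigation: CSV2, BHB"
        result["bhi_mitigated"] = True
    result["isolation_only"] = (
        result["hw_isolation"] and not result["retpoline"] and not result["bhi_mitigated"]
    )
    return result


def exposed_to_bhi(status: str) -> bool:
    """True if the kernel reports no mitigation, or only target-state isolation."""
    r = classify_spectre_v2(status)
    return r["vulnerable"] or r["isolation_only"]


def read_live_status() -> Optional[str]:
    """Read this host's status line; None if the sysfs file is absent (non-Linux, container)."""
    try:
        return SYSFS_SPECTRE_V2.read_text().strip()
    except OSError:
        return None


if __name__ == "__main__":
    for name, line in SAMPLE_STATUS_LINES.items():
        print(f"{name:26s} exposed={exposed_to_bhi(line)!s:5s} {line}")
    live = read_live_status()
    if live is not None:
        print("this host:", live, "->", "EXPOSED" if exposed_to_bhi(live) else "ok")
```

Note that a `BHI:` field naming a hardware control (for example a microcode-provided BHI disable) counts as mitigated here, since the parser trusts the kernel's report; the paper's stronger claim, that even a hypothetical history-isolating design admits same-predictor-mode attacks, is not something a sysfs line can settle.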
Field | Value
---|---
Original language | English
Title of host publication | Proceedings of the 31st USENIX Security Symposium, Security 2022
Publisher | USENIX Association
Pages | 971-988
Number of pages | 18
ISBN (Electronic) | 9781939133311
Publication status | E-pub ahead of print - 10 Aug 2022
Event | 31st USENIX Security Symposium, Security 2022 - Boston, United States; duration: 10 Aug 2022 → 12 Aug 2022
Conference
Field | Value
---|---
Conference | 31st USENIX Security Symposium, Security 2022
Country/Territory | United States
City | Boston
Period | 10/08/22 → 12/08/22
Bibliographical note
Funding Information:We thank the anonymous reviewers for their valuable comments. We also thank Alyssa Milburn and Andrew Cooper for their feedback. This work was supported by the EU's Horizon 2020 research and innovation programme under grant agreement No. 825377 (UNICORE), by Intel Corporation through the Side Channel Vulnerability ISRA, and by Netherlands Organisation for Scientific Research through projects “TROPICS”, “Theseus”, and “Intersect”. This paper reflects only the authors' view. The funding agencies are not responsible for any use that may be made of the information it contains.
Publisher Copyright:
© USENIX Security Symposium, Security 2022. All rights reserved.