Six years after Intel made architectural changes to its CPUs to mitigate speculative execution vulnerabilities, researchers have developed a new technique that can bypass some of those mitigations.
Called Branch Privilege Injection (BPI), the new attack method was developed by researchers from the ETH Zurich university in Switzerland and can leak information from privileged memory on up-to-date operating systems and Intel CPUs. It defeats the hardware mitigations built by Intel since 2018 in its CPUs for the Spectre v2 vulnerability, also known as Branch Target Injection (BTI).
“Our analysis reveals three variants, breaching the security boundaries between user and kernel, guest and hypervisor, and across indirect branch predictor barriers,” the ETH researchers wrote in their research paper.
The vulnerability, tracked as CVE-2024-45332, affects all Intel CPUs since the 9th generation, known as Coffee Lake Refresh, which was released in October 2018. Intel has now released a microcode update that includes new mitigations, but users can obtain them only via UEFI updates from their PC or motherboard manufacturers.
Spectre returns
Spectre variant 2, tracked as CVE-2017-5715, was one of three vulnerabilities disclosed by Google researchers in January 2018 that required arguably the biggest patch coordination effort in history, and sparked an entire new area of research that produced tens of other vulnerabilities in CPUs in the years since.
The attack, dubbed Branch Target Injection by Intel, abuses the speculative execution feature of modern CPUs, which uses algorithms to predict the code path a program will likely take and executes instructions along that path in advance, so that the results are available instantly from cache when the execution flow reaches that point. If the CPU’s speculation proves incorrect, the results are discarded, but until that happens attackers can use various techniques to extract them from the CPU cache, essentially using it as a side channel.
The impact of Spectre v2 is serious, because it violates some of the most fundamental security layers in operating systems and other systems: for example, the memory access separation between user-mode processes and kernel processes, the separation between hypervisor memory and guest virtual machines, the separation between OS memory and the memory of secure CPU execution environments like Intel SGX, and more. Many variants of Spectre followed after the initial publication, including Spectre-NG, SgxPectre, Spectre-PHT, Spectre-PHT-CA-OP, Spectre-PHT-CA-IP, Spectre-PHT-SA-OP, Spectre-BTB-SA-IP, Spectre-BTB-SA-OP, and Spectre-BHI.
The mitigations for speculative execution attacks like Spectre v2 that Intel introduced in new CPUs are called enhanced Indirect Branch Restricted Speculation (eIBRS) and the Indirect Branch Prediction Barrier (IBPB). These aim to separate branch prediction by different security domains at the hardware level, which means that processes from one domain cannot inject branch targets into the predictor for a different domain. Meanwhile IBPB can be used to disable all indirect branch predictions.
“While eIBRS appears to correctly restrict predictions to the security domain they are associated with, this association can be manipulated,” the ETH Zurich researchers wrote when describing their new attack. “Branch predictor updates that are in-flight while a privilege switch occurs are associated with the new security domain instead of the previous one. Furthermore, we have found that updates that are in-flight when the indirect branch predictor is invalidated (IBPB) are not flushed. As a result, these updates are stored in the branch predictor despite invalidating it.”
In other words, what Kaveh Razavi, Johannes Wikner, and Sandro Rüegge found are race conditions in these mechanisms that can be won by an attacker using their newly developed techniques. Their proof of concept successfully leaked arbitrary kernel memory at 5.6KB/s on an up-to-date Ubuntu 24.04 with all default mitigations running on an Intel Raptor Lake (13th gen) processor. However, they note that all operating systems are impacted, not just Linux.
AMD and ARM CPUs, however, are not affected by this class of attacks and race conditions because they have different mitigation strategies in place.
Mitigations
There are two ways to deploy CPU microcode updates. One is through UEFI during early boot stages, where the CPU loads the latest microcode version stored in the UEFI. The other is by the operating system bootloader later in the boot process, though this is a temporary patch that needs to be constantly reapplied.
For Spectre v2 there is also a software-based mitigation proposed by Google called retpoline that replaces indirect jumps and calls in code with returns because returns are not predicted as indirect branches. The ETH Zurich researchers have developed a similar software-based mitigation for their new BPI attack that combines retpoline with the disabling of alternate return target prediction in supervisor mode.
“For preventing harmful indirect branch prediction, we propose deactivating all indirect branch predictions in supervisor mode,” the researchers wrote in their paper. “While only supported on newer processors, this approach results in a lower overhead of up to 1.7 % in UnixBench and 6.4 % in lmbench.”
Meanwhile, when the researchers tested the microcode patch developed by Intel, it introduced a performance degradation of up to 2.7% on Alder Lake family CPUs. Since these attacks exploit a performance-enhancing feature of the CPU (branch prediction and speculative execution), it is expected that any mitigation would have an impact on the CPU’s baseline performance. Measuring this impact is important, especially for servers and datacenter workloads.
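Because the fix ships as microcode, a Linux fleet check needs both the running microcode revision and the kernel's Spectre v2 status. The sketch below is an added example, not code from the article or the researchers: it parses `/proc/cpuinfo` and `/sys/devices/system/cpu/vulnerabilities/spectre_v2`, the sample inputs are constructed, and the required revision is a placeholder to be filled per CPU model from the vendor advisory.

```python
from pathlib import Path

# Constructed sample inputs (not captured from a real host).
SAMPLE_CPUINFO = ("processor\t: 0\nvendor_id\t: GenuineIntel\ncpu family\t: 6\n"
                  "model\t\t: 183\nmicrocode\t: 0x100\n")
SAMPLE_SPECTRE_V2 = ("Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; "
                     "RSB filling; PBRSB-eIBRS: SW sequence; BHI: BHI_DIS_S")
# Placeholder: take the fixed revision for your exact CPU model from the vendor advisory.
REQUIRED_REV_PLACEHOLDER = 0x0

def parse_cpuinfo(text):
    """Vendor, model and running microcode revision of the first CPU."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip(), value.strip())  # keep first CPU's values
    return {"vendor": fields.get("vendor_id", ""), "model": int(fields.get("model", "0")),
            "microcode": int(fields.get("microcode", "0x0"), 16)}

def parse_spectre_v2(status):
    """Turn the kernel's semicolon-separated spectre_v2 status into flags."""
    parts = [p.strip() for p in status.split(";")]
    ibpb = next((p.split(":", 1)[1].strip() for p in parts
                 if p.startswith("IBPB:")), "absent")
    return {"vulnerable": status.startswith("Vulnerable"),
            "eibrs": any("Enhanced" in p and "IBRS" in p for p in parts),
            "retpoline": any("retpoline" in p.lower() for p in parts),
            "ibpb": ibpb}

def assess(cpuinfo_text, spectre_v2_text, required_rev):
    """Return (cpu, mitigations, findings); an empty findings list means no gap seen."""
    cpu, v2 = parse_cpuinfo(cpuinfo_text), parse_spectre_v2(spectre_v2_text)
    findings = []
    if cpu["vendor"] == "GenuineIntel" and cpu["microcode"] < required_rev:
        findings.append(f"microcode {cpu['microcode']:#x} is older than required {required_rev:#x}")
    if v2["vulnerable"]:
        findings.append("kernel reports Spectre v2 as unmitigated")
    if v2["ibpb"] in ("absent", "disabled"):
        findings.append("IBPB is not in use")
    return cpu, v2, findings

if __name__ == "__main__":
    sysfs = Path("/sys/devices/system/cpu/vulnerabilities/spectre_v2")
    live = sysfs.exists()  # fall back to the constructed samples off-Linux
    cpuinfo = Path("/proc/cpuinfo").read_text() if live else SAMPLE_CPUINFO
    status = sysfs.read_text().strip() if live else SAMPLE_SPECTRE_V2
    for finding in assess(cpuinfo, status, REQUIRED_REV_PLACEHOLDER)[2] or ["no gap found"]:
        print(finding)
```

Microcode revisions are only comparable within the same CPU model, so the threshold must be looked up per model rather than applied fleet-wide.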