Researchers from the College of William & Mary, the University of California, Riverside, Carnegie Mellon University in Qatar and Binghamton University have identified and demonstrated (PDF file) an Intel CPU vulnerability they have dubbed 'BranchScope'. Like the widely publicised Spectre flaws, it is a side-channel attack that abuses the branch prediction hardware behind speculative execution in modern processors to extract sensitive data. The name comes from its target: the branch prediction unit, the same part of the CPU's speculative execution machinery that Spectre variant 2 (CVE-2017-5715) attacks, as Bleeping Computer explains. The two differ in which predictor they go after: Spectre variant 2 poisons the branch target buffer (BTB), which supplies the destination of indirect branches, whereas BranchScope works on the directional predictor that decides whether a conditional branch is taken or not.
The academic team give a more detailed explanation of why BranchScope is a problem, and it is worth quoting in full to see the heart of the issue:
"Modern microprocessors rely on branch prediction units (BPUs) to sustain uninterrupted instruction delivery to the execution pipeline across conditional branches. When multiple processes execute on the same physical core, they share a single BPU. While attractive from utilization and complexity considerations, the sharing potentially opens the door for an attacker to manipulate the shared BPU state, create a side-channel, and derive a direction or target of a branch instruction executed by a victim process. Such leakage can compromise sensitive data."
The paper gives the example of a branch whose direction depends on a bit of a secret key: an attacker who can recover which way that branch went has recovered the key bit directly, one bit per branch. Such secret-dependent branches occur in naive implementations of modular exponentiation (multiply only when the current key bit is set) and in other core arithmetic routines of modern cryptographic schemes, the researchers say.
BranchScope has been demonstrated on Intel Sandy Bridge, Haswell and Skylake processors. On such machines an attacker could obtain potentially sensitive information they would normally be unable to access directly. The preconditions are significant, however: according to Security Week, the attacker needs access to the targeted system and must be able to execute arbitrary code on it, and since the side channel is the branch predictor shared between processes on one physical core, the attacking code has to run on the same core as the victim. Whether AMD processors are affected has not been tested; the researchers evaluated only Intel parts, and the article's suggestion that AMD is unlikely to be vulnerable rests on AMD's reported lower exposure to the similar Spectre variant 2 rather than on any measurement.
Intel says existing side-channel mitigations should cover BranchScope
Intel's statement on BranchScope, released to Security Week, says that the firm has been working with the researchers. Notably, Intel added that "We anticipate that existing software mitigations for previously known side channel exploits, such as the use of side channel resistant cryptography, will be similarly effective against the method described in this paper." In other words, Intel is pointing at software fixes (code that has no secret-dependent branches) rather than at microcode. That matters because, as one of the lead researchers points out, Intel's existing microcode updates for Spectre variant 2 address the BTB vector only, while BranchScope leaks through the directional predictor, so systems patched for Spectre variant 2 could still be exposed to BranchScope attacks if they run crypto code that branches on key bits.
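The following is an added example, not code from the BranchScope paper, from Intel or from any library the article mentions. It shows the two points above in working code: the secret-dependent branch in a naive square-and-multiply modular exponentiation (the leak the paper describes) and the branch-free Montgomery ladder with a masked conditional swap that Intel's "side channel resistant cryptography" refers to. The arithmetic is deliberately toy-sized (32-bit operands, 64-bit products, constructed sample values) so it runs without a bignum library; `modexp_branchy`, `modexp_ladder`, `leaked_exponent` and the trace format are all this example's own constructions. In place of a real predictor probe, the vulnerable routine records its branch directions into a string, standing in for what a BranchScope attacker observes, and `leaked_exponent` reconstructs the exponent from that string alone.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not the paper's code). Toy modular multiply:
   32-bit operands, 64-bit product, so no bignum library is needed. */
static uint32_t mulmod(uint32_t a, uint32_t b, uint32_t m)
{
    return (uint32_t)(((uint64_t)a * b) % m);
}

/* VULNERABLE: left-to-right square-and-multiply. The `if` on each exponent
   bit is the secret-dependent branch the article describes: its direction
   (taken / not taken) is exactly one bit of the private exponent, which is
   what BranchScope recovers from the shared directional predictor.
   If `trace` is non-NULL, one 'T' or 'N' per iteration is written to it,
   standing in for the attacker's observation of the branch direction. */
uint32_t modexp_branchy(uint32_t base, uint64_t exp, uint32_t mod,
                        unsigned bits, char *trace)
{
    uint32_t r = 1 % mod;
    for (unsigned i = bits; i-- > 0; ) {
        r = mulmod(r, r, mod);                 /* square: always executed */
        if ((exp >> i) & 1) {                  /* direction == key bit     */
            r = mulmod(r, base, mod);          /* multiply: only if bit set */
            if (trace) trace[bits - 1 - i] = 'T';
        } else {
            if (trace) trace[bits - 1 - i] = 'N';
        }
    }
    if (trace) trace[bits] = '\0';
    return r;
}

/* What the attacker does with a direction trace: each taken branch is a 1,
   each not-taken branch a 0, most significant bit first. */
uint64_t recover_exponent(const char *trace)
{
    uint64_t exp = 0;
    for (; *trace; trace++)
        exp = (exp << 1) | (uint64_t)(*trace == 'T');
    return exp;
}

/* Convenience: run the vulnerable routine, capture its branch directions and
   return the exponent an observer of those directions would reconstruct. */
uint64_t leaked_exponent(uint32_t base, uint64_t exp, uint32_t mod, unsigned bits)
{
    char trace[65];                            /* up to 64 bits + NUL */
    if (bits > 64) bits = 64;
    (void)modexp_branchy(base, exp, mod, bits, trace);
    return recover_exponent(trace);
}

/* HARDENED: Montgomery ladder with a constant-time conditional swap. Every
   iteration runs the same instruction stream (two masked swaps, one multiply,
   one square) whatever the key bit, so no branch direction depends on the
   secret. The only key-dependent quantity is the mask, consumed by ALU ops.
   Caveat: check the compiler output; an optimiser may turn a mask idiom
   back into a branch, which would reintroduce the leak. */
static void ct_swap(uint32_t *a, uint32_t *b, uint32_t bit)
{
    uint32_t mask = 0u - bit;                  /* 0xFFFFFFFF if bit==1, else 0 */
    uint32_t t = (*a ^ *b) & mask;
    *a ^= t;
    *b ^= t;
}

uint32_t modexp_ladder(uint32_t base, uint64_t exp, uint32_t mod, unsigned bits)
{
    uint32_t r0 = 1 % mod, r1 = base % mod;    /* invariant: r1 == r0 * base */
    for (unsigned i = bits; i-- > 0; ) {
        uint32_t bit = (uint32_t)((exp >> i) & 1);
        ct_swap(&r0, &r1, bit);
        r1 = mulmod(r0, r1, mod);
        r0 = mulmod(r0, r0, mod);
        ct_swap(&r0, &r1, bit);
    }
    return r0;
}

int main(void)
{
    /* Constructed sample: base 3, secret exponent 5 (binary 101), modulus 13. */
    char trace[65];
    uint32_t a = modexp_branchy(3, 5, 13, 3, trace);
    uint32_t b = modexp_ladder(3, 5, 13, 3);
    printf("branchy=%u ladder=%u directions=%s recovered exponent=%llu\n",
           a, b, trace, (unsigned long long)recover_exponent(trace));
    return 0;
}
```

Both routines compute the same result (3^5 mod 13 = 9), but only the first one produces a branch-direction sequence ("TNT") from which the exponent 5 falls out directly. The ladder still leaks the exponent length through the loop trip count, which is why real implementations fix the bit length to that of the modulus; that, and not any microcode update, is the class of fix Intel's statement is relying on.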