Wednesday, March 28th 2018
New "BranchScope" Side-channel CPU Vulnerability Threatens Modern Processors
In the age of cyber-security vulnerabilities being named by their discoverers, much like incoming tropical storms, the latest, which exploits speculative execution of modern processors, is named "BranchScope," discovered by academics from four US universities, Dmitry Evtyushkin, Ryan Riley, Nael Abu-Ghazaleh, and Dmitry Ponomarev. The vulnerability has been successfully tested on Intel "Sandy Bridge," "Haswell," and "Skylake" micro-architectures, and remains to be tested on AMD processors. It bears similarities to "Spectre" variant 2, in that it is an exploit of the branch prediction features of modern CPUs.
BranchScope differs from Spectre variant 2, in that while the latter exploits the branch target buffer, BranchScope goes after the directional branch predictor, a component that decides which speculative operations to execute. By misdirecting it, attackers can make the CPU read and spit out data from the memory previously inaccessible. The worst part? You don't need administrative privileges to run the exploit, it can be run from the user-space. Unlike CTS-Labs, the people behind the BranchScope discovery appear to have alerted hardware manufacturers significantly in advance, before publishing their paper (all of it, including technicals). They will present their work at the 23rd ACM International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS 2018), later today.
Source:
BleepingComputer
BranchScope differs from Spectre variant 2, in that while the latter exploits the branch target buffer, BranchScope goes after the directional branch predictor, a component that decides which speculative operations to execute. By misdirecting it, attackers can make the CPU read and spit out data from the memory previously inaccessible. The worst part? You don't need administrative privileges to run the exploit, it can be run from the user-space. Unlike CTS-Labs, the people behind the BranchScope discovery appear to have alerted hardware manufacturers significantly in advance, before publishing their paper (all of it, including technicals). They will present their work at the 23rd ACM International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS 2018), later today.
18 Comments on New "BranchScope" Side-channel CPU Vulnerability Threatens Modern Processors
Joking aside , I wonder just how many of these things will be found out until no one will care anymore.
At least it seems like they told Intel in advance..
To me this smacks of the PAST 3 letter Agency Activity in Action and their pet BackDoors now useless coming to the fore.
The Full body Armor living in a faraday cage nutters Said those 3 l A had paid Intel to Bake in Back Doors
Time for me to go i can feel something dripping down my neck :)
its just a normal day guyz... people will forget in 1 or 2 days..until the next major security breach comes in..
its a normal businees day for intel/AMD/facebook/yahoo etc...
people will still buy them & use them....no matter what..for there's nothing a normal consumer can do...
end of the story
As far as this breach, I assume it means you can read the cached RAM data remotely? Not as dangerous as a BIOS infected system but as it does not require admin rights, possibly far more likely to happen.
We demonstrate BranchScope on three recent Intel x86_64
processors — Sandy Bridge, Haswell and Skylake. To perform
BranchScope, the attacker does not need to reverse-engineer
the details of the branch predictor operation, and only needs
to perform simple manipulations with the prediction state
machines from the user space. We also demonstrate how
BranchScope can be extended to attack SGX enclaves even if
recently-proposed protections are implemented. We show
that BranchScope can be performed across hyperthreaded
cores, advancing previously demonstrated BTB-based attacks
which leaked information only between processes scheduled
on the same virtual core [21].
Couple percent up to double digits on edge cases.
Oh wait, this is from actual security researcher, not some attention whore.
I've always been more partial to the philosophy of "make your data harder to access than it's worth"
That can be acomplished, even today.
Jokes aside, what a good reading on their paper, really a professional work on finding a explaining the Vulnerability.