Academic researchers from several universities have disclosed a new Spectre-style method for extracting secrets from modern Intel processors. Intel, however, says its existing Spectre v1 mitigations already cover the flaw.
A group of researchers from the University of California, San Diego, Purdue University, UNC Chapel Hill, the Georgia Institute of Technology and Google found that a structure in the branch predictor called the Path History Register (PHR), which records the path of recently taken branches, can be manipulated to expose confidential data.
For this reason, they named the vulnerability “Pathfinder.”
“Pathfinder allows attackers to read and manipulate key components of the branch predictor, enabling two main types of attacks: reconstructing the program's control flow history and launching high-resolution Spectre attacks,” Hosein Yavarzadeh, lead author of the paper, told The Hacker News.
“This includes extracting secret images from libraries such as libjpeg and recovering AES encryption keys by extracting intermediate values.”
For those with shorter memories, Spectre is a family of side-channel attacks that abuse branch prediction and speculative execution: the processor is steered into running the wrong code path speculatively, and the data it touches along the way leaves traces (typically in the cache) that an attacker can read back.
The PHR's job is to record the sequence of recently taken branches, and the predictor consults that history to decide which way the next branch will go. Because an attacker can set the PHR to a chosen value by executing their own sequence of branches, they can induce mispredictions in a victim program and steer it down a code path it would never take architecturally; the sensitive data touched along that transient path is what leaks.
In the paper, the researchers demonstrate both results concretely: recovering an AES key from intermediate values of the encryption, and leaking the contents of images while libjpeg decodes them.
Intel was notified in November of last year and published a security advisory addressing the findings in April of this year. In the advisory, Intel classifies Pathfinder as a Spectre v1 (bounds-check bypass) technique and states that previously released Spectre v1 mitigations also address this issue.
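What "Spectre v1 mitigations" means in practice, as an added example that is not from the paper, Intel's advisory or this article: the kind of bounds-check gadget whose branch an attacker trains through the branch history (the PHR-fed prediction described above), shown next to the two standard software defenses, branch-free index masking (the arithmetic behind the Linux kernel's array_index_mask_nospec()) and a speculation barrier. The array contents, the victim_* function names and the idx/len arguments are constructed for the example; the inline assembly is GCC/Clang syntax.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data: a small public array that callers may index,
 * with attacker-influenced idx/len arguments. */
#define PUBLIC_LEN 16
static const uint8_t public_array[PUBLIC_LEN] = {
    0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15
};

/* Spectre v1 gadget (hypothetical victim code). Architecturally correct:
 * an out-of-bounds idx returns 0. But the bounds check is a conditional
 * branch; if the predictor, fed by the branch history the PHR records, has
 * been trained to guess "in bounds", the CPU speculatively reads
 * public_array[idx] for an out-of-bounds idx before the check resolves.
 * The read is squashed, but its cache footprint is not. */
uint8_t victim_unsafe(size_t idx, size_t len) {
    if (idx < len)
        return public_array[idx];
    return 0;
}

/* Mitigation 1: branch-free index masking, the same arithmetic the Linux
 * kernel uses in array_index_mask_nospec(). Returns all-ones when
 * idx < len and 0 otherwise, with no branch the predictor could mispredict.
 * Assumes len <= SIZE_MAX / 2 (top bit of len clear). */
size_t index_mask_nospec(size_t idx, size_t len) {
    /* If idx >= len, len - 1 - idx wraps and its top bit is set; an idx
     * with its own top bit set is also out of range. Either way oob == 1. */
    size_t oob = (idx | (len - 1 - idx)) >> (sizeof(size_t) * 8 - 1);
    return oob - 1;  /* oob == 1 -> 0 ; oob == 0 -> SIZE_MAX */
}

uint8_t victim_masked(size_t idx, size_t len) {
    if (idx < len) {
        size_t mask = index_mask_nospec(idx, len);
        /* Keep the optimizer from proving the mask redundant inside the
         * branch and deleting it (the kernel hides it the same way). */
        __asm__ __volatile__("" : "+r"(mask));
        /* Even if the branch is mispredicted, idx is forced to 0 during
         * speculation, so no out-of-bounds address is ever formed. */
        idx &= mask;
        return public_array[idx];
    }
    return 0;
}

/* Mitigation 2: a speculation barrier after the check. LFENCE on x86 keeps
 * younger loads from executing until the branch has resolved. On targets
 * without a known barrier here the function is empty, i.e. NOT mitigated. */
static inline void speculation_barrier(void) {
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#elif defined(__aarch64__)
    __asm__ __volatile__("dsb sy\n\tisb" ::: "memory");
#else
    /* No barrier for this target: this build is not mitigated. */
#endif
}

uint8_t victim_fenced(size_t idx, size_t len) {
    if (idx < len) {
        speculation_barrier();
        return public_array[idx];
    }
    return 0;
}

int main(void) {
    size_t in = 5, out = 1000;
    printf("mask in-bounds : 0x%zx\n", index_mask_nospec(in, PUBLIC_LEN));
    printf("mask OOB       : 0x%zx\n", index_mask_nospec(out, PUBLIC_LEN));
    printf("unsafe/masked/fenced (idx=%zu): %u %u %u\n", in,
           victim_unsafe(in, PUBLIC_LEN), victim_masked(in, PUBLIC_LEN),
           victim_fenced(in, PUBLIC_LEN));
    printf("unsafe/masked/fenced (idx=%zu): %u %u %u\n", out,
           victim_unsafe(out, PUBLIC_LEN), victim_masked(out, PUBLIC_LEN),
           victim_fenced(out, PUBLIC_LEN));
    return 0;
}
```

All three variants return identical architectural results, which is the point: the mitigations change only what the CPU may do transiently. Masking is the cheaper of the two and is preferred in hot paths; the barrier is simpler to apply but serializes every execution of the check. Neither one protects a gadget you have not found, so the practical work behind "previously released mitigations" is auditing code for this pattern where the index comes from an untrusted caller.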
The researchers concluded that AMD silicon appears to be immune to Pathfinder.
Those interested in learning more can read the full article at this link.