Wednesday, March 28th 2018

New "BranchScope" Side-channel CPU Vulnerability Threatens Modern Processors

In the age of cyber-security vulnerabilities being named by their discoverers, much like incoming tropical storms, the latest, which turns the branch prediction hardware of modern processors into a side channel, is named "BranchScope." It was discovered by academics from four US universities: Dmitry Evtyushkin, Ryan Riley, Nael Abu-Ghazaleh, and Dmitry Ponomarev. The attack has been successfully demonstrated on Intel "Sandy Bridge," "Haswell," and "Skylake" micro-architectures, and remains to be tested on AMD processors. It bears similarities to "Spectre" variant 2, in that both abuse the branch prediction features of modern CPUs.

BranchScope differs from Spectre variant 2 in that while the latter exploits the branch target buffer (BTB), BranchScope goes after the directional branch predictor, the component that guesses whether a conditional branch will be taken or not and thereby steers speculative execution. Because that predictor state is shared between code running on the same physical core, an attacker can put it into a known state, let the victim run, and then measure how many of its own branches mispredict; the count reveals which way the victim's secret-dependent branches went, leaking information that process isolation was supposed to keep private. The worst part? You don't need administrative privileges to run the exploit; it runs from user space, and the paper shows it working against SGX enclaves and across hyperthreads. Unlike CTS-Labs, the people behind the BranchScope discovery appear to have alerted hardware manufacturers significantly in advance of publishing their paper (all of it, including technical details). They will present their work at the 23rd ACM International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS 2018), later today.
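The prime-then-probe idea is easiest to see on a toy model. The C program below is an added example written for this page, not code from the BranchScope paper or its authors. It models one directional-predictor entry as a 2-bit saturating counter shared by attacker and victim (a constructed simplification: a real pattern history table has thousands of entries indexed by branch address and history), primes it to strongly taken, runs a victim whose branch direction depends on a secret bit, and then probes with two not-taken branches, counting mispredictions the way the real attack observes them through timing or performance counters. A branchless version of the same victim, built with a mask instead of an `if`, sits alongside to make the mitigation concrete: it computes the identical result, but the attacker's inference no longer depends on the secret. The function names, constants and the exact probe sequence are this example's own assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of one directional-predictor entry: a 2-bit saturating counter.
 * 0 = strongly not-taken, 1 = weakly not-taken, 2 = weakly taken, 3 = strongly taken.
 * Constructed assumption: attacker and victim branches collide on this single entry. */
typedef struct { int counter; } pht_entry;

/* Simulate executing a conditional branch that maps to 'e'. Returns 1 on a misprediction. */
static int run_branch(pht_entry *e, bool taken) {
    bool predicted_taken = e->counter >= 2;
    int mispredicted = (predicted_taken != taken);
    if (taken && e->counter < 3) e->counter++;
    if (!taken && e->counter > 0) e->counter--;
    return mispredicted;
}

/* Attacker step 1 (prime): drive the shared entry to strongly taken. */
static void attacker_prime(pht_entry *e) {
    for (int i = 0; i < 3; i++) run_branch(e, true);
}

/* Attacker step 3 (probe): two not-taken branches, count mispredictions.
 * From strongly taken both probes mispredict (2); from weakly taken only the first does (1).
 * On real hardware this count is what timing or performance counters expose. */
static int attacker_probe(pht_entry *e) {
    int mispredicts = 0;
    mispredicts += run_branch(e, false);
    mispredicts += run_branch(e, false);
    return mispredicts;
}

/* Leaky victim: 'if (secret_bit)' is a branch whose direction is the secret. */
static uint32_t victim_branchy(pht_entry *e, int secret_bit) {
    bool taken = (secret_bit != 0);
    run_branch(e, taken);                 /* the secret-dependent branch hits the shared entry */
    return taken ? 0xAAAAAAAAu : 0x55555555u;
}

/* Hardened victim: same result, no secret-dependent branch, so the entry is untouched. */
static uint32_t victim_branchless(pht_entry *e, int secret_bit) {
    (void)e;                              /* never touches the predictor in this model */
    uint32_t mask = (uint32_t)0 - (uint32_t)(secret_bit & 1);   /* 0x00000000 or 0xFFFFFFFF */
    return (0xAAAAAAAAu & mask) | (0x55555555u & ~mask);
}

/* One full prime -> victim -> probe round. Returns the secret bit the attacker infers. */
static int branchscope_round(bool hardened, int secret_bit, uint32_t *victim_result) {
    pht_entry shared = { 0 };
    attacker_prime(&shared);
    uint32_t r = hardened ? victim_branchless(&shared, secret_bit)
                          : victim_branchy(&shared, secret_bit);
    if (victim_result) *victim_result = r;
    /* 2 mispredictions: entry still strongly taken, so the victim branched taken (or not at all).
     * 1 misprediction: the victim weakened it, so it branched not-taken. */
    return attacker_probe(&shared) == 2 ? 1 : 0;
}

/* Both victims must compute the same value; only their predictor footprint differs. */
static int victims_agree(int secret_bit) {
    pht_entry a = { 0 }, b = { 0 };
    return victim_branchy(&a, secret_bit) == victim_branchless(&b, secret_bit);
}

int main(void) {
    for (int hardened = 0; hardened < 2; hardened++) {
        for (int bit = 0; bit < 2; bit++) {
            uint32_t r;
            int guess = branchscope_round(hardened, bit, &r);
            printf("%s victim, secret=%d: attacker infers %d (victim result 0x%08x)\n",
                   hardened ? "hardened" : "leaky", bit, guess, r);
        }
    }
    return 0;
}
```

Build and run with `cc -o branchscope_model branchscope_model.c && ./branchscope_model`. The leaky victim hands the attacker the correct bit in both runs, while the hardened victim produces the same inference whatever the secret is, which is exactly the property constant-time code aims for.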
Source: BleepingComputer

18 Comments on New "BranchScope" Side-channel CPU Vulnerability Threatens Modern Processors

#1
Vya Domus
If they don't make a fancy website and some buzzfeed type videos about this it ain't worth our time. :laugh:

Joking aside, I wonder just how many of these things will be found before no one cares anymore.
Posted on Reply
#2
windwhirl
I predict this whole "vulnerabilities everywhere" thing won't stop anytime soon.

At least it seems like they told Intel in advance..
Posted on Reply
#3
Patriot
"windwhirl said:
I predict this whole "vulnerabilities everywhere" thing won't stop anytime soon.

At least it seems like they told Intel in advance..
Hopefully they will develop better design and coding practices...
Posted on Reply
#4
dorsetknob
"YOUR RMA REQUEST IS CON-REFUSED"
"windwhirl said:
At least it seems like they told Intel in advance..
Again time to pull on the chamber pot I have covered in tinfoil to wear as a security hat :)
To me this smacks of past 3-letter agency activity in action, and their pet backdoors, now useless, coming to the fore.
The full-body-armour, living-in-a-Faraday-cage nutters said those 3LAs had paid Intel to bake in backdoors.

Time for me to go, I can feel something dripping down my neck :)
Posted on Reply
#5
hat
Enthusiast
"windwhirl said:
I predict this whole "vulnerabilities everywhere" thing won't stop anytime soon.

At least it seems like they told Intel in advance..
Sure seems to be the trend, doesn't it... I guess we can no longer trust Win XP on an unprotected network... :laugh:
Posted on Reply
#6
Fatalfury
Another day... another security vulnerability / hack / data breach / data exploit....

It's just a normal day, guys... people will forget in 1 or 2 days, until the next major security breach comes in...

It's a normal business day for Intel/AMD/Facebook/Yahoo etc...
People will still buy them & use them... no matter what, for there's nothing a normal consumer can do...
End of the story.
Posted on Reply
#7
mcraygsx
"Fatalfury said:
Another day... another security vulnerability / hack / data breach / data exploit....

It's just a normal day, guys... people will forget in 1 or 2 days, until the next major security breach comes in...

It's a normal business day for Intel/AMD/Facebook/Yahoo etc...
People will still buy them & use them... no matter what, for there's nothing a normal consumer can do...
End of the story.
"You don't need administrative privileges to run the exploit, it can be run from the user-space."
Posted on Reply
#8
the54thvoid
This announcement so clearly demonstrates the very bad PR extravaganza that was CTS-Labs. This has no inflammatory statements, it is not derogatory and it does not make predictions of gloom and doom. This is how these things are meant to be released, as far as we can see, and also, more importantly, how news outlets should cover them.

As far as this breach, I assume it means you can read the cached RAM data remotely? Not as dangerous as a BIOS infected system but as it does not require admin rights, possibly far more likely to happen.
Posted on Reply
#9
ikeke
This looks bad. In essence, because Intel has made its branch prediction logic so good (the reason Intel CPUs are as good as they are at what they do), it knows too much and tells anyone (on the same host) who knows how to ask everything.

We demonstrate BranchScope on three recent Intel x86_64 processors — Sandy Bridge, Haswell and Skylake. To perform BranchScope, the attacker does not need to reverse-engineer the details of the branch predictor operation, and only needs to perform simple manipulations with the prediction state machines from the user space. We also demonstrate how BranchScope can be extended to attack SGX enclaves even if recently-proposed protections are implemented. We show that BranchScope can be performed across hyperthreaded cores, advancing previously demonstrated BTB-based attacks which leaked information only between processes scheduled on the same virtual core [21].
Posted on Reply
#11
Easo
How much performance loss this time? :/
Posted on Reply
#12
ikeke
Any "fixes" to branch predictor logic come with a performance cost.

A couple of percent, up to double digits in edge cases.
Posted on Reply
#13
xkm1948
Wait a minute. No green screened video? No flashy "XXX Flaws" websites? No "CPU Companies should file chapter 11"? What is wrong with this?

Oh wait, this is from actual security researcher, not some attention whore.
Posted on Reply
#14
Readlight
Does that mean Sandy Bridge needs to run in offline (no internet) mode?
Posted on Reply
#15
TheDeeGee
So at the end with all 139875945 patches applied our CPUs will perform like a Pentium 3.
Posted on Reply
#16
PowerPC
The only lesson from this is: never trust your personal data to any computer that is even remotely online. Have a separate PC at home without any access to the internet. Probably until the end of time, this is the only truth about data security. Only way you can stop reading these news and sleep tight.
Posted on Reply
#17
R-T-B
"PowerPC said:
The only lesson from this is: never trust your personal data to any computer that is even remotely online.
That's extreme.

I've always been more partial to the philosophy of "make your data harder to access than it's worth"

That can be accomplished, even today.
Posted on Reply
#18
KarymidoN
So these guys actually sent an advance warning to Intel? No Intelflaws.com? hmmm :laugh:
Jokes aside, what a good read their paper is, really professional work on finding and explaining the vulnerability.
Posted on Reply