First Spectre, now BranchScope — another vulnerability in Intel processors

Researchers from four universities discovered a new vulnerability in Intel’s processors dubbed as BranchScope. The problem resides in the method a processor uses to predict where its current computational task will end, aka speculative execution. By exploiting this flaw, hackers with access to the PC could pull data stored from memory that’s otherwise inaccessible to all applications and users. 

The speculative execution process enhances the CPU’s speed by enabling the chip to “speculate” what needs to be done later in the chain of commands to finish the overall task as quickly as possible. This feature explores options in advance, taking different avenues in various branches to get to the final destination in the shortest amount of time. With the path laid out, the CPU completes its task and moves on to the next. 

The BranchScope exploit enables attackers to take control of this “think ahead” decision-making component and steer the upcoming path in the wrong direction. Hackers can then grab sensitive data stored in memory not generally accessible by users and applications. The vulnerability is similar to Spectre Variant 2, only BranchScope targets the process that decides which branch the CPU will take next whereas Spectre Variant 2 resides in the cache component associated with branch prediction. 

“BranchScope works reliably and efficiently from user space across three generations of Intel processors in the presence of system noise, with an error rate of less than one percent,” the paper states. “BranchScope can be naturally extended to attack SGX (Software Guard Extensions) enclaves with even lower error rates than in traditional systems.” 

The researchers specifically tested BranchScope on three Intel processors: The sixth-generation Core i5-6200U chip, the fourth-generation Core i7-4800MQ chip, and the second-generation Core i7-2600 chip. As the paper suggests, hackers don’t need administrator privileges to execute the attack. Data can even be pulled from private regions of memory, aka enclaves, that’s locked away by the processor’s Software Guard Extensions. 

The researchers believe Intel’s updates addressing Meltdown and the two Spectre vulnerabilities won’t mitigate the security hole seen in the BranchScope discovery. The problem resides in a different part of speculative execution thus Intel will need to conjure up new software fixes for current chips, and a hardware fix for future processors. But Intel believes it’s current patches should address the BranchScope issue. 

“We have been working with these researchers and have determined the method they describe is similar to previously known side channel exploits,” the company states. “We anticipate that existing software mitigations for previously known side channel exploits, such as the use of side channel resistant cryptography, will be similarly effective against the method described in this paper.” 

According to Intel, one of the best ways to protect customers is to have a close relationship with the research community. But the company likely wasn’t quite so enthusiastic after researchers went public with the Meldown and Spectre vulnerabilities earlier this year. The company is likely bracing for additional criticism given BranchScope is now out in the open.