Academic researchers from multiple universities recently discovered a new Spectre-like method for extracting secrets from modern Intel processors. However, Intel says its existing Spectre mitigations already address the issue.
A group of researchers from the University of California San Diego, Purdue University, UNC Chapel Hill, Georgia Institute of Technology, and Google discovered that a component of the branch predictor called the Path History Register (PHR) can be manipulated into exposing sensitive data.
That’s why they named the vulnerability ‘Pathfinder’.
“Pathfinder allows attackers to read and manipulate key components of the branch predictor, enabling two main types of attacks: reconstructing the history of the program control flow and launching high-resolution Spectre attacks,” Hosein Yavarzadeh, the lead author of the paper, told The Hacker News.
“This includes extracting secret images from libraries such as libjpeg and recovering encryption keys from AES via intermediate value extraction.”
For those with shorter memories, Spectre was a side-channel attack that abused branch prediction and speculative execution in processors, allowing attackers to read sensitive data from memory.
The PHR’s job is to keep track of the most recently taken branches. It can be manipulated into causing branch mispredictions, which in turn cause a victim program to speculatively execute unintended code paths, exposing sensitive data.
In the research paper, the academics demonstrated extracting a secret AES encryption key and leaking secret images while they were being processed by the libjpeg image library.
Intel was notified in November last year and published a security advisory addressing the findings in April this year. In the advisory, Intel said that Pathfinder builds on Spectre v1, adding that the previously released mitigations also address this issue.
AMD’s silicon appears to be immune to Pathfinder, the researchers concluded.
Those who want to know more can read the full paper at this link.