When word finally spread about Spectre and Meltdown, it seemed only a matter of time before attackers would try to leverage the side-channel vulnerabilities. That is not the only concern, however. A team of researchers from the College of William & Mary, University of California Riverside, Carnegie Mellon University in Qatar, and Binghamton University say they have discovered a new side-channel attack that affects Intel processors, and that patches released for Spectre and Meltdown might prove ineffective against the exploit.
Researchers are calling the newly discovered vulnerability "BranchScope." While not the same as Spectre or Meltdown, it works similarly to expose potentially sensitive information that normally would be inaccessible through direct access. As for how serious it really is, that depends on who you ask. According to the researchers, an attacker needs to have access to a targeted system and be able to execute arbitrary code on it. To them, BranchScope is "on par with other side-channel attacks."
"BranchScope is the first fine-grained attack on the directional branch predictor, expanding our understanding of the side channel vulnerability of the branch prediction unit," the researchers explained in their paper.
The researchers believe that existing patches and microcode updates related to Spectre and Meltdown are only partially effective in protecting against attacks like BranchScope, and that further mitigations are needed. Intel does not necessarily agree with that assessment.
"We have been working with these researchers and we have determined the method they describe is similar to previously known side channel exploits," Intel told SecurityWeek. "We anticipate that existing software mitigations for previously known side channel exploits, such as the use of side channel resistant cryptography, will be similarly effective against the method described in this paper. We believe close partnership with the research community is one of the best ways to protect customers and their data, and we are appreciative of the work from these researchers."
The good news for users is that side-channel attacks have not become commonplace in the wake of Spectre and Meltdown. That said, BranchScope is not the only CPU side-channel attack method to surface in recent weeks. Another one, called SgxPectre, demonstrates how Spectre can be used to compromise SGX enclaves. So far, however, there has not been an outbreak of any side-channel attacks in the wild that we are aware of.
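Intel's statement above names side-channel-resistant cryptography as the mitigation, and the researchers describe BranchScope as an attack on the directional branch predictor. As an added illustration (not code from the researchers' paper or from Intel; all function names and values are hypothetical), this C example puts a modular exponentiation whose branch direction follows each secret exponent bit beside a variant with no secret-dependent branch.

```c
#include <stdint.h>
#include <stdio.h>

/* (a * b) mod m via a 128-bit intermediate (GCC/Clang extension). */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) {
    return (uint64_t)(((unsigned __int128)a * b) % m);
}

/* Leaky form: the if() is taken or not taken according to each secret bit,
 * so the branch direction history mirrors the exponent. */
uint64_t modexp_branchy(uint64_t base, uint64_t exp, uint64_t m) {
    uint64_t r = 1 % m;
    base %= m;
    for (int i = 63; i >= 0; i--) {
        r = mulmod(r, r, m);
        if ((exp >> i) & 1)
            r = mulmod(r, base, m);
    }
    return r;
}

/* Returns b when bit == 1 and a when bit == 0, using a mask, not a jump. */
static uint64_t ct_select(uint64_t bit, uint64_t a, uint64_t b) {
    uint64_t mask = (uint64_t)0 - bit;      /* all zeros or all ones */
    return (a & ~mask) | (b & mask);
}

/* Hardened form: the multiply always runs and the result is chosen by mask.
 * The only branch left is the loop counter, which is public. This removes
 * the secret-dependent branch only; it makes no claim about other channels. */
uint64_t modexp_branchless(uint64_t base, uint64_t exp, uint64_t m) {
    uint64_t r = 1 % m;
    base %= m;
    for (int i = 63; i >= 0; i--) {
        r = mulmod(r, r, m);
        uint64_t t = mulmod(r, base, m);
        r = ct_select((exp >> i) & 1, r, t);
    }
    return r;
}

int main(void) {
    uint64_t m = 1000000007ULL, e = 0xC0FFEE1234ULL;   /* constructed values */
    printf("%llu %llu\n", (unsigned long long)modexp_branchy(3, e, m),
           (unsigned long long)modexp_branchless(3, e, m));
    return 0;
}
```

A compiler is free to turn the mask selection back into a conditional jump, so inspect the generated assembly for the hardened function before relying on it.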