Researchers have uncovered a set of attack techniques, named "Pathfinder," that exploit the conditional branch predictor in Intel processors.
The Pathfinder attacks could put billions of devices at risk of exposing confidential data. A team of researchers from UC San Diego, UNC Chapel Hill, Purdue, Google, and Georgia Tech developed the new attack methods, and their findings were presented at the 2024 ACM ASPLOS conference earlier this year.
What are the Pathfinder attacks?
The Pathfinder attacks target the Path History Register (PHR), a component of the conditional branch predictor in Intel processors. The PHR is a global history of recently taken branches that the predictor consults, together with the branch address, when it looks up a prediction.
The researchers found that they can both recover the contents of the PHR and deliberately set them so that a chosen branch is mispredicted. A mispredicted branch makes the processor speculatively execute a code path it would never take architecturally, before the branch's real outcome is known.
That speculative execution is discarded architecturally, but it leaves traces in microarchitectural state (such as the cache) that expose confidential data normally protected by the isolation between applications. In essence, the Pathfinder attacks allow attackers to read and manipulate critical components of the branch predictor, according to lead researcher Hosein Yavarzadeh.
Reconstructing Control Flow And Launching Spectre Attacks
The Pathfinder techniques enable two main types of attacks on Intel CPUs:
- Reconstructing program control-flow history – By recovering the contents of the PHR after a victim has run, attackers can determine the sequence of branches the victim process recently took. This reveals sensitive execution details, since the path through a program often depends on the data it is processing.
- Launching high-resolution Spectre attacks – By setting the PHR so that a specific branch is mispredicted, attackers steer the victim into speculatively executing a path of their choosing. Classic Spectre techniques then extract secrets, such as encryption keys, from the transiently exposed microarchitectural state.
In demonstration attacks, the researchers extracted AES encryption keys and recovered secret images processed by the libjpeg image library. In both cases the extraction works by leaking intermediate computational values through Spectre-style side channels.
Mitigations and Responses
Intel was notified of the Pathfinder findings in November 2023 through coordinated disclosure. In April 2024, Intel published an advisory acknowledging that Pathfinder builds on Spectre v1 attacks.
The chipmaker stated that previously deployed mitigations for Spectre v1 and traditional side channels should also minimize the risk from Pathfinder. These include compiler hardening that removes or constrains speculation-sensitive code patterns, inserting memory fences/barriers after bounds checks, and applying microcode updates.
While the researchers found no evidence that Pathfinder affects AMD processors, both Intel and AMD have released security updates to address the issue proactively.
However, the team notes that the PHR leaks data that is unavailable through other branch predictor structures such as the prediction history table (PHT), and that it exposes more code to side-channel attacks than the known PHT techniques do. Complete mitigation may not be possible.
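The Spectre v1 pattern that Intel's guidance refers to, and the two software mitigations it lists (a fence after the check, and hardened code that clamps the index without a branch), look like the following. This is an added example, not code from the Pathfinder paper or from Intel's advisory: the victim memory layout, the byte values and the secret are constructed here, the mask helper is modelled on the Linux kernel's generic `array_index_mask_nospec()`, and the cache-timing step an attacker would use to read the leaked line (Flush+Reload) is deliberately omitted because it is noisy and machine-dependent.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PUBLIC_LEN 16
#define PROBE_STRIDE 64   /* one cache line per possible byte value */

/* Constructed victim memory (hypothetical, not from the paper): a public
 * buffer with a secret placed directly after it, so public_data[PUBLIC_LEN+i]
 * reads secret[i] whenever the bounds check is bypassed. */
static struct {
    uint8_t public_data[PUBLIC_LEN];
    uint8_t secret[8];
} victim_mem = {
    { 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
      0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f },
    { 'S', 'E', 'C', 'R', 'E', 'T', '!', 0 }
};

/* Shared probe array: the dependent load in each victim touches one line of
 * it, which a Flush+Reload attacker later times (timing code not shown). */
static uint8_t probe_table[256 * PROBE_STRIDE];
static volatile uint8_t sink;   /* keeps the probe load from being optimised away */

/* Stops younger instructions issuing until the preceding branch has resolved.
 * LFENCE is the x86 barrier Intel's guidance refers to; other ISAs need their
 * own (e.g. CSDB on AArch64), so the fallback here is only a compiler barrier. */
static inline void speculation_barrier(void) {
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#else
    __asm__ __volatile__("" ::: "memory");
#endif
}

/* Branch-free mask, modelled on the Linux kernel's generic
 * array_index_mask_nospec(): all ones when idx < size, zero otherwise.
 * No conditional branch is involved, so the result is correct even while the
 * surrounding bounds check is being mispredicted. */
static inline size_t index_mask_nospec(size_t idx, size_t size) {
    __asm__ __volatile__("" : "+r"(idx));   /* stop the compiler turning this back into a branch */
    intptr_t m = ~(intptr_t)(idx | (size - 1 - idx));
    return (size_t)(m >> (sizeof(intptr_t) * 8 - 1));   /* arithmetic shift: -1 or 0 */
}

/* Vulnerable gadget: the 'if' is a conditional branch. Once mistrained to
 * predict "in bounds", an out-of-bounds idx is used before the check retires,
 * and the dependent probe_table load leaves the secret byte in the cache. */
uint8_t victim_vulnerable(size_t idx) {
    if (idx < PUBLIC_LEN) {
        uint8_t v = victim_mem.public_data[idx];
        sink = probe_table[v * PROBE_STRIDE];   /* encodes v into cache state */
        return v;
    }
    return 0;
}

/* Hardened variant 1: a barrier so the load cannot issue until the bounds
 * check has architecturally resolved. */
uint8_t victim_fenced(size_t idx) {
    if (idx < PUBLIC_LEN) {
        speculation_barrier();
        uint8_t v = victim_mem.public_data[idx];
        sink = probe_table[v * PROBE_STRIDE];
        return v;
    }
    return 0;
}

/* Hardened variant 2: clamp the index with a branch-free mask so that even a
 * mispredicted path can only touch public_data[0..PUBLIC_LEN-1]. */
uint8_t victim_masked(size_t idx) {
    if (idx < PUBLIC_LEN) {
        idx &= index_mask_nospec(idx, PUBLIC_LEN);
        uint8_t v = victim_mem.public_data[idx];
        sink = probe_table[v * PROBE_STRIDE];
        return v;
    }
    return 0;
}

/* The attacker's call pattern: many in-bounds calls train the predictor toward
 * "taken", then one malicious index is supplied. Architecturally every
 * out-of-bounds call returns 0 in all three variants; only the vulnerable one
 * leaves the secret in the cache during the mispredicted window. */
size_t attacker_pattern(uint8_t (*victim)(size_t), size_t malicious_idx) {
    size_t architectural_sum = 0;
    for (int i = 0; i < 30; i++)
        architectural_sum += victim((size_t)(i % PUBLIC_LEN));
    architectural_sum += victim(malicious_idx);
    return architectural_sum;
}

int main(void) {
    size_t oob = PUBLIC_LEN + 2;   /* would reach victim_mem.secret[2] speculatively */
    printf("vulnerable=%zu fenced=%zu masked=%zu (architectural results are identical)\n",
           attacker_pattern(victim_vulnerable, oob),
           attacker_pattern(victim_fenced, oob),
           attacker_pattern(victim_masked, oob));
    printf("mask(5,16)=%zx mask(16,16)=%zx\n",
           index_mask_nospec(5, PUBLIC_LEN), index_mask_nospec(16, PUBLIC_LEN));
    return 0;
}
```

The point the three variants make is that the vulnerability is invisible at the architectural level: all of them return the same values for every input, and a unit test cannot tell them apart. What differs is what the processor does during the window between predicting the branch and resolving it, which is exactly the window Pathfinder widens and steers by controlling the PHR. The mask-based variant is usually preferred over the fence because it does not serialise the pipeline, but it has to be written so the compiler cannot fold it back into a branch, which is why the asm barrier on the index is there.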
Significance And Impact Of Pathfinder Research
This research demonstrates that branch predictor structures like the PHR are richer sources of side-channel leakage than had been appreciated. By focusing exploitation on the PHR, the Pathfinder methods reach a broader attack surface and reveal control-flow history in unprecedented detail.
Ongoing Concern for Intel CPUs
Because the PHR, according to the researchers, cannot be mitigated (cleared or obfuscated) in the way the PHT can, it represents an ongoing leakage concern for Intel CPUs. Billions of devices worldwide rely on Intel processors exposed to Pathfinder-based side channels.
Moving Forward with Defenses
Microarchitectural side-channel defenses need to account for a broader set of prediction structures and their leakage potential. Hardening branch predictors against manipulation is what would close off Pathfinder's attack avenues.
Nevertheless, the work underscores the security challenges that remain around hard-to-anticipate microarchitectural flaws.
As processors keep adding performance-driven prediction and speculation features, unexpected leakage paths may persist as an inherent tradeoff.
Hardware and software developers must proceed carefully to minimize the risk of new exploits, through ongoing defenses and scrutiny of future designs.
Coordinated Disclosure is Paramount
The policy implications matter, too. Because systemic vulnerabilities regularly affect vast numbers of systems, coordinated vulnerability disclosure remains paramount. Close collaboration between academia and industry helps upgrade defenses across billions of affected devices worldwide.
In Conclusion
The Pathfinder research makes a significant scientific contribution by exposing new leakage vectors in Intel processors.
While mitigations exist, the work highlights the remaining challenges in securing modern processors against the unintended side effects of branch prediction. Continued scrutiny and cooperation will help minimize future widespread security impacts.