Academic researchers from multiple universities recently discovered a new Spectre-like method of extracting secrets from modern Intel processors. However, Intel says that the original Spectre mitigation fixes these flaws, too.
A group of researchers from the University of California San Diego, Purdue University, UNC Chapel Hill, Georgia Institute of Technology, and Google, discovered that a feature in the branch predictor called the Path History Register (PHR) can be tricked to expose sensitive data.
Thus, they dubbed the vulnerability “Pathfinder”.
Extracting AES encryption keys
"Pathfinder allows attackers to read and manipulate key components of the branch predictor, enabling two main types of attacks: reconstructing program control flow history and launching high-resolution Spectre attacks," Hosein Yavarzadeh, the lead author of the paper, told The Hacker News.
"This includes extracting secret images from libraries like libjpeg and recovering encryption keys from AES through intermediate value extraction."
For those with shorter memory, Spectre was a side-channel attack that exploited branch prediction and speculative execution in processors, allowing attackers to read sensitive data in the memory.
PHR’s job is to keep a record of the last branches taken. It can be fooled to induce branch mispredictions and thus cause a victim program to run unintended code paths. As a result, sensitive data gets exposed.
In the research paper, the academics demonstrated extracting the secret AES encryption key, and leaking secret images during libjpeg image library processing.
Intel was tipped off in November last year, and released a security advisory addressing the findings, in April this year. In the advisory, Intel said that Pathfinder builds on Spectre v1, adding that the previously released mitigations address this problem, as well.
AMD’s silicon seems to be immune to Pathfinder, the researchers concluded.
Those interested in learning more can read the entire paper on this link.
More from TechRadar Pro
- A customer managed to get the DPD AI chatbot to swear at them, and it wasn’t even that hard
- Here's a list of the best firewalls today
- These are the best endpoint protection tools right now