Branch Privilege Injection: Exploiting Branch Predictor Race Conditions

Branch Privilege Injection (CVE-2024-45332) brings back the full might of branch target injection attacks (Spectre-BTI) on Intel. Intel’s hardware mitigations against these types of attacks have held their ground for almost 6 years. In our work, we demonstrate how these mitigations can be broken due to a race condition in Intel CPUs.

Our Branch Privilege Injection attack is made possible by two main insights:

  • Branch predictors on Intel processors are updated asynchronously with respect to the instruction stream. We are the first to unveil this behavior, and we show that updates are delayed by tens or hundreds of cycles under certain conditions. These asynchronous updates are a feature and not a vulnerability by themselves.
  • We find that there is insufficient synchronization between the branch predictor and the instruction stream during security-critical operations. Branch predictor updates can still be in-flight when an affected processor switches privileges (e.g., user to kernel or guest to hypervisor) or performs an IBPB. Because these updates are still in-flight, they are associated with the wrong privilege mode once they land after the privilege switch. We call this new class of vulnerabilities Branch Predictor Race Conditions.

We use the above insights to build an end-to-end Branch Privilege Injection attack that leaks arbitrary memory at 5.6 KiB/s on an up-to-date Ubuntu 24.04 with all default mitigations enabled. The following video demonstrates how Branch Privilege Injection leaks arbitrary memory on an Intel Raptor Lake (13th gen) processor.


Affected Mitigations

eIBRS: Intel has introduced enhanced Indirect Branch Restricted Speculation (eIBRS) as a Spectre-BTI mitigation on all its processors since the 9th generation (Coffee Lake Refresh).
eIBRS aims to separate indirect branch prediction between different security domains by associating each prediction with its originating domain and later only using predictions from the current domain.

IBPB: eIBRS only prevents cross-domain attacks between different hardware security domains.
This is insufficient in certain sandboxing scenarios or when separating distrusting virtual machines that run in the same hardware security domain.
For such use cases, the Indirect Branch Prediction Barrier (IBPB) provides a mechanism to invalidate all indirect branch predictions.

Both of these mitigations are recommended as the default mitigation strategy for their respective use cases.

Branch Predictor Race Conditions

Our work demonstrates race conditions in the branch predictor that invalidate the security guarantees of eIBRS and IBPB. While eIBRS appears to correctly restrict predictions to the security domain they are associated with, this association can be manipulated. Branch predictor updates that are in-flight while a privilege switch occurs are associated with the new security domain instead of the previous one.
Furthermore, we have found that updates that are in-flight when the indirect branch predictor is invalidated (IBPB) are not flushed. As a result, these updates are stored in the branch predictor despite the invalidation.

Mitigations against Branch Predictor Race Conditions

Intel has developed a microcode update for affected processors and provided us with one to evaluate on Alder Lake. We were able to verify that the microcode update stops the primitives we use in the paper to detect the vulnerabilities. Our performance evaluation shows up to 2.7% overhead for the microcode mitigation on Alder Lake. We have also evaluated several potential alternative mitigation strategies in software with overheads between 1.6% (Coffee Lake Refresh) and 8.3% (Rocket Lake). Please refer to our paper for more details.
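The two sections above describe the race in words: an eIBRS-style predictor tags each prediction with a security domain, but an update that is still in flight at a privilege switch or an IBPB is tagged with (or survives into) the wrong domain. The following is an added illustration, written for this page and not code from the paper or from Intel: a deliberately simplified software model of a domain-tagged branch target buffer with asynchronous updates. The entry count, the pending-queue size, the 50-cycle update latency, the addresses, and the `synchronized` switch that drains in-flight updates before a domain switch or barrier are all constructed for the model; it says nothing about how the real predictor or the microcode mitigation is built, only what "insufficient synchronization" and its absence look like in a system that behaves as the page describes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not Intel's predictor: a small BTB whose updates land
 * UPDATE_LATENCY cycles after the branch that produced them resolved. */
enum domain { DOMAIN_USER = 0, DOMAIN_KERNEL = 1 };

#define NUM_ENTRIES     16
#define MAX_PENDING     8
#define UPDATE_LATENCY  50   /* constructed; the page only says "tens or hundreds" of cycles */

struct btb_entry {
    bool valid;
    uint64_t src;       /* branch address */
    uint64_t target;    /* predicted target */
    enum domain dom;    /* domain the prediction is restricted to (eIBRS-style tag) */
};

struct pending_update {
    bool valid;
    uint64_t src, target;
    uint64_t lands_at;  /* cycle at which the update is written into the BTB */
};

struct predictor {
    struct btb_entry btb[NUM_ENTRIES];
    struct pending_update pending[MAX_PENDING];
    enum domain cur;    /* current privilege / security domain */
    uint64_t cycle;
    bool synchronized;  /* mitigation modelled here: drain in-flight updates before switch/IBPB */
};

static void predictor_init(struct predictor *p, bool synchronized)
{
    memset(p, 0, sizeof(*p));
    p->synchronized = synchronized;
}

/* Advance time. A landing update is tagged with the domain that is current
 * when it lands, not the one current when the branch executed: this is the
 * modelled flaw behind "associated with the wrong privilege mode". */
static void predictor_tick(struct predictor *p, uint64_t cycles)
{
    p->cycle += cycles;
    for (int i = 0; i < MAX_PENDING; i++) {
        struct pending_update *u = &p->pending[i];
        if (!u->valid || u->lands_at > p->cycle) continue;
        struct btb_entry *e = &p->btb[u->src % NUM_ENTRIES];
        e->valid = true; e->src = u->src; e->target = u->target; e->dom = p->cur;
        u->valid = false;
    }
}

/* Synchronization: wait until every in-flight update has landed. */
static void drain(struct predictor *p) { predictor_tick(p, UPDATE_LATENCY); }

/* An indirect branch at `src` resolved to `target`: queue the asynchronous update. */
static void branch_resolved(struct predictor *p, uint64_t src, uint64_t target)
{
    for (int i = 0; i < MAX_PENDING; i++) {
        if (p->pending[i].valid) continue;
        p->pending[i] = (struct pending_update){ true, src, target, p->cycle + UPDATE_LATENCY };
        return;
    }
}

/* eIBRS-style lookup: an entry is only used if its tag matches the current domain. */
static bool predict(struct predictor *p, uint64_t src, uint64_t *target)
{
    struct btb_entry *e = &p->btb[src % NUM_ENTRIES];
    if (!e->valid || e->src != src || e->dom != p->cur) return false;
    *target = e->target;
    return true;
}

static void switch_domain(struct predictor *p, enum domain d)
{
    if (p->synchronized) drain(p);   /* in-flight updates land under the old domain's tag */
    p->cur = d;
}

/* IBPB: invalidate every indirect branch prediction. The unsynchronized variant
 * leaves p->pending untouched, so those updates land after the barrier. */
static void ibpb(struct predictor *p)
{
    if (p->synchronized) drain(p);
    memset(p->btb, 0, sizeof(p->btb));
}

/* Race 1: a user-mode branch resolves just before a switch to kernel mode.
 * Returns true if the kernel later consumes the user-trained prediction. */
static bool user_update_leaks_into_kernel(bool synchronized)
{
    struct predictor p; predictor_init(&p, synchronized);
    const uint64_t src = 0x401000, target = 0x402000;   /* constructed addresses */
    branch_resolved(&p, src, target);                    /* update in flight, domain = user */
    predictor_tick(&p, 1);
    switch_domain(&p, DOMAIN_KERNEL);                    /* privilege switch while in flight */
    predictor_tick(&p, UPDATE_LATENCY);                  /* update lands after the switch */
    uint64_t t = 0;
    return predict(&p, src, &t) && t == target;
}

/* Race 2: IBPB executes while an update is in flight.
 * Returns true if the prediction is usable after the barrier. */
static bool update_survives_ibpb(bool synchronized)
{
    struct predictor p; predictor_init(&p, synchronized);
    const uint64_t src = 0x401000, target = 0x402000;
    branch_resolved(&p, src, target);
    predictor_tick(&p, 1);
    ibpb(&p);
    predictor_tick(&p, UPDATE_LATENCY);
    uint64_t t = 0;
    return predict(&p, src, &t) && t == target;
}

int main(void)
{
    printf("unsynchronized: user update visible in kernel = %d, survives IBPB = %d\n",
           user_update_leaks_into_kernel(false), update_survives_ibpb(false));
    printf("synchronized:   user update visible in kernel = %d, survives IBPB = %d\n",
           user_update_leaks_into_kernel(true), update_survives_ibpb(true));
    return 0;
}
```

The model tags an update at landing time; an equally valid fix would tag it at issue time instead of draining, which is a design choice the model leaves open, since the page does not say which approach the microcode update takes. What the model does make concrete is the invariant a mitigation has to restore: no update produced in one domain may become usable in another, and no update produced before a barrier may become usable after it.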

Resources

A paper about Branch Privilege Injection will be presented at USENIX Security 2025. There will also be a talk at Black Hat USA 2025 with a focus on vulnerability discovery and exploitation. You can find the source code for the attack and all our experiments on GitHub.

FAQ

  • Is my machine affected?

    All Intel processors since the 9th generation (Coffee Lake Refresh) are affected by Branch Privilege Injection. However, we have observed predictions bypassing the Indirect Branch Prediction Barrier (IBPB) on processors as far back as the 7th generation (Kaby Lake).

  • Does Branch Privilege Injection affect non-Intel CPUs?

    No. Our analysis has not found any issues on the evaluated AMD and ARM systems.

  • Are only Linux systems affected?

    While we have built our proof-of-concept attack specifically for Linux, the underlying issue is present in the hardware. Any operating system running on affected hardware is therefore also affected by Branch Privilege Injection.

  • What should I do?

    Install the latest operating system and BIOS updates.