Researchers have disclosed a new technique that could be used to circumvent existing hardware mitigations in modern processors from Intel, AMD, and Arm and stage speculative execution attacks such as Spectre to leak sensitive information from host memory.
Attacks like Spectre are designed to break the isolation between different applications by taking advantage of an optimization technique called speculative execution in CPU hardware implementations to trick programs into accessing arbitrary locations in memory and thus leak their secrets.
Called Branch History Injection, it’s a new variant of Spectre-V2 attacks that bypasses both eIBRS and CSV2, with the researchers describing it as a “Neat end-to-end exploit” leaking arbitrary kernel memory on modern Intel CPUs.
“The hardware mitigations do prevent the unprivileged attacker from injecting predictor entries for the kernel,” the researchers explained.
BHI is likely to impact all Intel and Arm CPUs that were previously affected by Spectre-V2, prompting both companies to release software updates to remediate the issue.
“The mitigations work as intended, but the residual attack surface is much more significant than vendors originally assumed,” the researchers said.
