It was just yesterday that Training Solo was made public as a new speculative execution CPU vulnerability affecting some Intel and Arm CPUs. Today another one is public, this time for Intel processors only: Branch Privilege Injection.
Branch Privilege Injection comes out of research by ETH Zurich Computer Security Group “COMSEC” that has discovered other interesting vulnerabilities in the past too.
Branch Privilege Injection brings back branch target injection attacks (a.k.a. Spectre-BTI) on Intel processors. Intel's existing Spectre-BTI mitigations can be broken due to a race condition inside the processor, and the resulting attack can leak arbitrary memory at around 5.6 KiB/s on a default Ubuntu 24.04 installation with its default mitigations enabled.
The ETH Zurich researchers uncovered that the current enhanced Indirect Branch Restricted Speculation (eIBRS) and Indirect Branch Prediction Barrier (IBPB) mitigations are insufficient. That is a blow, since eIBRS is the standard Spectre-BTI mitigation on Intel processors going back to the Coffee Lake Refresh days.
Addressing Branch Privilege Injection doesn't require any kernel changes but does require new Intel CPU microcode. Unfortunately, that microcode is expected to come with a performance cost:
“Intel has developed a microcode update for affected processors and provided us with one to evaluate on Alder Lake. We were able to verify that the microcode update stops our primitives that we use in the paper to detect the vulnerabilities. Our performance evaluation shows up to 2.7% overhead for the microcode mitigation on Alder Lake. We have also evaluated several potential alternative mitigation strategies in software with overheads between 1.6% (Coffee Lake Refresh) and 8.3% (Rocket Lake).”
Branch Privilege Injection affects all Intel CPUs since the 9th Gen Core CPUs (Coffee Lake Refresh), while the IBPB bypass vector goes back to 7th Gen Core (Kaby Lake) processors.
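Since the fix is microcode rather than a kernel patch, the practical question for an admin is whether a given Linux host is still relying on eIBRS/IBPB for Spectre v2 and what microcode revision it is actually running. The following POSIX shell check is an added example, not code from the article or from ETH Zurich COMSEC. The two sysfs paths are the Linux kernel's real ones; the fixed microcode revision differs per CPU model and is not stated on this page, so the script takes it as an assumed caller-supplied MIN_MICROCODE value (hex, from Intel's advisory for the specific part) and does no comparison when it is not given.

```shell
#!/bin/sh
# Added example (not from the article or from ETH Zurich COMSEC).
# Reports whether this host's Spectre-v2 mitigation rests on eIBRS and/or
# IBPB, the mitigations Branch Privilege Injection bypasses, and which
# microcode revision is loaded. The fixed revision per CPU model is NOT
# known to this script: set MIN_MICROCODE (hex) from Intel's advisory for
# your part and the loaded revision is compared against it.

SPECTRE_V2_SYSFS=/sys/devices/system/cpu/vulnerabilities/spectre_v2
MICROCODE_SYSFS=/sys/devices/system/cpu/cpu0/microcode/version

# Classify one spectre_v2 sysfs line. Echoes one of:
#   not-affected | vulnerable | eibrs+ibpb | eibrs | ibpb | other
# "Enhanced*IBRS" is matched instead of "eIBRS" because the unrelated
# "PBRSB-eIBRS:" field contains that substring even on retpoline systems.
classify_spectre_v2() {
    line=$1
    eibrs=0
    ibpb=0
    case "$line" in
        "Not affected"*) echo not-affected; return 0 ;;
        *Vulnerable*)    echo vulnerable;   return 0 ;;
    esac
    case "$line" in *Enhanced*IBRS*) eibrs=1 ;; esac
    # "IBPB: disabled" means the barrier is not part of the mitigation.
    case "$line" in *"IBPB: conditional"*|*"IBPB: always-on"*) ibpb=1 ;; esac
    if [ "$eibrs" -eq 1 ] && [ "$ibpb" -eq 1 ]; then echo eibrs+ibpb
    elif [ "$eibrs" -eq 1 ]; then echo eibrs
    elif [ "$ibpb" -eq 1 ]; then echo ibpb
    else echo other
    fi
}

# Exit 0 when the loaded revision ($2) is at or above the minimum ($1).
# Both are hex strings such as 0xb6; printf %d converts them for comparison.
microcode_at_least() {
    min=$(printf '%d' "$1")
    loaded=$(printf '%d' "$2")
    [ "$loaded" -ge "$min" ]
}

# Echo a sysfs file's contents, or "unknown" when it is absent (non-Linux,
# non-Intel, or a container without /sys access).
read_or_unknown() {
    if [ -r "$1" ]; then cat "$1"; else echo unknown; fi
}

report() {
    line=$(read_or_unknown "$SPECTRE_V2_SYSFS")
    ucode=$(read_or_unknown "$MICROCODE_SYSFS")
    echo "spectre_v2: $line"
    echo "microcode:  $ucode"
    case $(classify_spectre_v2 "$line") in
        eibrs+ibpb|eibrs|ibpb)
            echo "status: mitigation relies on eIBRS/IBPB; confirm the microcode revision covers Branch Privilege Injection" ;;
        not-affected) echo "status: kernel reports Spectre v2 as not affected" ;;
        vulnerable)   echo "status: kernel already reports Spectre v2 as vulnerable" ;;
        *)            echo "status: unrecognised mitigation string, inspect manually" ;;
    esac
    # MIN_MICROCODE is an assumed caller-supplied value, not a known constant.
    if [ -n "${MIN_MICROCODE:-}" ] && [ "$ucode" != unknown ]; then
        if microcode_at_least "$MIN_MICROCODE" "$ucode"; then
            echo "microcode:  at or above $MIN_MICROCODE"
        else
            echo "microcode:  BELOW $MIN_MICROCODE, update required"
        fi
    fi
    return 0
}

report
```

Run it as `MIN_MICROCODE=0x... sh bpi-check.sh` on each Intel host once Intel publishes the revision for that CPU model; without MIN_MICROCODE it only reports the mitigation class and loaded revision. Note that the sysfs string reporting eIBRS is exactly what a patched system will still show, so the microcode revision, not the mitigation name, is the thing to track.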
Between Training Solo and Branch Privilege Injection, interesting times ahead for some fresh CPU benchmarking with up-to-date software stacks.
More details on Branch Privilege Injection via comsec.ethz.ch.