Exploiting Inaccurate Branch History in Side-Channel Attacks
Exploiting Inaccurate Branch History in Side-Channel Attacks
Check the latest version at Github: zhuyuhui97/sec25-inaccurate-br-hist-artifact Modern out-of-order CPUs heavily rely on speculative execution for performance optimization, with branch prediction serving as a cornerstone to minimize pipeline stalls and maximize efficiency. When shared branch prediction resources lack proper isolation and sanitization methods, they can introduce security vulnerabilities that expose sensitive data across different software contexts. This artifact evaluates the behavior of two underdocumented features of the Branch Predictor Unit: Bias-Free Branch Prediction and Branch History Speculation. These discoveries expose previously unknown cross-privilege attack surfaces for Branch History Injection (BHI). Based on these findings, we present three novel attack primitives: two Spectre attacks, namely Spectre-BSE and Spectre-BHS, and a cross-privilege control flow side-channel attack called BiasScope. This artifact evaluates the presence of these primitives using user-mode intra-process proof-of-concepts, then evaluates their capability for mounting cross-privilege attacks using custom syscall handlers. Finally, we demonstrate the Chimera snippet using eBPF to achieve end-to-end exploitation. This artifact contains proof-of-concept (PoC) code demonstrating the vulnerabilities discovered in the paper. The project is organized into several submodules, each addressing different attack scenarios: intra-ctx: Intra-process PoCs demonstrating the relevant microarchitectural behaviors and primitives to perturb and exploit their side effects. This module covers BHB/PHT mistraining (Section 3.3), Spectre-BSE (Section 5.4), Spectre-BHS (Section 6.2), and Chimera snippets (Section 7). cross-ctx: Cross-context PoCs showcasing how these primitives can manipulate branch prediction in kernel mode or another process. This module covers BiasScope (Section 5.3), Spectre-BSE (Section 5.4), and Spectre-BHS (Section 6.2). chimera-ebpf: End-to-end Chimera attack (Section 7) implemented as an eBPF program, demonstrating practical kernel memory leakage.
citations This is an alternative to the "Influence" indicator, which also reflects the overall/total impact of an article in the research community at large, based on the underlying citation network (diachronically).0 popularity This indicator reflects the "current" impact/attention (the "hype") of an article in the research community at large, based on the underlying citation network.Average influence This indicator reflects the overall/total impact of an article in the research community at large, based on the underlying citation network (diachronically).Average impulse This indicator reflects the initial momentum of an article directly after its publication, based on the underlying citation network.Average
Citations provided by BIP!Popularity provided by BIP!