Indirector: High-Precision Branch Target Injection Attacks Exploiting the Indirect Branch Predictor

Authors:

Luyi Li, Hosein Yavarzadeh, and Dean Tullsen, UC San Diego

Distinguished Paper Award Winner

Abstract:

This paper introduces novel high-precision Branch Target Injection (BTI) attacks that leverage the intricate structures of the Indirect Branch Predictor (IBP) and the Branch Target Buffer (BTB) in high-end Intel CPUs. It presents, for the first time, a comprehensive picture of the IBP and the BTB in the most recent Intel processors, revealing their size, their structure, and the precise functions governing index and tag hashing. Additionally, this study reveals new details about the inner workings of Intel's hardware defenses, such as IBPB, IBRS, and STIBP, including previously unknown holes in their coverage. Leveraging insights from these reverse-engineering efforts, the research develops highly precise BTI attacks that breach security boundaries across diverse scenarios, including cross-process and cross-privilege settings, and uses the IBP and the BTB to break Address Space Layout Randomization (ASLR).

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {299742,
author = {Luyi Li and Hosein Yavarzadeh and Dean Tullsen},
title = {Indirector: {High-Precision} Branch Target Injection Attacks Exploiting the Indirect Branch Predictor},
booktitle = {33rd USENIX Security Symposium (USENIX Security 24)},
year = {2024},
isbn = {978-1-939133-44-1},
address = {Philadelphia, PA},
pages = {2137--2154},
url = {https://www.usenix.org/conference/usenixsecurity24/presentation/li-luyi},
publisher = {USENIX Association},
month = aug
}