April 3, 2018

UC Riverside research compels response in cyber-security breach

Bourns professor's paper exposed a new microprocessor vulnerability

Author: Sophia Stuart
April 3, 2018

Hackers look for vulnerabilities within computer systems, which are constructed for high performance to meet consumer demand. Tensions between systems administrators protecting the network, and those seeking to attack it, run high.

If the issue is in the software layer, then fixes, patches, and repairs are installed and the public rarely hears about security breaches. If the vulnerability is in the hardware, fixes are expensive, or worse, not completely fixable by software. Then the situation escalates, as in the case of the Meltdown and Spectredata-stealing attacks earlier this year.

Semiconductor chip giants, such as Intel, Qualcomm and Samsung Electronics, employ massive teams to ensure instantaneous detection of cyber-security breaches, and deliver counter-virus measures to protect customers (and market share). But this goes on behind the scenes, so it’s rare when one responds publicly to new academic research that exposes faults inside systems – as Intel did to coverage last week.

The paper that caused the Intel response is BranchScope: A New Side-Channel Attack on Directional Branch Predictor, co-authored by Nael Abu-Ghazaleh, who holds joint appointments in the Computer Science and Engineering and Department of Electrical and Computer Engineering at UCR; along with Dmitry Evtyushkin, College of William and Mary; Ryan Riley, Carnegie Mellon University in Qatar; and Dmitry Ponomarev, Binghamton University. Their findings were presented at ASPLOSthe top multidisciplinary systems research symposium recently.  

Abu-Ghazaleh is a renowned expert in the field of cyber-security vulnerabilities and computer architecture support for security. His co-authored BranchScopepaper exposes a new type of branch predictor attack, similar to the Spectre attacks that hit the news in January, but, this time, exposing a different vulnerability within a microprocessor’s computer architecture, as he explained:  

“A branch predictor is a digital circuit that uses the ‘if-then’ nature of computer architecture, guessing which way to go next, based on the user command, or requirements of an app or program running on the network,” Abu-Ghazaleh said. “It’s a computer architectural design that builds in the ability to achieve high performance. However, there are issues, as we found in our research.”

The researchers carried out their extensive tests, showing how the vulnerability was exposed, on both Intel CPUs (central processing units) and against an Intel SGX (software guard extension) enclave. The latter, as indicated by its name, is designed to withstand such an attack. The manufacturer inserts it at a hardware level, as an isolated execution system, to protect application secrets from compromised system software.

After press exposure around the release of the paper at the ASPLOS symposium, Intel was swift to respond, releasing the following statement, which was reproduced, in part, by Ars Technica:

“We have been working with these researchers and we have determined the method they describe is similar to previously known side channel exploits,” the statement read. “We anticipate that existing software mitigations for previously known side channel exploits, such as the use of side channel resistant cryptography, will be similarly effective against the method described in this paper.”  

In their paper, the researchers showed that the BranchScope attacks were significantly different in form, intent and execution to both Meltdown and Spectre, and so require immediate restorative and protective action from manufacturers.

“Despite patches which were rolled out to combat earlier attacks, like Spectre, in Jan 2018, we believe BranchScope can still read data that should be protected, and is capable of defeating address space randomization (ASLR). In our paper, we demonstrated that this vulnerability remains on several Intel processors with an error rate of less than 1 percent. What Intel have said is generally correct with respect to Branchscope being a side-channel attack,” Abu-Ghazaleh said.

“Branchscope also allows the attacker to pollute the branch predictor and control the victim’s branch outcome, which is a capability similar in flavor to the attack that enabled Spectre 2, which our group was also instrumental in identifying. It is likely to be less powerful, because it controls only the direction of the branch (taken or not taken) but still it is critical for CPU manufacturers to close vulnerabilities such as this that enable attackers to control speculation. For this effect of BranchScope, the defenses Intel has suggested are ineffective.”

Alongside exposing significant issues in modern microprocessor architecture, the researchers have illustrated the significant contribution higher education can provide to tech giants.

In its statement to the press, Intel wrapped up by acknowledging the work of the senior academics behind this paper: “We believe close partnership with the research community is one of the best ways to protect customers and their data, and we are appreciative of the work from these researchers,” the statement read.

Media Contacts