Computer scientists uncover a previously unknown security feature in Intel processors that provides robust protection against attacks, including the notorious Spectre vulnerability, Cyber Security News learned from researchers at UC San Diego and Purdue University.
In a groundbreaking study titled “Half&Half: Demystifying Intel’s Directional Branch Predictors for Fast, Secure Partitioned Execution,” researchers from UC San Diego and Purdue University have successfully reverse-engineered Intel’s flagship processors, unraveling their conditional branch predictors spanning over a decade.
Conditional branch instructions play a crucial role in modern software, influencing the execution of instructions based on data values—approximately 10 to 20 percent of all instructions executed fall under this category.
Intel’s Branch Predictor
To optimize processing speed, modern processors employ branch predictors that anticipate the outcome of conditional branches, enabling uninterrupted execution until the branch’s result becomes known much later in the pipeline.
However, existing processors share the branch predictor among all threads and processes, resulting in severe security vulnerabilities
. Malicious actors can exploit these vulnerabilities to observe branch outcomes in targeted programs and gain access to confidential data such as passwords and encryption keys.
Furthermore, specific Spectre attacks leverage the branch predictor by injecting data to extract sensitive information stored in memory.
Despite no previous comprehensive analysis of Intel’s predictors, even those introduced over a decade ago, the researchers successfully reverse-engineered the predictors’ structures, sizes, and lookup functions.
Intel’s branch predictor consists of four tables, and the lookup functions employ complex hashing techniques based on data collected from up to 194 previous branch instances. Surprisingly, the researchers discovered that modifying a single bit of the branch address could partition the branch predictor into two parts.
Half&Half – Eliminating Data Leakage
“By making a minor change in code generation, we can now concurrently run two threads on the same processor core, eliminating data leakage through the branch predictor and thwarting Spectre attacks,” explained Hosein Yavarzadeh, the lead author of the paper and a PhD student in Computer Science and Engineering at UC San Diego, via report shared with Cyber Security News.
CSE Professor Dean Tullsen expressed his astonishment at this finding, noting the intricate nature of the indexing functions and the unlikely isolation of a single bit without interdependencies. He further stated, “While we would have been thrilled if Intel had planned such a feature intentionally for future processors, it was mind-boggling to discover that this security-enhancing capability has existed in every major Intel processor for more than a decade, with almost no awareness of its security implications.”
Kazem Taram, a professor at Purdue University and CSE alumnus, highlighted the conditional branch predictor’s mysterious nature, regarded as the most challenging component to reverse-engineer.
Taram expressed excitement over the newfound insights into the functionality and detailed structure of branch predictors, previously shrouded in secrecy for both security and performance researchers.
Previously, the prevailing software techniques for achieving conditional branch isolation between threads incurred a performance overhead ranging from 50 to 100 percent.
However, the Half&Half approach offers the same security protection against branch predictor leaks with a minimal 2 to 5 percent performance cost, achieved through a straightforward modification to compiler code generation.
The discovery of this hidden security feature in Intel processors marks a significant breakthrough in computer security, demonstrating how a small change can yield substantial results.
The Half&Half approach opens doors to enhanced protection against critical vulnerabilities, safeguarding sensitive data from malicious attacks like Spectre.