New Indirector Attack Targets Intel Raptor, Alder Lake CPUs

Researchers from the University of California at San Diego have introduced a new method of attacking Intel microarchitectural structures that applies to CPUs based on microarchitectures such as Raptor Lake and Alder Lake. The attack, known as Indirector, lets malicious code influence the speculative execution of instructions running at other privilege levels (for example, in the kernel or in another virtual machine) on the same CPU hardware thread. A proof-of-concept exploit has been released under the MIT license to demonstrate the method, along with tools for analyzing and reverse engineering the CPU's microarchitectural logic.

Two ways of organizing the attack have been proposed. The first injects entries into the IBP (Indirect Branch Predictor), the structure that predicts the target of indirect branches whose address or offset is not known in advance, in order to steer those branches. The second targets the BTB (Branch Target Buffer), which stores the targets of recently executed branches.

The identified vulnerability allows an attacker to observe entries in the IBP and BTB, manipulate branch target addresses, and redirect other processes during speculative execution. Although the results of speculative execution are discarded once the misprediction is detected, data and addresses pulled into the cache during that window can be recovered by measuring differences in memory access times. This can be used to bypass protections such as ASLR by determining the exact addresses of indirect branch targets.