This post is also available in: Italian

Now that Meltdown and Spectre vulnerabilities are almost fixed, there is a new critical vulnerability for several Intel CPU called BranchScope, discovered by some researchers from four universities.

It’s again a speculative execution issue, in the method a processor uses to predict where its current computational task. By exploiting this flaw, attackers with local access could pull data stored from memory that’s otherwise inaccessible to all applications and users.

The vulnerability is similar to Spectre Variant 2, but BranchScope targets the process that decides which branch the CPU will take next whereas Spectre Variant 2 resides in the cache component associated with branch prediction. Branch prediction units (BPUs) are used to improve the performance of pipelined processors by guessing the execution path of branch instructions. The problem is that when two processes are executed on the same physical CPU core, they share a BPU, potentially allowing a malicious process to manipulate the direction of a branch instruction executed by the targeted application.

The BranchScope attack has been demonstrated on devices with three types of Intel i5 and i7 CPUs based on Skylake, Haswell and Sandy Bridge microarchitectures. Again the latest Intel CPU generation is fully affected by this problem.

Some previous patches can partially mitigate this problem, but new patches (and probably also microcode) should be expected soon.

Note that AMD CPU has also other different types of vulnerabilities.

See also:

This post has already been read 641 times.

Andrea MauroAbout Andrea Mauro (2695 Posts)

Virtualization, Cloud and Storage Architect. Tech Field delegate. VMUG IT Co-Founder and board member. VMware VMTN Moderator and vExpert 2010-18. Dell TechCenter Rockstar 2014-15. Microsoft MVP 2014-16. Veeam Vanguard 2015-18. Nutanix NTC 2014-18. PernixPro 2014-16. Several certifications including: VCDX-DCV, VCP-DCV/DT/Cloud, VCAP-DCA/DCD/CIA/CID/DTA/DTD, MCSA, MCSE, MCITP, CCA, NPP.


Related Post:

Share