Prior security research has primarily focused on exploiting the branch target buffer (BTB) and return stack buffer (RSB), two components of the CPU’s branch predictor. However, the Indirector attack focuses on a third component called the indirect branch predictor (IBP), which computes the target address of indirect branches.
“Indirect branches are control flow instructions whose target address is computed at runtime, making them challenging to predict accurately,” the UCSD researchers wrote. “The IBP uses a combination of global history and branch address to predict the target address of indirect branches. By analyzing the structure and operation of the IBP, we identify vulnerabilities that can be exploited to launch precise branch target injection (BTI) attacks.”
The researchers reverse-engineered the IBP mechanism in high-end Intel CPUs and then devised a tool called the iBranch Locator that can identify where a target process’ indirect branch is located in the IBP set. This allowed them to develop two attacks that could accurately inject arbitrary target addresses in either the IBP or the BTB.