Branch Privilege Injection: Exploiting branch predictor race conditions
Published on: 2025-07-12 06:44:51
Branch Privilege Injection (CVE-2024-45332) brings back the full might of branch target injection attacks (Spectre-BTI) on Intel. Intel’s hardware mitigations against these types of attacks have held their ground for almost 6 years. In our work, we demonstrate how these mitigations can be broken due to a race condition in Intel CPUs.
Our Branch Privilege Injection attack is made possible by the following two main insights:
Branch predictors on Intel processors are updated asynchronously with respect to the instruction stream. We are the first to unveil this behavior, and we show that, under certain conditions, these updates are delayed by tens or hundreds of cycles. The asynchronous updates are a feature and not a vulnerability by themselves.
We find that there is insufficient synchronization between the branch predictor and the instruction stream during security-critical operations. Branch predictor updates can still be in-flight when an affected processor switches privileges (e.g., user to kernel