“Pathfinder” Exploit Unveiled: New Threat to Billions of Devices
An international team of scientists, led by specialists from the University of California, San Diego, has identified a new type of attack targeting the branch prediction component at the microarchitectural level. The findings, which could potentially affect billions of devices, will be presented at the ACM ASPLOS 2024 conference scheduled from April 27 to May 1 of this year.
The study, titled “Pathfinder,” revealed vulnerabilities in the so-called Path History Register, which records the order and addresses of conditional branches. This is the first attack that intentionally exploits this feature to extract information with remarkable precision.
Modern processors use the mechanism of branch prediction to optimize program execution. However, the new research demonstrated that entries in the Path History Register not only track recent branches but also reconstruct a significantly longer history of branch sequences.
Hosein Yavarzadeh, a Ph.D. candidate in computer science at the University of California, San Diego, and the lead author of the study, reported: “We demonstrate the implications of these attacks with two case studies: We demonstrate a speculative execution attack against AES that returns intermediate values at multiple steps to recover the AES key. We also steal secret images by capturing the complete control flow of libjpeg routines.”
Professor Dean Tullsen from the same university added: “The attack unveils an exceptionally high-resolution Spectre-style exploit, capable of generating intricate patterns of mispredictions to steer the victim into executing a specific code path unintended by the programmer.”
Furthermore, the researchers demonstrated an attack in which they caused an encryption algorithm to prematurely terminate its operation, leading to the exposure of encrypted data at early stages of processing. This enabled them to extract the secret AES encryption key.
Kazem Taram, an associate professor of computer science at Purdue University, noted: “Pathfinder can reveal the outcomes of nearly any conditional branch in any program, making it the most precise and powerful attack at the microarchitectural level that we have seen so far.”
In response to the publication of the research results, Intel and AMD have issued security bulletins. Both, however, state that the previously released mitigations for the Spectre v1 vulnerability are sufficient to protect their devices.