Training Solo: New Spectre-v2 Attack Bypasses Kernel and Hypervisor Defenses
Researchers at VUSec have unveiled Training Solo, a study that challenges a core assumption behind Spectre-v2 defenses. Isolating prediction domains (user from kernel, guest from hypervisor) was long believed to rule out training a branch predictor across a privilege boundary. The authors show that, even with flawless isolation, an adversary can still train the predictor from within the victim's own privileged domain, such as the kernel, and use the resulting misprediction to leak sensitive data.
The paper presents three new classes of Spectre-v2 attacks built on this self-training model, in which both the training phase and the speculative execution take place inside a single privileged context. The consequence is that the classic Spectre-v2 scenario becomes feasible again: an attacker can hijack speculative control flow within the kernel or hypervisor and read memory that should be off limits.
The first class, history-based, uses "history gadgets" in the kernel to forge the branch history the predictor keys on. The experiments show that, even with domain isolation enabled, an attacker can shape this history through kernel interfaces reachable from user space, such as seccomp. On Intel Tiger Lake and Lion Cove processors the technique leaked kernel data at 1.7 KB/s.
The second class, IP-based, exploits address collisions in the Branch Target Buffer (BTB) when the predictor indexes on the branch's instruction pointer alone, without history. Because every branch in the kernel lives in the same prediction domain, two kernel branches whose addresses collide in the BTB can train each other; an empirical survey of many kernel gadgets indicates that such collisions can underpin practical attacks at scale.
The third and most severe class, direct-to-indirect, shows that on some chips a direct branch can train the prediction of an indirect branch, which the microarchitecture is not supposed to allow. It stems from two hardware defects: Indirect Target Selection (ITS) and a separate flaw in the Lion Cove branch predictor. Using them, the researchers read arbitrary kernel memory at up to 17 KB/s and built a prototype that extracts hypervisor memory at 8.5 KB/s.
In response, Intel has published microcode updates, introduced new indirect-branch mitigations and added the IBHF (Indirect Branch History Fence) instruction, a fence that stops branch history recorded before it from being used to predict indirect branches after it. On some platforms the vendor recommends explicit BHB-clearing sequences instead; IBPB has been reworked so that it cannot be bypassed, and the kernel-side ITS mitigation moves affected indirect branches and returns into aligned thunks so that they no longer fall in the half of a cache line where the defect applies. ARM has issued corresponding guidance, and fixes are reaching systems through firmware and Linux kernel updates. VUSec has released a toolkit for testing and auditing vulnerable predictors on its GitHub repository.
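Because the fixes land as a combination of microcode and kernel changes, the first thing an administrator wants to know is what the running kernel says about them. The script below is an added example, not code from VUSec or its toolkit: it reads the Linux sysfs vulnerability entries for Spectre v2 and Indirect Target Selection and classifies each line using the three status keywords the sysfs ABI defines ("Not affected", "Vulnerable", "Mitigation: ..."). The path is the standard Linux one; the sample status lines, the file name `indirect_target_selection` for the ITS entry and the mitigation names inside the samples are assumptions for illustration, constructed here rather than captured from a host.

```sh
#!/bin/sh
# Added example (not from the Training Solo paper or the VUSec toolkit).
# Classify the kernel's self-reported Spectre-v2 / ITS mitigation status.
# Status keywords follow the sysfs-devices-system-cpu ABI; the sample
# lines are constructed for illustration, not captured from a real host.

SYSFS_VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# Constructed sample lines in the kernel's format (assumed, for demonstration).
SAMPLE_PATCHED_SV2='Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; PBRSB-eIBRS: Not affected; BHI: BHI_DIS_S'
SAMPLE_PATCHED_ITS='Mitigation: Aligned branch/return thunks'
SAMPLE_OLD_ITS='Vulnerable'

# classify_status LINE -> not_affected | mitigated | vulnerable | unknown
# An empty or unrecognised line (e.g. a kernel that predates the entry)
# is reported as unknown so that it is never mistaken for "fixed".
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# bhi_status LINE -> the "BHI: ..." sub-field of a spectre_v2 line, or
# "absent". That sub-field is the branch-history mitigation relevant to
# the history-based class; fields are separated by ';'.
bhi_status() {
    case "$1" in
        *"BHI: "*)
            rest=${1##*"BHI: "}
            rest=${rest%%;*}
            echo "$rest"
            ;;
        *) echo absent ;;
    esac
}

# training_solo_ok SPECTRE_V2_LINE ITS_LINE -> exit 0 only when both entries
# are mitigated or not affected; unknown counts as not ok.
training_solo_ok() {
    sv2=$(classify_status "$1")
    its=$(classify_status "$2")
    [ "$sv2" != vulnerable ] && [ "$sv2" != unknown ] &&
    [ "$its" != vulnerable ] && [ "$its" != unknown ]
}

# read_entry NAME -> the raw sysfs line, or an empty string when the entry
# does not exist (older kernel, or not Linux at all).
read_entry() {
    f="$SYSFS_VULN_DIR/$1"
    if [ -r "$f" ]; then cat "$f"; else echo ""; fi
}

# Report for the running host. Under an older kernel the ITS entry is simply
# missing, which is itself the signal that the kernel-side fix is absent.
sv2_line=$(read_entry spectre_v2)
its_line=$(read_entry indirect_target_selection)
echo "spectre_v2:                 $(classify_status "$sv2_line") [$sv2_line]"
echo "  BHI sub-mitigation:       $(bhi_status "$sv2_line")"
echo "indirect_target_selection:  $(classify_status "$its_line") [$its_line]"
if training_solo_ok "$sv2_line" "$its_line"; then
    echo "verdict: kernel reports both entries mitigated or not affected"
else
    echo "verdict: kernel reports a vulnerable or missing entry; check microcode and kernel version"
fi
```

Run it as root or any user (the sysfs entries are world-readable). A "mitigated" verdict only tells you what the kernel believes about itself; the VUSec toolkit tests the predictor's actual behaviour, which is the stronger check.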