New Specter-Style ‘Pathfinder’ Attack Targets Intel CPU, Leaks Encryption Keys and Data

May 8, 2024NewsroomData encryption/hardware security

Researchers have discovered two novel attack methods that target high-performance Intel CPUs and could be exploited in a key recovery attack against the Advanced Encryption Standard (AES) algorithm.

The techniques were collectively synchronized scout by a group of scientists from the University of California San Diego, Purdue University, UNC Chapel Hill, the Georgia Institute of Technology and Google.

“Pathfinder allows attackers to read and manipulate key components of the Branch Predictor, enabling two main types of attacks: reconstructing the history of program control flow and launching high-resolution Specter attacks,” Hosein Yavarzadeh, the lead author of the paper, said in a statement shared with The Hacker News.

“This includes extracting secret images from libraries such as libjpeg and recovering encryption keys from AES through intermediate value extraction.”

Specter is the name of a class of side-channel attacks that exploit branch prediction and speculative execution on modern CPUs to read privileged data in memory in a way that bypasses isolation protections between applications.

The latest attack approach targets a feature in the branch predictor called the Path History Register (PHR), which records the most recently taken branches to induce branch mispredictions and cause a victim program to execute unintended code paths, thereby unintentionally exposing its confidential data.

In particular, new primitives are introduced that allow PHR as well as the Prediction History Tables (PHTs) within the Conditional Branch Predictor (CBR) to be manipulated in order to leak historical execution data and ultimately trigger a Specter-style exploit.

In a series of demonstrations described in the study, the method was shown to be effective in extracting the secret AES encryption key, as well as leaking secret images during processing by the widely used libjpeg image library.

Following the responsible disclosure in November 2023, Intel said in an advisory released last month that Pathfinder is built on Specter v1 attacks and that previously deployed mitigations for Specter v1 and traditional side channels mitigate the reported exploits. There is no evidence that it has any impact on AMD CPUs.

“(This investigation) shows that the PHR is vulnerable to data leaks, exposes data not available via the PHTs (ordered results of repeated branches, global ordering of all branch results), exposes a far larger set of branch codes as potential attack surfaces, and cannot . “can be mitigated (cleared, obscured) using the techniques proposed for the PHTs,” the researchers said.