Branch History Injection / Spectre-BHB
This repository contains reverse-engineering and exploits source code regarding the Spectre-BHB/Branch History Injection vulnerability.
For more information about our work:
- Project page: https://vusec.net/projects/bhi-spectre-bhb
- Intel security advisory
- ARM Security advisory
Setup
Ensure that the required dependencies are installed depending on your system under test:
x86-64
sudo apt install gcc nasm msr-tools qemu-system-x86 debootstrap wget make
Arm-Android
- Download
android-ndk-r23b-linux.zipfrom https://developer.android.com/ndk/downloads/index.html unzip android-ndk-r23b-linux.zipin the top directory- Finally execute
source env.shto create theCC_ANDROIDenvironment variable.
How to compile
For every experiment/poc a corresponding Makefile is provided.
Depending on your target use:
make TARGET=INTEL_10_GEN #e.g. for the Intel i7-10700K
make TARGET=INTEL_11_GEN #e.g. for the Intel Xeon Silver 4310
make TARGET=PIXEL_6 #For the Pixel 6 Cortex-X1
In case the system under test is not supported, it is simply sufficient to edit common/targets.h to add the required micro-architectural parameters.
Repository organization
-
- ibrs_checker: utility to test the presence of IBRS and eIBRS mitigations
- fr_checker: tool to verify the the Flush+Reload timing threshold
THRpresent in tune.h is correctly selected (needed for the reverse engineering experiments).
-
pocs: end-to-end exploits demonstrating how Spectre-BHB primitive can be used to mount an attack to leak data from the Linux kernel.
- inter_mode: exploit based on Spectre-BHB/Branch History Injection demonstrates how the unprivileged history can be used to mount spectre-v2 attacks even in the presence of the ad-hoc hardware defense
eIBRS. - intra_mode: exploit that shows how same privilege mode exploitation (kernel to kernel) is not only possible but practical.
- inter_mode: exploit based on Spectre-BHB/Branch History Injection demonstrates how the unprivileged history can be used to mount spectre-v2 attacks even in the presence of the ad-hoc hardware defense
-
re: reverse engineering experiments to test the presence of Branch History Injection and to extrapolate the main parameter of the indirect branch predictor.
-
- bhi_test: Experiment to verify the presence of the Spectre-BHB/Branch History Injection primitive
- bhb_brute_force: Experiment to observe how often with a brute-force approach we obtain a BHB-collision
- bhb_size: Experiment to retrieve the size of the Branch History Buffer (BHB)
- bhb_control: Experiment to discover what is the minimum required control of the BHB to obtain reliable exploitation
-
- bhi_test: Experiment to verify the presence of the Spectre-BHB/Branch History Injection primitive
- bhb_brute_force: Experiment to observe how often with a brute-force approach we obtain a BHB-collision
-