The initial disclosure of Spectre in 2018 led to an unforeseen era of transient execution attacks. These attacks usually allow a lower-privileged attacker to leak arbitrary data from higher-privileged security domains by observing the side effects of transiently executed instructions. One especially powerful attack variant, Branch Target Injection (BTI), abuses misprediction and the resulting misspeculation on indirect branches to transiently execute attacker-controlled instructions. To put a stop to this, affected vendors initially relied on a complicated set of software defenses and only began in the last two years to roll out in-silicon defenses to the consumer market.
To assess the security ramifications of this insight, we developed tooling to automatically test whether a userspace attacker can cause mispredictions in the kernel despite the enabled defenses. Using this tooling, we could verify that BHI indeed poses a threat to very recent systems, such as the Google Pixel 6 or systems with 12th-generation Intel CPUs. Furthermore, we will show that this threat is far from theoretical: we developed an end-to-end exploit leaking the contents of /etc/shadow in under 10 minutes, and we provide a technical walk-through accompanied by live demos during this talk.