Back in 2018 when Spectre was found, you could exploit its second and most dangerous variant (Spectre-v2) to easily leak arbitrary data across privilege levels. As a result, OS developers initially deployed various stopgap software mitigations—with non-negligible performance overhead. Luckily, Intel and Arm released more efficient hardware defenses, which are now the de facto solutions on every modern system.
In this talk, we introduce “Branch History Injection” (BHI): a new attack primitive that bypasses Intel's eIBRS and Arm's CSV2 hardware mitigations against cross-privilege Spectre-v2 attacks. In particular, we will discuss our black-box reverse engineering approach to these complex mitigations, sharing both the successful and failed attempts towards understanding their inner workings. We will then use BHI to build an end-to-end exploit leaking arbitrary kernel memory on fully patched Intel 11th gen CPUs. Finally, we will conclude by describing the latest Spectre defense deployed after our BHI disclosure, showing how software and hardware can mitigate these new attacks.