Intel CPUs Hit by New Pathfinder Attack

admin, May 9, 2024 15:48:43

Researchers have discovered two novel attack methods targeting high-performance Intel CPUs that could be exploited to stage a key recovery attack against the Advanced Encryption Standard (AES) algorithm.

The techniques have been collectively dubbed Pathfinder by a group of academics from the University of California San Diego, Purdue University, UNC Chapel Hill, Georgia Institute of Technology, and Google.

"Pathfinder allows attackers to read and manipulate key components of the branch predictor, enabling two main types of attacks: reconstructing program control flow history and launching high-resolution Spectre attacks," Hosein Yavarzadeh, the lead author of the paper, said in a statement shared with The Hacker News.

"This includes extracting secret images from libraries like libjpeg and recovering encryption keys from AES through intermediate value extraction."

Spectre is the name given to a class of side-channel attacks that exploit branch prediction and speculative execution on modern CPUs to read privileged data in the memory in a manner that sidesteps isolation protections between applications.

The latest attack approach targets a feature in the branch predictor called the Path History Register (PHR), which keeps a record of the last taken branches, to induce branch mispredictions and cause a victim program to execute unintended code paths, thereby inadvertently exposing its confidential data.

Specifically, it introduces new primitives that make it possible to manipulate PHR as well as the prediction history tables (PHTs) within the conditional branch predictor (CBR) to leak historical execution data and ultimately trigger a Spectre-style exploit.

In a set of demonstrations outlined in the study, the method has been found effective in extracting the secret AES encryption key as well as leaking secret images during processing by the widely-used libjpeg image library.

Following responsible disclosure in November 2023, Intel, in an advisory released last month, said Pathfinder builds on Spectre v1 attacks and that previously deployed mitigations for Spectre v1 and traditional side-channels mitigate the reported exploits. There is no evidence that it impacts AMD CPUs.

"[This research] demonstrates that the PHR is vulnerable to leakage, reveals data unavailable through the PHTs (ordered outcomes of repeated branches, global ordering of all branch outcomes), exposes a far greater set of branching code as potential attack surfaces, and cannot be mitigated (cleared, obfuscated) using techniques proposed for the PHTs," the researchers said.

References

[1] https://thehackernews.com/2024/05/new-spectre-style-pathfinder-attack.html

Originally published on the WeChat official account 知机安全: Intel CPUs Hit by New Pathfinder Attack
