There is a newer version of the record available.

Published June 7, 2025 | Version v1
Software Open

Exploiting Inaccurate Branch History in Side-Channel Attacks

  • 1. Scuola Superiore Sant'Anna
  • 2. IMT School for Advanced Studies Lucca

Description

Modern out-of-order CPUs heavily rely on speculative execution for performance optimization, with branch prediction serving as a cornerstone to minimize pipeline stalls and maximize efficiency. When shared branch prediction resources lack proper isolation and sanitization methods, they can introduce security vulnerabilities that expose sensitive data across different software contexts.

This artifact evaluates the behavior of two underdocumented features of the Branch Predictor Unit: Bias-Free Branch Prediction and Branch History Speculation. These discoveries expose previously unknown cross-privilege attack surfaces for Branch History Injection (BHI).

Based on these findings, we present three novel attack primitives: two Spectre attacks, namely Spectre-BSE and Spectre-BHS, and a cross-privilege control flow side-channel attack called BiasScope. This artifact evaluates the presence of these primitives using user-mode intra-process proof-of-concepts, then evaluates their capability for mounting cross-privilege attacks using custom syscall handlers. Finally, we demonstrate the Chimera snippet using eBPF to achieve end-to-end exploitation.

This artifact contains proof-of-concept (PoC) code demonstrating the vulnerabilities discovered in the paper. The project is organized into several submodules, each addressing different attack scenarios:

  • intra-ctx: Intra-process PoCs demonstrating the relevant microarchitectural behaviors and primitives to perturb and exploit their side effects. This module covers BHB/PHT mistraining (Section 3.3), Spectre-BSE (Section 5.4), Spectre-BHS (Section 6.2), and Chimera snippets (Section 7).
  • cross-ctx: Cross-context PoCs showcasing how these primitives can manipulate branch prediction in kernel mode or another process. This module covers BiasScope (Section 5.3), Spectre-BSE (Section 5.4), and Spectre-BHS (Section 6.2).
  • chimera-ebpf: End-to-end Chimera attack (Section 7) implemented as an eBPF program, demonstrating practical kernel memory leakage.

Files (82.8 kB)

  • sec25-artifact.zip, 82.8 kB, md5:4f76e1390594978bca345e02b7d1b9a8