Pathfinder – New Attack Steals Sensitive Data From Modern Processors

Pathfinder – New Attack Steals Sensitive Data From Modern Processors

Microarchitectural side-channel attacks misuse shared processor state to transmit information between security domains. 

Although they can be used in isolation, they are frequently employed as building blocks for more sophisticated attacks such as Spectre, which uses side channels to achieve controlled speculative execution and data exfiltration. 

The following cybersecurity analysts recently discovered a new attack dubbed “Pathfinder,” that steals sensitive data from the modern processor:-

  • Hosein Yavarzadeh from UC San Diego
  • Archit Agarwal from UC San Diego
  • Max Christman from UNC Chapel Hill
  • Christina Garman from Purdue University
  • Daniel Genkin from Georgia Tech
  • Andrew Kwong from UNC Chapel Hill
  • Daniel Moghimi from Google
  • Deian Stefan from UC San Diego
  • Kazem Taram from Purdue University
  • Dean Tullsen from UC San Diego

Pathfinder Attack Steals Sensitive Data

Caches, branch predictors, and translation buffers are among the many shared microarchitectural components that these attacks target.

Most previous branch predictor attacks have focused on attacking the conditional branch predictor, which is a simple model.

Due to this, their ability has been limited to manipulating coarse control flow only. 

The branch predictor is thought of as a read/write scratchpad. Advanced attack primitives let you exploit the Pattern History Register (PHR) and Pattern History Tables (PHTs) so that one can leak their values after a victim program.

They also allow you to perform new Spectre attacks by overwriting them before calling the victim.


Document


Integrate ANY.RUN in Your Company for Effective Malware Analysis

Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

  • Real-time Detection
  • Interactive Malware Analysis
  • Easy to Learn by New Security Team members
  • Get detailed reports with maximum data
  • Set Up Virtual Machine in Linux & all Windows OS Versions
  • Interact with Malware Safely

If you want to test all these features now with completely free access to the sandbox:



These primitives abstract away the complicated manipulation of complex branch prediction structures and their indexing functions.

Pathfinder is a program that, given an executable code and observed values of a Pattern History Register (PHR), reconstructs the control flow graph of the victim function at runtime.

The PHR is complex because it combines branch outcomes with multiple addresses, which helps capture control flow, which differs from capturing control flow alone.

Binary analysis coupled with an algorithm allows Pathfinder to determine all possible paths of control flow corresponding to the observed PHR.

Due to the size and complexity of the update function used by PHR, one path is usually found.

This tool shows what happens during execution, helps analyze leak attacks, and helps discover the new Spectre variations.

JPEG is a widely used lossy image compression standard, and libjpeg is a library for JPEG encoding and decoding.

The IDCT implementation in libjpeg simplifies computation by optimizing for constant rows and columns in the coefficient matrix. 

This optimization discloses the original image by making known the constancy of particular rows and columns through runtime control flow analysis.

Recovered Images by Pathfinder (Source – CPUSec)

The research shows how easily the Pattern History Register state can be leaked, thus giving away information about global branch ordering and runtime control flow.

By precise poisoning of PHT through read-and-write attacks that target specific loop iterations, it becomes important to take into account non-deterministic speculative control flows in Spectre mitigations.

This attack differs from others that were restricted by biases or recent branch outcomes, as it covers all branches made throughout the program’s execution, which involves thousands of branches.

Combat Email Threats with Easy-to-Launch Phishing Simulations: Email Security Awareness Training -> Try Free Demo 

Source: Original Post