More Information on Pathfinder

ID 821814
Updated 7/10/2024
Version 1.0
Public

Key Takeaways

  • The conditional-branch-predictor-based transient execution techniques described in the Pathfinder paper are included in the original Spectre variant 1, and mitigations are already described in the Spectre variant 1 advisory guidance.

  • Intel does not plan to issue a new CVE and is not providing new guidance in response to the Pathfinder paper.

Researchers from the University of California San Diego, Purdue University, UNC Chapel Hill, the Georgia Institute of Technology, and Google have published a research paper titled “Pathfinder: High-Resolution Control-Flow Attacks Exploiting the Conditional Branch Predictor.”

In this paper, they describe primitives for observing (Read PHR[1]) and controlling (Write PHR) conditional branch predictions by manipulating branch history, building on previous research in this area.

The conditional-branch-predictor-based transient execution techniques described in the Pathfinder paper are included in the original Spectre variant 1[2]. Spectre variant 1 mitigations are already described in the Spectre variant 1 advisory guidance. The paper also describes how conditional branch predictors can allow inferring control flow, similar to other existing traditional side channels (for example, cache, TLB, and prefetcher-based side channels). Traditional side channel mitigations are already described in Best Practices for Side Channel Resistance.
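The two mitigation classes referenced above, shown side by side as an added example that is not code from the paper or from Intel's guidance: the classic Spectre variant 1 bounds-check-bypass pattern next to two hardened forms (branchless index masking and an LFENCE speculation barrier), and a secret-dependent comparison next to a constant-flow one that gives the conditional branch predictor nothing data-dependent to record. The arrays, their contents, and the function names are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data (not from the paper): array1 is the bounds-checked
 * buffer, array2 plays the role of the probe array in the classic v1 gadget. */
#define ARRAY1_SIZE 16
static uint8_t array1[ARRAY1_SIZE] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16};
static uint8_t array2[256 * 64];

void init_sample_data(void) {
    /* array2[i * 64] == i, so each victim below returns array1[x] for in-bounds x. */
    for (size_t i = 0; i < sizeof array2; i++) array2[i] = (uint8_t)(i / 64);
}

/* Unmitigated: the Spectre variant 1 (bounds-check bypass) pattern. If the
 * predictor is steered to predict "taken" for an out-of-bounds x, the byte
 * array1[x] is used as an index into array2 transiently and leaves a cache
 * footprint, even though the architectural result is still 0. */
uint8_t victim_unmitigated(size_t x) {
    if (x < ARRAY1_SIZE)
        return array2[(size_t)array1[x] * 64];
    return 0;
}

/* Branchless index clamp: SIZE_MAX when idx < size, 0 otherwise. No conditional
 * branch is involved, so the mask is correct even while the CPU is speculating
 * down the wrong side of the bounds check. */
size_t index_mask_nospec(size_t idx, size_t size) {
    return (size_t)0 - (size_t)(idx < size);
}

/* Mitigated with index masking: a mispredicted out-of-bounds x is forced to 0,
 * so the transient load reads an in-bounds, non-secret location. */
uint8_t victim_masked(size_t x) {
    if (x < ARRAY1_SIZE) {
        x &= index_mask_nospec(x, ARRAY1_SIZE);
        return array2[(size_t)array1[x] * 64];
    }
    return 0;
}

/* Mitigated with a speculation barrier: LFENCE after the bounds check keeps
 * the dependent load from executing until the branch has resolved. */
static inline void speculation_barrier(void) {
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#else
    __asm__ __volatile__("" ::: "memory"); /* no barrier emitted on non-x86 builds */
#endif
}

uint8_t victim_fenced(size_t x) {
    if (x < ARRAY1_SIZE) {
        speculation_barrier();
        return array2[(size_t)array1[x] * 64];
    }
    return 0;
}

/* Secret-dependent control flow: the early return makes the taken/not-taken
 * history (and therefore the predictor's path state) depend on the data. */
int compare_leaky(const uint8_t *a, const uint8_t *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i]) return 0;
    return 1;
}

/* Constant-flow comparison: the loop executes the same branch outcomes for
 * every input; the verdict is accumulated with OR rather than decided by a jump. */
int compare_ct(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= (uint8_t)(a[i] ^ b[i]);
    return acc == 0;
}

int main(void) {
    init_sample_data();
    const uint8_t k1[4] = {1, 2, 3, 4}, k2[4] = {1, 2, 9, 4};
    printf("in-bounds    : %u\n", victim_masked(5));    /* 6 */
    printf("out-of-bounds: %u\n", victim_masked(1000)); /* 0 */
    printf("compare_ct   : %d\n", compare_ct(k1, k2, 4)); /* 0 */
    return 0;
}
```

The index mask relies on the compiler emitting a set/negate sequence rather than turning `idx < size` back into a branch; production code uses a compiler- or assembly-backed helper (for example the Linux kernel's array_index_nospec) to pin that down, and the barrier form costs an LFENCE on every checked access, which is why masking is usually preferred on hot paths.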

The specific techniques discussed in the paper do not appear to add any new practical security concerns, though this area of research is still evolving. Thus, Intel does not plan to issue a new CVE and is not providing new guidance.

Footnotes

  1. PHR stands for Path History Register.
  2. Spectre variant 1 attacks involve transient execution due to conditional branch predictors.