    Intel’s Memory Leak Nightmare: 5,000 Bytes per Second in the Hands of Hackers

    By Daniel Meierhans, ETH Zurich | May 21, 2025
    Intel Processor Vulnerability
    ETH Zurich scientists have discovered a new CPU flaw that lets attackers read private memory from shared Intel processors — exploiting a nanosecond timing glitch in prediction logic. Credit: SciTechDaily.com

    Computer scientists at ETH Zurich have uncovered a serious flaw in Intel processors that could let attackers steal sensitive information by exploiting how modern chips predict upcoming actions. Using specially designed sequences of instructions, hackers can bypass security boundaries and gradually read the entire memory of a shared processor. This vulnerability affects a wide range of Intel chips used in personal computers, laptops, and cloud servers.

    • Researchers identified a new class of vulnerabilities in Intel CPUs linked to speculative execution — a technique that helps processors work faster by predicting the next steps.
    • The flaw allows attackers to break down barriers between users sharing the same processor, potentially accessing private data stored in memory.
    • By repeating the attack at high speed, hackers can extract memory content byte by byte until the full contents are revealed.
    • The vulnerability affects all Intel processors released in the past six years, across devices from personal computers to large-scale data center servers.
    • This discovery highlights the growing security risks tied to performance-boosting features in modern chip designs.

    Prediction Technology: Speed Comes at a Cost

    Anticipating what comes next gives us an edge every day. Computers harness the same trick. Modern chips employ speculative execution, a feature that runs instructions they predict will be needed. By making these smart guesses, processors dramatically accelerate performance.

    Now an exciting discovery from ETH Zurich’s Computer Security Group reveals a major downside. Researchers have uncovered a vulnerability class that can weaponize the CPU’s prediction engine. By feeding the chip carefully crafted instruction sequences, attackers can slip past security boundaries and access data belonging to other users.

    Intel Processors Branch Privilege Injection
    All Intel processors since 2018 are affected by Branch Privilege Injection. The image shows an example of an Intel server system. Credit: ETH Zurich / Computer Security Group, Corporate Communications

    Widespread Impact on Intel Processors

    “The security vulnerability affects all Intel processors,” emphasizes Kaveh Razavi, head of COMSEC. “We can use the vulnerability to read the entire contents of the processor’s buffer memory (cache) and the working memory (RAM) of another user of the same CPU.” The CPU uses the RAM (random access memory) and cache to temporarily store calculation steps and information that is likely to be needed next.

    The implications for data security are serious, especially in cloud environments where many people share the same hardware resources. From personal laptops to large scale data center servers, Intel chips worldwide demand new protections to keep sensitive information safe.

    The Nanosecond Loophole

    The so-called BPRC (Branch Predictor Race Conditions) emerge during a brief period of a few nanoseconds when the processor switches between prediction calculations for two users with different permissions, explains Sandro Rüegge, who has been examining the vulnerability in detail over the past few months.

    Breaking through the built-in protective barriers between users, known as privileges, is possible because the permissions for individual activities are not stored at the same time as the calculations. With special inputs, it is now possible to cause ambiguity in the sequence of events when changing users, resulting in incorrect assignment of privileges. An attacker could exploit this in order to read an information byte (a unit consisting of eight binary 0/1 pieces of information).

    From a Byte to the Entire Memory

    The disclosure of a single byte would be negligible. However, the attack can be repeated in quick succession, allowing the contents of the entire memory to be read over time, explains Rüegge. “We can trigger the error repeatedly and achieve a readout speed of over 5000 bytes per second.” In the event of an attack, therefore, it is only a matter of time before the information in the entire CPU memory falls into the wrong hands.

    Computer Processor Predictor
    To compute faster, a predictor in the computer processor anticipates certain calculation steps. Hackers can exploit these anticipations to bypass security barriers and access confidential information. In the illustration, a hacker manages to overcome the protective measures (privileges) at step 3. Credit: ETH Zurich / COMSEC, HK

    A Legacy of CPU Vulnerabilities

    The vulnerability that the ETH Zurich researchers have now identified is not the first to be discovered in the speculative CPU technologies introduced in the mid-1990s. In 2017, Spectre and Meltdown were the first two vulnerabilities of this kind to hit the headlines, and new variants have been appearing regularly ever since. Johannes Wikner, a former PhD student in Razavi’s group, already identified a vulnerability known as Retbleed back in 2022. He exploited traces of speculatively executed instructions in the CPU’s cache to access information from other users.

    Tracing Signals: A Clue Hidden in the Cache

    The starting point for the discovery of the new vulnerability class was work that followed on from the Retbleed investigations. “I examined the functions of the protective measures that Intel had introduced to patch up the Retbleed vulnerability,” says Johannes Wikner.

    In doing so, he discovered an unusual signal from the cache memory that appeared regardless of whether the protective measures were enabled or disabled. Rüegge then took over detailed analysis of the cause of the signal and, based on this work, was able to uncover the new attack vector.

    A Deeper Problem in Chip Architecture

    The vulnerability was discovered back in September 2024. Since then, Intel has implemented protective measures to secure its processors. Nevertheless, there are many indications that the problem is more serious. “The series of newly discovered vulnerabilities in speculative technologies is an indication of fundamental flaws in the architecture,” Razavi points out. “The gaps have to be found one by one and then closed.”

    Closing these sorts of gaps requires a special update to the processor’s microcode. This can be done via a BIOS or operating system update and should therefore be installed on our PCs in one of the latest cumulative updates from Windows.
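
As an added example (not part of the original article or the researchers' work), here is one way to verify on a Linux host that a microcode update of the kind described above is actually loaded on every core. It assumes the `microcode` field of `/proc/cpuinfo`; the sample input and the minimum revision are constructed placeholders, since the article gives no revision numbers.

```python
import re

# Constructed sample in the Linux /proc/cpuinfo layout (not from a real host).
SAMPLE_CPUINFO = """\
processor : 0
vendor_id : GenuineIntel
model name : Example CPU (constructed)
microcode : 0x12c

processor : 1
vendor_id : GenuineIntel
model name : Example CPU (constructed)
microcode : 0x129
"""

def microcode_by_cpu(cpuinfo_text):
    """Return {logical_cpu: microcode_revision} for GenuineIntel entries."""
    revisions = {}
    # /proc/cpuinfo separates logical CPUs with a blank line.
    for block in re.split(r"\n\s*\n", cpuinfo_text.strip()):
        fields = dict(
            (key.strip(), value.strip())
            for key, _, value in (line.partition(":") for line in block.splitlines())
        )
        if fields.get("vendor_id") != "GenuineIntel" or "microcode" not in fields:
            continue
        revisions[int(fields["processor"])] = int(fields["microcode"], 16)
    return revisions

def audit(cpuinfo_text, min_revision):
    """Report CPUs below min_revision and whether revisions differ across CPUs."""
    revs = microcode_by_cpu(cpuinfo_text)
    return {
        "checked": len(revs),
        "outdated": sorted(cpu for cpu, rev in revs.items() if rev < min_revision),
        # Mixed revisions suggest an update was not applied to every core.
        "mixed": len(set(revs.values())) > 1,
    }

if __name__ == "__main__":
    # MIN_REVISION is a placeholder: take the real value for your CPU model
    # from Intel's microcode release notes; this page does not state it.
    MIN_REVISION = 0x12C
    try:
        with open("/proc/cpuinfo") as handle:
            text = handle.read()
    except OSError:
        text = SAMPLE_CPUINFO  # fall back to the constructed sample
    print(audit(text, MIN_REVISION))
```

A non-empty `outdated` list or `mixed: True` means the host should be rebooted with the updated BIOS or OS microcode package and checked again.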

    Reference: “Branch Privilege Injection: Compromising Spectre v2 Hardware Mitigations by Exploiting Branch Predictor Race Conditions” by S. Rüegge, J. Wikner and K. Razavi, 2025, 34th USENIX Security Symposium.

    4 Comments

    1. MrGiggleNutz on May 22, 2025 1:40 pm

      Before everyone freaks out about this, unless you use cloud services this shouldn’t keep you up at night. If cloud services allow different tenants on the same processor core, that’s on them. This could affect a desktop user system infected with malware or a virus, but you don’t need to exploit the branch prediction to exploit a system using malware/viruses.

      Intel/AMD/ARM all have exploits like these. You can have either slow processors lacking branch prediction and out of order execution that are difficult to exploit, or fast computers that are easier to exploit, take your pick.

      • Bert on May 23, 2025 9:45 am

        Get out of here with your reasonable and well thought out response. We’re here to get irrationally angry over things we don’t understand!

    2. Jeff Computers on May 24, 2025 4:04 am

      Article has error. I think my 8088 is safe.

    3. dcm on May 24, 2025 9:05 am

      Or… How about it be determined whether this is a design flaw that cannot be fixed or an implementation flaw that can?
      According to the article, they have fixed similar flaws in the past. Did they just not review enough of the implementation to see if they have fixed everything, or are we D-o-o-o-o-m-e-d?
      Also, I don’t know about the original paper, but this article does not make clear what a “user” is. What a processor thinks a user is, and what an operating system thinks a user is, is different. This article does hint that individual users on a laptop could be affected, not only cloud-based workloads.
