Branch History Injection

Original Post:
Branch History Injection
We discussed this vulnerability as part of our weekly podcast on 16 March 2022

An attack which extends upon branch target injection, which is an attack where you train the branch predictor on an indirect branch to speculatively execute a branch erroneously and side-channel the cache to leak data. One of the various mitigations introduced by Intel and ARM were Enhanced Indirect Branch Restricted Speculation (eIBRS) and CSV2 respectively. There’s two key terms that are important to keep in mind, the Branch Target Buffer (BTB) and the Branch History Buffer (BHB). What this mitigation did was it would tag BTB entries, and that tag is calculated by taking the branch source address and combining it with the history of past branches (stored in the BHB).

Due to performance considerations, the BHB is not isolated across privilege boundaries, because this would have a significant impact on things like syscalls. This is a weakness that allows an attacker to get a degree of control over the tags that are calculated for BTB entries. This bypasses the “authentication” on the BTB entries that’s provided by eIBRS/CSV2.