ETH Zurich researchers discover new security vulnerability in Intel processors

Anyone who speculates on likely events ahead of time and prepares accordingly can react quicker to new developments. What practically every person does every day, consciously or unconsciously, is also used by modern computer processors to speed up the execution of programs. They have so-called speculative technologies which allow them to execute instructions on reserve that experience suggests are likely to come next. Anticipating individual computing steps accelerates the overall processing of information.

However, what boosts computer performance in normal operation can also open up a backdoor for hackers, as recent research by computer scientists from the Computer Security Group (COMSEC) at the Department of Information Technology and Electrical Engineering at ETH Zurich shows. The computer scientists have discovered a new class of vulnerabilities that can be exploited to misuse the prediction calculations of the CPU (central processing unit) in order to gain unauthorised access to information from other processor users.

PC, laptop and server processors all affected

“The security vulnerability affects all Intel processors,” emphasises Kaveh Razavi, head of COMSEC. “We can use the vulnerability to read the entire contents of the processor’s buffer memory (cache) and the working memory (RAM) of another user of the same CPU.” The CPU uses the RAM (random access memory) and cache to temporarily store calculation steps and information that is likely to be needed next.

This vulnerability fundamentally undermines data security, particularly in the cloud environment where many users share the same hardware resources. It affects the processors of the world’s largest CPU manufacturer, which are used in PCs and laptops, as well as those used in data centre servers.                                       

Nanosecond gap in authority check

The so-called BPRC (Branch Predictor Race Conditions) emerge during a brief period of a few nanoseconds when the processor switches between prediction calculations for two users with different permissions, explains Sandro Rüegge, who has been examining the vulnerability in detail over the past few months.

Breaking through the built-in protective barriers between users, known as privileges, is possible because the permissions for individual activities are not stored at the same time as the calculations. With special inputs, it is now possible to cause ambiguity in the sequence of events when changing users, resulting in incorrect assignment of privileges. An attacker could exploit this in order to read an information byte (a unit consisting of eight binary 0/1 pieces of information).

Unlocking entire contents of memory byte by byte

The disclosure of a single byte would be negligible. However, the attack can be repeated in quick succession, allowing the contents of the entire memory to be read over time, explains Rüegge. “We can trigger the error repeatedly and achieve a readout speed of over 5000 bytes per second.” In the event of an attack, therefore, it is only a matter of time before the information in the entire CPU memory falls into the wrong hands.  

Part of a series of security vulnerabilities

The vulnerability that the ETH Zurich researchers have now identified is not the first to be discovered in the speculative CPU technologies introduced in the mid-1990s. In 2017, Spectre and Meltdown were the first two vulnerabilities of this kind to hit the headlines, and new variants have been appearing regularly ever since. Johannes Wikner, a former PhD student in Razavi's group, already identified a vulnerability known as Retbleed back in 2022. He exploited traces of speculatively executed instructions in the CPU’s cache to access information from other users.

Suspicious signal reveals vulnerability

The starting point for the discovery of the new vulnerability class was work that followed on from the Retbleed investigations. “I examined the functions of the protective measures that Intel had introduced to patch up the Retbleed vulnerability,” says Johannes Wikner.

In doing so, he discovered an unusual signal from the cache memory that appeared regardless of whether the protective measures were enabled or disabled. Rüegge then took over detailed analysis of the cause of the signal and, based on this work, was able to uncover the new attack vector.

Fundamental architectural problem

The vulnerability was discovered back in September 2024. Since then, Intel has implemented protective measures to secure its processors. Nevertheless, there are many indications that the problem is more serious. “The series of newly discovered vulnerabilities in speculative technologies is an indication of fundamental flaws in the architecture,” Razavi points out. “The gaps have to be found one by one and then closed.”

Closing these sorts of gaps requires a special update to the processor’s microcode. This can be done via a BIOS or operating system update and should therefore be installed on our PCs in one of the latest cumulative updates from Windows.