Skip to content

New BTI attack ‘Indirector’ targets modern Intel CPUs

  • by
  • 2 min read

Modern Intel processors, including Raptor Lake and Alder Lake generations, are vulnerable to a new high-precision Branch Target Injection (BTI) attack known as ‘Indirector.’ This sophisticated attack can potentially steal sensitive information from the CPU by exploiting flaws in the Indirect Branch Predictor (IBP) and Branch Target Buffer (BTB).

The IBP is designed to predict target addresses of indirect branches using historical execution data, while the BTB predicts target addresses of direct branches via a set-associative cache structure. Researchers identified flaws in indexing, tagging, and entry-sharing mechanisms, making them susceptible to targeted, high-precision manipulations.

As reported by BleepingComputer, the Indirctor attack primarily operates through three mechanisms:

  • iBranch Locator: This custom tool uses eviction-based techniques to identify indices and tags of victim branches, accurately determining IBP entries for specific branches.
  • IBP/BTB Injections: Targeted injections into prediction structures facilitate speculative code execution.
  • ASLR Bypass: By pinpointing the exact locations of indirect branches and their targets, the attack can break Address Space Layout Randomisation (ASLR), making it easier to manipulate the control flow of protected processes.

Combined with cache side-channel techniques like measuring access times, attacking can infer accessed data, thus enabling the extraction of sensitive information.

Proof of Concept code of the BTB Injection Attack.

Researchers notified Intel in February 2024 and have since informed affected hardware and software vendors.

The researchers propose two primary mitigation strategies:

  • Increased use of Indirect Branch Predictor Barrier (IBPB): While effective, this approach involves significant performance trade-offs, notably a 50% performance hit on Linux systems where IBPB is activated by default during transitions to SECCOMP mode or tasks with restricted indirect branches in the kernel.
  • Enhanced BPU Design: Incorporating more complex tags, encryption, and randomisation can bolster the Branch Prediction Unit (BPU) design, providing a more robust defence against Indirector attacks.

The Indirector attack underscores the persistent vulnerabilities within modern CPU architectures and the ongoing arms race between attackers and defenders in cybersecurity.

In April 2024, 2000 Intel and Lenovo devices were exposed to a six-year-old flaw.

In the News: Pakistan-based APT-36 distributes CapraRAT via malicious APKs

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: