Intel releases urgent patches for new Spectre variant

Redazione RHC: 19 October 2025 08:47

VUSec researchers have presented a paper titled “Training Solo,” which challenges the fundamental principles of protection against Spectre-v2 attacks. Previously, the domain isolation mechanism was believed to completely eliminate the ability to train a branch predictor using code from multiple privileged domains.

However, the authors demonstrated that even with a flawless implementation of these mechanisms, an attacker can exploit code within a single domain, such as the system kernel, to train the predictor on its own and extract sensitive data.

The study describes three new types of Spectre-v2 attacks based on so-called “self-training,” in which both training and speculative execution occur in the same privileged context. This allows for control flow hijacking within the kernel or hypervisor and accessing private memory regions, effectively replicating classic Spectre-v2 scenarios previously thought impossible.

The first category of attacks, called history-based, uses special “history” gadgets within the kernel to create the desired branch context. Experiments have shown that, even with domain isolation enabled, an attacker can train the branch predictor through the seccomp system call, which is accessible to any user. This technique allowed the researchers to extract kernel data at a speed of 1.7 KB/s on Intel Tiger Lake and Lion Cove processors.

The second group, IP-based, relies on address matches in the Branch Target Buffer (BTB), where the predictor has no history and operates exclusively on IP addresses. Under these conditions, two branches can inadvertently “learn” from each other if their addresses match. Analysis of multiple system devices has shown that this collision can become a practical basis for mass attacks.

The third variant, the direct-indirect one, proved to be the most destructive. The researchers discovered that on some chips, direct jumps can train the prediction of indirect jumps, which was not intended by design. This is due to two hardware flaws: indirect target selection (ITS) and a bug in Lion Cove processors. Thanks to these flaws, the researchers were able to read arbitrary data from kernel memory at up to 17 KB/s and to build a prototype that reads hypervisor memory at 8.5 KB/s.

To address the vulnerabilities, Intel has released microcode updates, new “indirect branches,” and the Indirect Branch History Fence (IBHF) instruction, which clears branch history. On some systems a dedicated BHB clearing sequence is recommended instead. The IBPB mechanisms have also been redesigned to prevent protection bypasses, and new branch cache placement schemes have been introduced, reducing the attack surface.

The issues have affected a wide range of Intel processors, from 9th-generation Core processors to the latest Lion Cove processors from the Lunar Lake and Arrow Lake series. ARM has also issued its own advisory. Fixes are gradually being rolled out via firmware and Linux kernel updates. A comprehensive set of tools for testing, analyzing, and validating vulnerable predictors has been publicly released on VUSec’s GitHub.
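To check whether the firmware and kernel fixes described above have reached a given Linux host, here is an added example (not VUSec’s tooling and not code from the article) that classifies the status strings the Linux kernel exposes under `/sys/devices/system/cpu/vulnerabilities/`; the entry names `spectre_v2` and `indirect_target_selection` are the kernel's own, while the sample strings used to exercise the functions are constructed.

```shell
#!/bin/sh
# Added example: summarise the kernel's Spectre-v2 and ITS mitigation status
# so an administrator can see whether the BHB/BHI and ITS fixes are active.
VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_status "<status line>" -> not-affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        Mitigation:*)    echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# bhi_state "<spectre_v2 line>" -> the value of the "BHI: ..." field, or
# "absent" when the kernel does not report one. This field is where a BHB
# clearing sequence (or the BHI_DIS_S hardware control) becomes visible.
bhi_state() {
    case "$1" in
        *"BHI: "*) printf '%s\n' "${1##*BHI: }" | sed 's/;.*//' ;;
        *)         echo absent ;;
    esac
}

# check_file <entry> -> prints classification and raw line for one sysfs entry.
check_file() {
    f="$VULN_DIR/$1"
    if [ -r "$f" ]; then
        line=$(cat "$f")
        printf '%-28s %-12s %s\n' "$1" "$(classify_status "$line")" "$line"
    else
        printf '%-28s %s\n' "$1" "(not reported by this kernel)"
    fi
}

# Stand-alone run: `sh spectre_check.sh --scan` reports both predictor entries.
if [ "${1:-}" = "--scan" ]; then
    check_file spectre_v2
    check_file indirect_target_selection
fi
```

A status of `vulnerable` or an `absent` BHI field on an affected Intel part means the microcode or kernel update has not yet been applied, or the kernel predates the reporting of that entry.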

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
