Discover how the Indirector BTI attack targets Intel's Raptor and Alder Lake CPUs, exploiting IBP and BTB flaws to steal sensitive data. Mitigation strategies included.

Continue reading
Modern Intel processors, particularly those from the Raptor Lake and Alder Lake generations, have recently been found to be susceptible to a high-precision Branch Target Injection (BTI) attack known as 'Indirector.'
This vulnerability in these modern Intel processors, discovered by researchers from the University of California, San Diego, leverages flaws in the Indirect Branch Predictor (IBP) and Branch Target Buffer (BTB) to manipulate speculative execution and extract sensitive data from the CPU.
This Threatfeed analyzes the technical intricacies of the Indirector attack, its mechanisms, potential impacts, and proposed mitigations.
Speculative execution is a performance enhancement technique used by modern CPUs to execute instructions before the final determination of their necessity. This process relies heavily on branch prediction mechanisms like the IBP and BTB.
The IBP predicts the target addresses of indirect branches using historical execution information. In contrast, the BTB predicts the target addresses of direct branches through a set-associative cache structure.
Both systems have inherent flaws in indexing, tagging, and entry-sharing mechanisms, making them vulnerable to high-precision manipulation.
The iBranch Locator is a custom tool developed by the researchers to identify the indices and tags of victim branches. It uses eviction-based techniques to accurately determine the IBP entries for specific branches. This step is crucial for setting up targeted injections.
By performing targeted injections into the prediction structures, the attacker can execute speculative code. This speculative execution can be manipulated to access sensitive data through indirect branches.
The Indirector attack can break Address Space Layout Randomization (ASLR) by determining the exact locations of indirect branches and their targets. This significantly simplifies the prediction and manipulation of the control flow of protected processes.
Alongside speculative execution, the attacker can use cache side-channel techniques, such as measuring access times, to infer accessed data. This method enhances the attack's precision and effectiveness.
The IBP and BTB are designed to predict branch targets to enhance CPU performance. However, the researchers found that these components have predictable structures, which can be exploited.
The predictable nature of the indexing and tagging mechanisms in the IBP and BTB allows the iBranch Locator tool to identify specific entries. By evicting certain entries and observing the resulting behavior, the attacker can pinpoint the indices and tags of victim branches.
The entry-sharing mechanisms, meant to optimize resource utilization, inadvertently make the system more predictable. This predictability is a critical factor in the success of the Indirector attack.
Speculative execution, when manipulated through targeted injections, allows the attacker to execute code paths that are not intended to be executed. By carefully crafting these code paths, the attacker can force the CPU to access sensitive data.
Cache side-channel techniques play a pivotal role in data extraction. By measuring the access times to specific cache lines, the attacker can infer which data was accessed during speculative execution.

*Modern CPUs IBP Structure source*
// Example code to measure cache access times
uint64_t start, end;
char *addr = /* target address */;
start = __rdtscp(&junk);
maccess(addr); // Access the target address
end = __rdtscp(&junk);
uint64_t access_time = end - start;
if (access_time < CACHE_HIT_THRESHOLD) {
// The address is in the cache
}More details about the indirector can be found here.
The researchers propose two primary mitigations: aggressive use of the Indirect Branch Predictor Barrier (IBPB) and enhancing the Branch Prediction Unit (BPU) design.
The IBPB is designed to mitigate speculative execution attacks by restricting indirect branch predictions. While effective, its implementation can result in significant performance trade-offs.
Improving the BPU design involves incorporating more complex tags, encryption, and randomization. These enhancements aim to make the prediction structures less predictable, thus mitigating the attack.
Implementing these mitigations requires a delicate balance between security and performance. For instance, using IBPB during transitions to SECCOMP mode on Linux can cause a performance hit of up to 50%.
On Linux systems, IBPB is activated by default during transitions to SECCOMP mode or tasks with restricted indirect branches in the kernel. This activation helps mitigate the risk of Indirector attacks but comes with performance penalties.
By exploiting these flaws, attackers can perform high-precision speculative execution attacks to extract sensitive data. While proposed mitigations like IBPB and enhanced BPU designs offer potential solutions, they come with notable performance trade-offs.

Splunk disclosed CVE-2026-20253, a critical pre-auth RCE flaw in Splunk Enterprise (CVSS 9.8) from insecure MongoDB defaults. Patches released; upgrade to 9.1.8, 9.2.5, or 9.3.2.