Exploiting Inaccurate Branch History in Side-Channel Attacks

Yuhui Zhu

34th USENIX Security Symposium (USENIX Security '25) · Day 2 · Hardware Security 1: Microarchitectures

In this talk from USENIX Security, Yuhui Zhu of the Sant'Anna School of Advanced Studies presents an analysis of modern processor **Branch Prediction Units (BPUs)**, revealing new vulnerabilities that circumvent existing Spectre mitigations. The research, titled "Exploiting Inaccurate Branch History in Side-Channel Attacks," details how subtle, often undocumented behaviors within BPUs can be manipulated to leak sensitive information, including arbitrary kernel memory. The work builds on prior Spectre attacks, particularly Spectre BHI, by demonstrating that current defenses are insufficient against more sophisticated forms of branch history manipulation.

AI review

Solid original microarchitectural research that advances the Spectre BHI conversation in meaningful ways — not just 'mitigations are incomplete' hand-waving, but concrete primitives (BST eviction, early BHP updates, fallback prediction) backed by per-processor empirical analysis. Chimera as a practical eBPF kernel-read exploit ties the theory to a real attack surface that defenders have to care about today.
