{"id":341,"date":"2026-04-07T12:01:39","date_gmt":"2026-04-07T12:01:39","guid":{"rendered":"https:\/\/haco.club\/?p=341"},"modified":"2026-04-07T12:01:39","modified_gmt":"2026-04-07T12:01:39","slug":"black-hat-usa-2025-racing-for-privilege","status":"publish","type":"post","link":"https:\/\/haco.club\/?p=341","title":{"rendered":"Black Hat USA 2025 | Racing for Privilege"},"content":{"rendered":"\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Black Hat USA 2025 | Racing for Privilege\" width=\"640\" height=\"360\" src=\"https:\/\/www.youtube.com\/embed\/ULXuhxj-WgA?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<p><a href=\"https:\/\/www.usenix.org\/conference\/usenixsecurity25\/presentation\/ruegge\">https:\/\/www.usenix.org\/conference\/usenixsecurity25\/presentation\/ruegge<\/a><\/p>\n\n\n\n<p>The main point is that Intel\u2019s modern Spectre v2 defenses, especially eIBRS, can fail because branch predictor updates happen asynchronously with respect to the instructions that cause them. The researchers show that this timing creates \u201cBranch Predictor Race Conditions\u201d (BPRC): a prediction can be learned or applied under the privilege context the CPU is in when the update lands, rather than the one the branch actually executed in. In practice, that breaks the isolation boundaries these defenses exist to enforce, such as user-to-kernel and guest-to-hypervisor, and even barriers like IBPB that are meant to flush unsafe predictions.<\/p>\n\n\n\n<p>The talk\u2019s key attack is called <strong>Branch Privilege Injection (BPI)<\/strong>. In plain English: an unprivileged process executes a training branch and immediately triggers a switch into the kernel, so the still-pending predictor update is recorded as if it belonged to the kernel\u2019s privilege context. eIBRS only prevents lower-privilege predictions from steering higher-privilege branches, so it lets this mislabelled prediction through; a Spectre-v2-style gadget in the kernel then speculatively executes on the injected target, and a cache side channel recovers the privileged memory it touched. 
The researchers say they built an end-to-end exploit that leaks arbitrary kernel memory from up-to-date Linux systems across six Intel CPU generations.<\/p>\n\n\n\n<p>The practical results are the scary part. In their evaluation, they report arbitrary kernel-memory leakage at <strong>5.6 KiB\/s<\/strong> with <strong>99.8% byte accuracy<\/strong> on Intel Raptor Cove, fast KASLR derandomization, and an end-to-end demo that leaked the root password hash from <code>\/etc\/shadow<\/code> with a median runtime of <strong>21 seconds<\/strong>. The repository also notes there was a dedicated Black Hat demo for this work.<\/p>\n\n\n\n<p>So the big takeaway of the video is not just \u201chere\u2019s a new exploit,\u201d but \u201chardware security boundaries are fragile when asynchronous microarchitectural state gets attributed to the wrong privilege domain.\u201d The talk argues that even protections widely treated as hardware-backed and robust can be undermined by race conditions inside the predictor machinery itself, on systems with every software patch applied.<\/p>\n\n\n\n<p>On mitigations, the researchers discuss software and hardware responses: replacing exploitable indirect branches with Retpoline-style defenses, so the kernel no longer depends on the predictions eIBRS was supposed to isolate; disabling alternate return prediction where relevant; or disabling indirect branch prediction in supervisor mode on CPUs that support it. 
They also evaluate Intel-provided microcode updates, and note that in their tested AMD and ARM processors they saw no indication of the same BPRC issue.<\/p>\n\n\n\n<p>A one-sentence summary: <strong>the video explains how a race condition in Intel branch prediction can let user code \u201csmuggle\u201d privileged branch predictions across protections like eIBRS, enabling real leakage of kernel memory on fully patched modern systems.<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>https:\/\/www.usenix.org\/conference\/usenixsecurity25\/presentation\/ruegge The main point is that Intel\u2019s modern Spectre v2 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[4,27,5,31],"class_list":["post-341","post","type-post","status-publish","format-standard","hentry","category-black-hat","tag-hardware","tag-microarchitecture","tag-security","tag-speculative-execution"],"_links":{"self":[{"href":"https:\/\/haco.club\/index.php?rest_route=\/wp\/v2\/posts\/341","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/haco.club\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/haco.club\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/haco.club\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/haco.club\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=341"}],"version-history":[{"count":1,"href":"https:\/\/haco.club\/index.php?rest_route=\/wp\/v2\/posts\/341\/revisions"}],"predecessor-version":[{"id":342,"href":"https:\/\/haco.club\/index.php?rest_route=\/wp\/v2\/posts\/341\/revisions\/342"}],"wp:attachment":[{"href":"https:\/\/haco.club\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=341"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/haco.club\/index.php?rest_route=%2Fw
p%2Fv2%2Fcategories&post=341"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/haco.club\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=341"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
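A practitioner reading the mitigation discussion in the post above will want to know which of those boundaries their own Linux hosts actually lean on. The script below is an added example written for this page; it is not code from the talk, the paper or their repository. It parses the kernel's Spectre v2 report from sysfs and the CPU identification and microcode revision from /proc/cpuinfo, classifies whether the kernel relies on eIBRS (the boundary BPI races) or on retpolines, and prints the loaded microcode revision so it can be compared with vendor guidance. The field layout follows the kernel's "Mitigation: X; key: value; flag" sysfs convention; the sample status string and cpuinfo block embedded for offline runs are constructed, and the microcode value in them is a placeholder rather than a real revision. The script deliberately does not claim to know which microcode revision contains the BPRC fix, since the post gives no revision numbers.

```python
"""Spectre v2 posture check for a Linux host. Added example for this page, not
code from the talk or its repository. Reads the kernel's spectre_v2 report and
/proc/cpuinfo, says whether the kernel leans on eIBRS (the boundary BPI races)
or on retpolines, and shows the loaded microcode revision. It does not know
which revision carries the BPRC fix; that is left to vendor guidance."""
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List, Optional

SPECTRE_V2_PATH = Path("/sys/devices/system/cpu/vulnerabilities/spectre_v2")
CPUINFO_PATH = Path("/proc/cpuinfo")

# Constructed samples so the script runs offline; 0xabc is a placeholder, not a
# real microcode revision.
SAMPLE_SPECTRE_V2 = ("Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; "
                     "RSB filling; PBRSB-eIBRS: SW sequence; BHI: SW loop, KVM: SW loop")
SAMPLE_CPUINFO = ("processor\t: 0\nvendor_id\t: GenuineIntel\ncpu family\t: 6\n"
                  "model\t\t: 183\nmodel name\t: 13th Gen Intel(R) Core(TM) i9-13900K\n"
                  "microcode\t: 0xabc\n\nprocessor\t: 1\nvendor_id\t: GenuineIntel\n")


@dataclass
class SpectreV2Status:
    raw: str
    mode: str  # not_affected | vulnerable | eibrs | ibrs | retpoline | lfence | unknown
    ibpb: Optional[str] = None
    rsb_filling: bool = False
    extra: Dict[str, str] = field(default_factory=dict)  # STIBP, PBRSB-eIBRS, BHI, IBRS_FW, ...


def classify_spectre_v2(raw: str) -> SpectreV2Status:
    """Parse the kernel's 'Mitigation: X; key: value; flag' sysfs format."""
    text = raw.strip()
    status = SpectreV2Status(raw=text, mode="unknown")
    head, _, rest = text.partition(";")
    head_l = head.strip().lower()
    if head_l == "not affected":
        status.mode = "not_affected"
    elif head_l.startswith("vulnerable"):
        status.mode = "vulnerable"
    elif head_l.startswith("mitigation:"):
        mit = head_l[len("mitigation:"):].strip()
        for needle, mode in (("enhanced", "eibrs"), ("automatic ibrs", "eibrs"),
                             ("retpoline", "retpoline"), ("lfence", "lfence"), ("ibrs", "ibrs")):
            if needle in mit:
                status.mode = mode  # first match wins; plain 'ibrs' is checked last
                break
    for item in rest.split(";"):
        key, sep, val = item.partition(":")
        key, val = key.strip(), val.strip()
        if not key:
            continue
        if not sep:  # bare flags such as 'RSB filling' or 'IBRS_FW'
            if key.lower() == "rsb filling":
                status.rsb_filling = True
            else:
                status.extra[key] = ""
        elif key.lower() == "ibpb":
            status.ibpb = val
        else:
            status.extra[key] = val
    return status


def parse_cpuinfo(text: str) -> Dict[str, object]:
    """Vendor, family, model and microcode revision of the first CPU block."""
    fields: Dict[str, str] = {}
    for line in text.strip().split("\n\n")[0].splitlines():
        key, sep, val = line.partition(":")
        if sep:
            fields[key.strip()] = val.strip()
    return {"vendor": fields.get("vendor_id", ""),
            "family": int(fields["cpu family"]) if "cpu family" in fields else None,
            "model": int(fields["model"]) if "model" in fields else None,
            "microcode": fields.get("microcode", "")}


def assess(status: SpectreV2Status, cpu: Dict[str, object]) -> List[str]:
    """Turn parsed state into findings; the BPI-relevant one mentions eIBRS."""
    if cpu.get("vendor") != "GenuineIntel":
        return ["Not an Intel CPU: the talk reports no BPRC indication on the AMD and ARM parts it tested."]
    findings: List[str] = []
    if status.mode == "eibrs":
        findings.append(f"Kernel relies on eIBRS for the user-to-kernel boundary, which is what BPI races; "
                        f"loaded microcode is {cpu.get('microcode') or 'unknown'} "
                        f"(family {cpu.get('family')}, model {cpu.get('model')}). "
                        "Check that revision against Intel's guidance before treating eIBRS as sufficient.")
    elif status.mode == "retpoline":
        findings.append("Kernel uses retpolines for indirect branches, the software response the talk discusses.")
    else:
        findings.append(f"Spectre v2 status is '{status.raw}'; neither eIBRS nor retpolines are in use.")
    if status.ibpb in (None, "disabled"):
        findings.append("IBPB is not in use, so predictions are never flushed on context switch at all.")
    return findings


def main() -> None:
    raw = SPECTRE_V2_PATH.read_text() if SPECTRE_V2_PATH.exists() else SAMPLE_SPECTRE_V2
    cpuinfo = CPUINFO_PATH.read_text() if CPUINFO_PATH.exists() else SAMPLE_CPUINFO
    status, cpu = classify_spectre_v2(raw), parse_cpuinfo(cpuinfo)
    print(f"spectre_v2: {status.raw}")
    print(f"mode={status.mode} ibpb={status.ibpb} rsb_filling={status.rsb_filling} extra={status.extra}")
    for finding in assess(status, cpu):
        print(" -", finding)


if __name__ == "__main__":
    main()
```

Run it as root or any user on the host in question; sysfs and /proc/cpuinfo are world-readable. A result of mode=eibrs is the case the talk is about: the kernel is trusting the hardware boundary that BPI crosses, and the only thing standing between an unprivileged process and kernel memory is whether the loaded microcode revision is one Intel shipped for this issue, which the script reports but cannot judge.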