
Intel faces more ghosting from Spectre

13 May 2024


Call in more Ghostbusters

Top boffins from several universities have discovered a new Spectre-like method of extracting secrets from Chipzilla’s latest processors.

A group of researchers from the University of California San Diego, Purdue University, UNC Chapel Hill, Georgia Institute of Technology, and Google discovered that a feature in the branch predictor called the Path History Register (PHR) can be tricked to expose sensitive data.

"Pathfinder allows attackers to read and manipulate key components of the branch predictor, enabling two main types of attacks: reconstructing program control flow history and launching high-resolution Spectre attacks," Hosein Yavarzadeh, the lead author of the paper, told The Hacker News.

"This includes extracting secret images from libraries like libjpeg and recovering encryption keys from AES through intermediate value extraction."

For those who came in late, Spectre was a side-channel attack that exploited branch prediction and speculative execution in processors, allowing attackers to read sensitive data in the memory.

PHR’s job is to keep a record of the last branches taken. It can be fooled to induce branch mispredictions and thus cause a victim program to run unintended code paths. As a result, sensitive data gets exposed.

In the research paper, the academics demonstrated extracting the secret AES encryption key, and leaking secret images during libjpeg image library processing.

Intel was tipped off in November last year and released a security advisory addressing the findings in April this year. In the advisory, Intel said that Pathfinder builds on Spectre v1 and added that the previously released mitigations address this problem as well.
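Because Intel's advisory says Pathfinder rides on the Spectre v1 pattern, it helps to see what that pattern looks like in code and what a standard software mitigation does to it. The block below is an added illustration, not code from the Pathfinder paper, from Intel, or from any of the libraries named above. It shows the classic bounds-check-then-load shape that a mispredicted branch can speculatively bypass, and the hardened form that clamps the index with a branch-free mask (modelled on the approach used by Linux's array_index_mask_nospec) or, alternatively, places a speculation barrier after the check. The table and the "secret" bytes placed after it are constructed sample data; the helper names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data: a small public table followed by bytes that
   stand in for a secret an out-of-bounds speculative read could reach.
   The adjacency is only to make the layout concrete for the reader. */
enum { TABLE_LEN = 16 };
static const uint8_t public_table[TABLE_LEN] = {
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
    0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
};
static const uint8_t secret_after_table[] = "secret";

/* Branch-free bounds mask (hypothetical helper, modelled on Linux's
   array_index_mask_nospec): returns all-ones when idx < len and zero
   otherwise. It is pure arithmetic, so there is no branch for the
   predictor to get wrong. Precondition: len > 0 and len < SIZE_MAX/2. */
static inline size_t index_mask_nospec(size_t idx, size_t len)
{
    /* If idx < len, both idx and (len - 1 - idx) have a clear top bit.
       If idx >= len, (len - 1 - idx) wraps and its top bit is set. */
    size_t out_of_bounds = (idx | (len - 1 - idx)) >> (sizeof(size_t) * 8 - 1);
    /* out_of_bounds is 0 or 1; subtracting 1 yields SIZE_MAX or 0. */
    return out_of_bounds - 1;
}

/* Speculation barrier: on x86-64 an lfence stops younger loads from
   executing until the branch before it has actually resolved. */
static inline void speculation_barrier(void)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#else
    __asm__ __volatile__("" ::: "memory"); /* placeholder on other ISAs */
#endif
}

/* The classic Spectre v1 shape: the bounds check is an ordinary branch.
   Architecturally this function is correct, but if the predictor has been
   trained (for instance via the branch history the PHR records) to expect
   the check to pass, the load may run speculatively for idx >= TABLE_LEN. */
uint8_t read_unchecked(size_t idx)
{
    if (idx < TABLE_LEN)
        return public_table[idx];
    return 0;
}

/* Hardened form 1: clamp the index after the check with the mask. Even if
   the branch is mispredicted, idx is forced to 0 and the address formed
   under speculation never leaves the table. */
uint8_t read_masked(size_t idx)
{
    if (idx < TABLE_LEN) {
        idx &= index_mask_nospec(idx, TABLE_LEN);
        return public_table[idx];
    }
    return 0;
}

/* Hardened form 2: serialise with a barrier so the load cannot issue
   before the bounds check has resolved. Simpler, but costlier. */
uint8_t read_fenced(size_t idx)
{
    if (idx < TABLE_LEN) {
        speculation_barrier();
        return public_table[idx];
    }
    return 0;
}

int main(void)
{
    printf("in-bounds mask  : %zx\n", index_mask_nospec(3, TABLE_LEN));
    printf("out-of-bounds mask: %zx\n", index_mask_nospec(TABLE_LEN + 4, TABLE_LEN));
    printf("read_masked(5)  : %02x\n", read_masked(5));
    printf("read_masked(99) : %02x\n", read_masked(99));
    (void)secret_after_table;
    return 0;
}
```

All three functions return the same values architecturally; the difference is only in what the processor may do while a mispredicted bounds check is still unresolved. Index masking is the usual choice in hot paths because it adds a few ALU operations rather than a pipeline drain; the barrier is the fallback where the index arithmetic cannot be made branch-free.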

AMD’s silicon seems to be immune to Pathfinder, the researchers concluded.


Last modified on 13 May 2024