
New Spectre Branch Target Injection, Spectre-BTI, Attack Primitives On CPUs (ETH Zurich)


A new technical paper titled “VMSCAPE: Exposing and Exploiting Incomplete Branch Predictor Isolation in Cloud Environments” was published by researchers at ETH Zurich.

Abstract
“Virtualization is a cornerstone of modern cloud infrastructures, providing the required isolation to customers. This isolation, however, is threatened by speculative execution attacks which the CPU vendors attempt to mitigate by extending the isolation to the branch predictor state. Our systematic analysis shows that this extension unfortunately is incomplete: while the most obvious case of the guest controlling branch prediction in the host has been addressed by existing hardware mitigations, we discover a number of new Spectre Branch Target Injection (Spectre-BTI) attack primitives on AMD Zen 1-5 and Intel Coffee Lake CPUs that, among others, enable a malicious guest to control indirect branch prediction in the host when it is executing in userspace. Using the aforementioned primitive, we craft VMSCAPE, the first Spectre-BTI attack that enables a malicious KVM guest to leak arbitrary memory from an unmodified QEMU process running on an AMD Zen 4 host at the speed of 32 B/s, exposing cryptographic keys for disk encryption and decryption. Our analysis of possible mitigation strategies shows that it is possible to mitigate VMSCAPE by selectively flushing the branch predictor with minimal performance impact in common scenarios.”

Find the technical paper here. September 2025. Intel Corporation provided a related security announcement here and AMD’s here.

Graf, Jean-Claude, Sandro Rüegge, Ali Hajiabadi, and Kaveh Razavi. “VMSCAPE: Exposing and Exploiting Incomplete Branch Predictor Isolation in Cloud Environments.”
