Occupy_Probe

January 27, 2026 · View on GitHub

Introduction

This repository contains the following components:

  1. Code to prove the hardware isolation in the BTB from the 11th generation Intel Core CPUs. (ref. Section III-A in the paper)
  2. Code to investigate the BTB indexing address. (ref. Section IV-A)
  3. PoC Code to validate the feasibility and accuracy of Occupy+Probe. (ref. Section V-B and V-C)
  4. An KASLR-breaking attack on Intel Core i7-11700K. (ref. Section V-D)
  5. An end-to-end attack example targeting Linux Kernel Crypto API. (ref. Section VI)

Each directory contains a more detailed README, including the description, building and executing instructions, and results explanation.

Occupy+Probe Attack

Occupy+Probe is a cross-privilege side-channel attack, which exploits the Branch Target Buffer (BTB) as the leakage source to infer the control-flow of kernel programs from user mode. Specifically, a user BTB entry can be directly replaced by a kernel entry with the same index, tag, and offset, even though the BTB is logically isolated between user space and kernel space. This mechanism is supported on Intel Core processors from 9th to 14th generations. Based on this finding, a user program can obtain the execution result of a targeted kernel branch. And if the execution outcome of this branch depends on a secret value, the secret can be leaked.

The threat model of Occupy+Probe is similar to those of other control-flow leakage side-channel attacks. The attacker is a user-level program capable of executing arbitrary unprivileged code, while the victim runs in kernel mode and contains a branch whose behavior depends on secret data. Both the attacker and the victim execute concurrently on the same logical core, enabling the attacker to exploit the microarchitectural side effect described above. Moreover, the attacker has prior knowledge of the victim's code layout, including the address of the secret-dependent branch, which allows for precise targeting. The attacker's goal is to infer the execution outcome of this branch and thereby leak information about the underlying secret.

The attack process is illustrated in the figure below. In the Occupy+Probe attack, the attacker first constructs an occupy branch whose address is carefully aligned with that of a secret-dependent victim branch. Executing this branch inserts a crafted entry into the BTB. When the victim process runs and executes the target branch, the BTB state may be altered depending on whether the branch is taken or not. Finally, the attacker probes the BTB using an aliased branch: if the victim branch was taken, it replaces the occupy entry; if not taken, the entry remains. By observing this behavior, the attacker can infer the victim’s control flow and recover the underlying secret.

Research Paper

For more detailed research on Occupy+Probe, please refer to the paper Occupy+Probe: Cross-Privilege Branch Target Buffer Side-Channel Attacks at Instruction Granularity, which has been accepted to the Proceedings of Network and Distributed System Security (NDSS) Symposium 2026.

License

This project is licensed under the terms of the GNU General Public License v3.0 (GPLv3).