The BTB provides a history of branches taken by the processor as it runs through its code: after the CPU is told to make a decision, it usually jumps to another part of the program based on the outcome of that decision. For example, if something fetched from memory has a value greater than zero, then jump to location A or jump to location B if not.

If a jump location is in the history buffer then the CPU knows this branch is usually taken so can start priming itself with instructions from the jump landing point. That means branches routinely taken execute with minimal delay.

By flooding the BTB with a range of branch targets, hackers can observe the BTB refilling with values of regularly taken jumps. This allows the miscreants to work out where in memory the operating system has randomly placed the application’s vital components. It takes a few tens of milliseconds to perform, we’re told. The eggheads say this allows an “attacker to identify the locations of known branch instructions in the address space of the victim process or kernel.”

Source: Boffins exploit Intel CPU weakness to run rings around code defenses