New Spectre flaw compromises return stack buffer
Another speculative execution side-channel flaw has been found enabling attackers to access sensitive data at the CPU level. The new Spectre class exploit is called SpectreRSB. The flaw still targets the process of speculative execution, but unlike other variants, it manipulates a new part of the process called the return stack buffer. New research introduce a new attack vector for Spectre-like attacks that are not prevented by deployed defenses. Specifically, the attacks exploit the return stack buffer ( RSB ) to cause speculative execution of the payload gadget that reads and exposes sensitive information. RSB is a common predictor structure in CPUs used to predict return addresses during the speculative execution process. It does this by pushing the return address from a call instruction on an internal hardware stack making predictions with very high accuracy.
Speculative execution is used in microprocessors so that memory can read before the addresses of all prior memory writes are known. This enables a hacker with local user access using a side-channel analysis to gain unauthorized data. Since the disclosure of Spectre in January, various variants have consequently been disclosed by researchers but they all have targeted the branch predictor unit or cache within the CPU. The RSB is another branch predictor used for the return instructions whereas the primary branch predictor is used for branch instructions. The attack is similar to Spectre, but with a different entry point that have different properties.
RSB can be manipulated through user code and direct pollution of the RSB, where a hacker inserts a call instruction as a value pushed to the RSB and the software stack. The stack is subsequently manipulated by the user so that the return address no longer matches the RSB, allowing the hacker to recover data running on the CPU. To launch the attack, the hacker poison the RSB and then cause a return instruction without a preceding instruction in the victim . SpectreRSB should be thought of as a variant of Spectre, with about the same order of difficulty and capabilities as the original. SpectreRSB also enables an attack against the SGX compartment, where malicious OS pollutes the RSB to cause wrong predictions that exposes data outside an SGX compartment. This bypasses all software and microcode patches on the SGX machine. Researchers have reported SpectreRSB to Intel, AMD and ARM, all of which use RSBs to predict return addresses.
The new flaw is not prevented by any of the previous defenses against Spectre, including Google's software fix, Retpoline, and Intel's microcode patches. Intel claims that this is not the case, according to a statment by Intel, SpectreRSB is related to branch target injection, and the exploits are resolved in the same manner. Regardless of the patches, there is a defense to protect against SpectreRSB, RSB stuffing. This currently exists on Intel's Core i7 processors starting from Skylake. With RSB stuffing, every time there is a switch into the kernel, the RSB is intentionally filled with the address of a benign delay gadget to avoid the possibility of misspeculation. For some of the more dangerous attacks, the attack starts from the user code, but its trying to get the OS to do the return to the poisoned address. Refilling overwrites the entries in the RSB whenever we switch to the kernel. So, the user can't get the kernel to return to its poisoned addresses in the RSB.
Since the two original side-channel analysis vulnerabilities, Meltdown and Spectre, were found earlier this year in Intel server and desktop processors, more Spectre-like flaws have surfaced. In May, a new vulnerability was found called Variant 4, disclosed by Google Project Zero and Microsoft's Security Response Center. It enables hackers to read privileged data across trust boundaries. Other Spectre like attacks targeting RSB may crop up in the future. Variants on other processors and other operating systems are likely to appear.