Spectre Returns! Speculation Attacks Using the Return Stack Buffer
Esmaeil Mohammadian Koruyeh, Khaled N. Khasawneh, Chengyu Song, Nael Abu‐Ghazaleh
Abstract
Modern microprocessors frequently use speculative execution, which can be exploited to exfiltrate sensitive data across protection boundaries. This paper introduces SpectreRSB, a new Spectre-class attack that exploits the return stack buffer (RSB). Unlike previous attacks, SpectreRSB does not rely on the branch predictor unit. Through proof of concept attacks, we demonstrate that SpectreRSB enables both local attacks within the same process and attacks on SGX. The paper also analyzes additional types of attacks on the kernel and shows that they are possible under widely used conditions. Importantly, Retpoline and Intel’s microcode patches do not stop all SpectreRSB attacks. We recommend the use of RSB refilling patches on all machines, especially on Core-i7 Skylake and newer processors, to protect against SpectreRSB. In conclusion, system developers must consider SpectreRSB when developing defenses against speculation attacks.