Litcius/Paper detail

Spectre Returns! Speculation Attacks Using the Return Stack Buffer

Esmaeil Mohammadian Koruyeh, Khaled N. Khasawneh, Chengyu Song, Nael Abu‐Ghazaleh

2024IEEE Design and Test97 citationsDOIOpen Access PDF

Abstract

Modern microprocessors frequently use speculative execution, which can be exploited to exfiltrate sensitive data across protection boundaries. This paper introduces SpectreRSB, a new Spectre-class attack that exploits the return stack buffer (RSB). Unlike previous attacks, SpectreRSB does not rely on the branch predictor unit. Through proof of concept attacks, we demonstrate that SpectreRSB enables both local attacks within the same process and attacks on SGX. The paper also analyzes additional types of attacks on the kernel and shows that they are possible under widely used conditions. Importantly, Retpoline and Intel’s microcode patches do not stop all SpectreRSB attacks. We recommend the use of RSB refilling patches on all machines, especially on Core-i7 Skylake and newer processors, to protect against SpectreRSB. In conclusion, system developers must consider SpectreRSB when developing defenses against speculation attacks.

Topics & Concepts

ExploitComputer scienceVulnerability (computing)SpeculationBuffer overflowBranch predictorMicrocodeXeonComputer securityKernel (algebra)Operating systemXeon Phix86Speculative executionSoftwareBusinessCombinatoricsFinanceMathematicsSecurity and Verification in ComputingAdvanced Malware Detection TechniquesPhysical Unclonable Functions (PUFs) and Hardware Security
Spectre Returns! Speculation Attacks Using the Return Stack Buffer | Litcius