Ret2Spec: Speculative Execution Using Return Stack Buffers

Maisuradze, Giorgi and Rossow, Christian
(2018) Ret2Spec: Speculative Execution Using Return Stack Buffers.
In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, 15-19 Oct 2018, Toronto, Canada.
Conference: CCS ACM Conference on Computer and Communications Security

[img]
Preview
 Text
ret2spec-ccs2018.pdf
Download (766kB) | Preview
Official URL: http://doi.acm.org/10.1145/3243734.3243761

Abstract

Speculative execution is an optimization technique that has been part of CPUs for over a decade. It predicts the outcome and target of branch instructions to avoid stalling the execution pipeline. However, until recently, the security implications of speculative code execution have not been studied. In this paper, we investigate a special type of branch predictor that is responsible for predicting return addresses. To the best of our knowledge, we are the first to study return address predictors and their consequences for the security of modern software. In our work, we show how return stack buffers (RSBs), the core unit of return address predictors, can be used to trigger misspeculations. Based on this knowledge, we propose two new attack variants using RSBs that give attackers similar capabilities as the documented Spectre attacks. We show how local attackers can gain arbitrary speculative code execution across processes, e.g., to leak passwords another user enters on a shared system. Our evaluation showed that the recent Spectre countermeasures deployed in operating systems can also cover such RSB-based cross-process attacks. Yet we then demonstrate that attackers can trigger misspeculation in JIT environments in order to leak arbitrary memory content of browser processes. Reading outside the sandboxed memory region with JIT-compiled code is still possible with 80% accuracy on average.

Item Type: Conference or Workshop Item (A Paper) (Paper)
Uncontrolled Keywords: hardware security, javascript, side channel attacks
Divisions: Christian Rossow (System Security Group, SysSec)
Conference: CCS ACM Conference on Computer and Communications Security
Depositing User: Giorgi Maisuradze
Date Deposited: 23 Oct 2018 09:19
Last Modified: 15 Oct 2022 11:58
Primary Research Area: NRA3: Threat Detection and Defenses
URI: https://publications.cispa.saarland/id/eprint/2730

Actions

Actions (login required)

View Item View Item
CISPA is powered by EPrints 3 which is developed by the School of Electronics and Computer Science at the University of Southampton. More information and software credits.