The Spectre class of vulnerabilities keep rising due to the mechanism used in the speculative execution in most of the modern processor chips. There are a lot of patches provided by the chipmakers that claim to have solved the Spectre’s first variant and companies also proposed a design fix called SafeSpec although new variants of Spectre keep showing up.
These findings keep raising questions about whether the old vulnerabilities were fixed or not. A researcher named Vladimir Kiriansky and Carl Waldspurger had previously disclosed new data-stealing exploits named as Spectre 1.1 and 1.2.
Now a new vulnerability has been announced named SpectreRSB which exploits and the return stack buffer (RSB). The system is used in the modern CPUs to predict the return address which will point to the data usually this work is done by the branch predictor unit.
There has been a paper published titled “Spectre Returns! Speculation Attacks using the Return Stack Buffer“. The paper was published using a pre-print server ArXiv, boffins Esmaeil Mohammadian Koruyeh, Khaled Khasaweh, Chengyu Song and Nael Abu-Ghazaleh. The details mentioned in the new Spectre class vulnerability shows that these researchers have obtained the same data as the Spectre Variant 1. The latest way of data-theft requires a forcing for the processor to miss-speculate using the RSB using call instruction on the x86 architecture. The SpectreRSB allows the attacker to push different values to the RSB so that the return address for the call instruction is changed and no longer matches the actual RSB.
The paper has also provided some sample code that gives you an understanding of the vulnerability.
Function gadget()
{
push %rbp
mov %rsp, %rbp
pop %rdi //remove frame/return address
pop %rdi //from stack stopping at
pop %rdi //next return address
nop
pop %rbp
clflush (%rsp) //flush the return address
cpuid
retq //triggers speculative return to 17
} //committed return goes to 23
Function speculative(char *secret_ptr)
{
gadget(); //modify the Software stack
secret = *secret_ptr; //Speculative return here
temp &= Array[secret * 256]; //Access Array
}
Function main()
{
speculative(secret_address);
for (i = 1 to 256) //Actual return to here
{
t1 = rdtscp();
junk = Array[i * 256]; //check cache hit
t2 = rdtscp();
}
}
This latest vulnerability shows that the Spectre threat is far from over and the chip makers may need to return to the drawing board.
Take your time to comment on this article.