Spectre Rises Again With A Vulnerability In Return Stack Buffer

The Spectre class of vulnerabilities keep rising due to the mechanism used in the speculative execution in most of the modern processor chips. There are a lot of patches provided by the chipmakers that claim to have solved the Spectre’s first variant and companies also proposed a design fix called SafeSpec although new variants of Spectre keep showing up.

These findings keep raising questions about whether the old vulnerabilities were fixed or not. A researcher named Vladimir Kiriansky and Carl Waldspurger had previously disclosed new data-stealing exploits named as Spectre 1.1 and 1.2.

Now a new vulnerability has been announced named SpectreRSB which exploits and the return stack buffer (RSB). The system is used in the modern CPUs to predict the return address which will point to the data usually this work is done by the branch predictor unit.

There has been a paper published titled “Spectre Returns! Speculation Attacks using the Return Stack Buffer“. The paper was published using a pre-print server ArXiv, boffins Esmaeil Mohammadian Koruyeh, Khaled Khasaweh, Chengyu Song and Nael Abu-Ghazaleh. The details mentioned in the new Spectre class vulnerability shows that these researchers have obtained the same data as the Spectre Variant 1. The latest way of data-theft requires a forcing for the processor to miss-speculate using the RSB using call instruction on the x86 architecture. The SpectreRSB allows the attacker to push different values to the RSB so that the return address for the call instruction is changed and no longer matches the actual RSB.

The paper has also provided some sample code that gives you an understanding of the vulnerability.


Function gadget()
 {
   push %rbp
   mov %rsp, %rbp
   pop %rdi //remove frame/return address
   pop %rdi //from stack stopping at
   pop %rdi //next return address
   nop
   pop %rbp
  clflush (%rsp) //flush the return address
  cpuid
  retq //triggers speculative return to 17
 } //committed return goes to 23
 Function speculative(char *secret_ptr)
 {
  gadget(); //modify the Software stack
  secret = *secret_ptr; //Speculative return here
  temp &= Array[secret * 256]; //Access Array
 }
 Function main()
 {
  speculative(secret_address);
  for (i = 1 to 256) //Actual return to here
  {
   t1 = rdtscp();
   junk = Array[i * 256]; //check cache hit
   t2 = rdtscp();
  }
 }

This latest vulnerability shows that the Spectre threat is far from over and the chip makers may need to return to the drawing board.

Take your time to comment on this article.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients