Researchers have found a new speculative execution attack, “Retbleed,” impacting CPU security. The attack becomes possible due to vulnerabilities in AMD and Intel chips, allowing sensitive data to be intercepted.
Retbleed Attack Threatens Chip Security
A team of researchers from the Department of Information Technology and Electrical Engineering (D-ITET) at ETH Zürich has discovered the Retbleed attack, which targets computer chips. This Spectre-like attack undermines the Retpoline software mitigation against the original Spectre vulnerabilities.
As the researchers explain, Retbleed rests on two findings. First, they demonstrated how, under specific microarchitectural conditions, return instructions can behave like indirect branches. Reverse-engineering this behavior allowed them to discover numerous exploitable return instructions in the Linux kernel. Second, they demonstrated how an unprivileged adversary could “control the predicted target of return instructions by branching into the kernel memory.”
Specifically, on Intel chips, the attack scenario arises when return instructions start behaving like indirect jumps, i.e. branches whose target is determined at runtime. This happens when the Return Stack Buffer underflows. On AMD CPUs, in contrast, returns behave as indirect branches regardless of the Return Address Stack state.
The researchers have shared the details of their findings in a research paper that they plan to present at USENIX Security 2022, to be held in August. They have also demonstrated a PoC exploit in the following video.
Recommended Mitigations
According to the researchers, Retbleed affects AMD Zen 1, Zen 1+, and Zen 2 CPUs, and Intel Core generations 6, 7, and 8. Following the discovery, the researchers reached out to Intel and AMD, both of which have shared detailed lists of vulnerable chips.
Retbleed exists because the Retpoline mitigations do not treat return instructions as an attack vector. Hence, the mitigation strategies the researchers propose focus on preventing speculation and on isolation. The researchers nonetheless expect a performance overhead from applying these mitigations.
Since Intel and AMD have addressed the problem with software updates, the researchers urge all users to update their operating systems to receive the fixes.
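A patch-compliance check that follows from the advice above, added here as an example and not part of the article or of the researchers' work; it assumes a Linux kernel that exports the retbleed and spectre_v2 entries under /sys/devices/system/cpu/vulnerabilities (the retbleed entry arrived with the kernel's Retbleed mitigations):

```shell
#!/bin/sh
# Added example, not from the article or the ETH Zurich paper: classify the
# Linux kernel's own Retbleed status report for a patch-compliance check.
# Assumes a kernel new enough to export the sysfs entry below (it arrived
# with the Retbleed mitigations); an absent entry most likely means an
# unpatched kernel, which the script reports as "unknown".

RETBLEED_SYSFS=/sys/devices/system/cpu/vulnerabilities/retbleed
SPECTRE_V2_SYSFS=/sys/devices/system/cpu/vulnerabilities/spectre_v2

# classify_retbleed STATUS_LINE
# Prints not-affected, mitigated, vulnerable or unknown. Only the generic
# prefixes the kernel uses for every entry in that directory are matched;
# the detail after "Mitigation:" / "Vulnerable" varies between kernels.
classify_retbleed() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# retpoline_gap RETBLEED_CLASS SPECTRE_V2_LINE
# The article's point in one check: a host whose spectre_v2 entry reports
# Retpolines but whose retbleed entry is not mitigated (or is missing) is
# relying on a mitigation that does not cover return instructions.
retpoline_gap() {
    case "$1:$2" in
        mitigated:*|not-affected:*) echo no ;;
        *Retpoline*)                echo yes ;;
        *)                          echo no ;;
    esac
}

# Report for the running host; files are read with a fallback so the
# script also runs on kernels or systems without these sysfs entries.
report_host() {
    rb=$(cat "$RETBLEED_SYSFS" 2>/dev/null || echo "")
    sv2=$(cat "$SPECTRE_V2_SYSFS" 2>/dev/null || echo "")
    class=$(classify_retbleed "$rb")
    printf 'retbleed: %s (%s)\n' "$class" "${rb:-sysfs entry absent}"
    printf 'retpoline-only gap: %s\n' "$(retpoline_gap "$class" "$sv2")"
}

report_host
```

Run it across a fleet and treat any host answering "vulnerable" or "unknown", and especially one with a "yes" in the gap line, as still needing the OS update the researchers recommend.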