[GTALUG] ret2spec: Speculative Execution Using Return Stack Buffers

David Collier-Brown davec-b at rogers.com
Thu Aug 9 14:34:54 EDT 2018


For any instruction that can be executed during speculation, if it has 
an effect, it's arguably usable as a covert channel (;-))

--dave


On 2018-08-09 10:03 a.m., Russell Reiter via talk wrote:
> More Intel woes.
>
> http://www.digitaljournal.com/tech-and-science/technology/new-security-flaw-with-intel-processors/article/529077
>
> Quote from the whitepaper link in the article.
>
> 3 GENERAL ATTACK OVERVIEW
>
> Before detailing specific attack scenarios, in this section, we 
> introduce the basics of how RSB-based speculative execution can be 
> achieved and be abused. We explore whether and how attackers may 
> manipulate the RSB entries in order to leak sensitive data using 
> speculative execution that they could not access otherwise. Similar to 
> recent microarchitectural attacks [8, 10, 22, 26, 29], we trick the 
> CPU to execute instructions that would not have been executed in a 
> sequential execution. The goal is to leak sensitive information in 
> speculation, e.g., by caching a certain memory area that can be 
> detected in a normal (non-speculative) execution. The general idea of 
> our attack can be divided into three steps:
>
> (A1) trigger misspeculations in the return address predictor, i.e., 
> enforce that returns mispredict
>
> (A2) divert the speculative execution to a known/controlled code 
> sequence with the required context
>
> (A3) modify the architectural state in speculation, such that it can 
> be detected from outside
>
> (A1) Triggering Misspeculation: From an attacker’s perspective, 
> enforcing that the return predictor misspeculates upon function return 
> is essential to reliably divert speculative execution to 
> attacker-controlled code (see A2 for how to control the speculated 
> code). Misspeculations can be achieved in several ways, depending on 
> the RSB's underflow behavior (as discussed in Section 2.3).
>
> ---
> Talk Mailing List
> talk at gtalug.org
> https://gtalug.org/mailman/listinfo/talk


-- 
David Collier-Brown,         | Always do right. This will gratify
System Programmer and Author | some people and astonish the rest
davecb at spamcop.net           |                      -- Mark Twain
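The three steps quoted above are easier to reason about with something that runs. The C below is an added illustration written for this archive page; it is not code from the ret2spec paper or from anyone on the thread. It models step (A1), a circular 16-entry return stack buffer whose oldest entries are overwritten by deep call chains so that the outermost returns mispredict, and the receiving end of step (A3), a Flush+Reload probe array that reads back which page a speculative gadget touched. Step (A2), steering the mispredicted return into a chosen gadget, is deliberately left out because it depends on stack and microarchitecture details the excerpt does not give. Assumptions, all mine and not from the page: RSB_ENTRIES = 16, wrap-around on underflow (one of the behaviours Section 2.3 of the paper contrasts; newer Intel parts instead fall back to the indirect branch predictor), a cache-hit threshold of 120 cycles, and constructed sample latencies standing in for a real measurement.

```c
/* Added example, not from the ret2spec paper or the list thread.
 * Models RSB underflow (attack step A1) and the Flush+Reload receiver
 * of the cache covert channel (attack step A3). Assumptions: a 16-entry
 * circular RSB that wraps to stale entries on underflow, and a 120-cycle
 * cache-hit threshold; both are illustrative, not measured values. */
#include <stdint.h>
#include <stdio.h>

#define RSB_ENTRIES 16            /* assumed size, typical for Intel Core */
#define PROBE_STRIDE 4096         /* one probe page per possible byte value */
#define CACHE_HIT_THRESHOLD 120   /* assumed cycles; calibrate on real hardware */

/* Software model of the return stack buffer: CALL pushes the return
 * address, RET pops the prediction. The buffer is circular, so a chain
 * deeper than RSB_ENTRIES silently overwrites the oldest entries. */
typedef struct {
    uintptr_t entry[RSB_ENTRIES];
    unsigned  top;   /* number of pushes minus pops; index = top % RSB_ENTRIES */
} rsb_model;

static void rsb_push(rsb_model *r, uintptr_t ret_addr) {
    r->entry[r->top % RSB_ENTRIES] = ret_addr;   /* overwrites oldest when full */
    r->top++;
}

static uintptr_t rsb_pop(rsb_model *r) {
    r->top--;
    return r->entry[r->top % RSB_ENTRIES];       /* stale after a wrap-around */
}

/* Step A1: count how many returns of a call chain `depth` deep are
 * mispredicted by the model. Nested call i pushes return address i;
 * returns are replayed LIFO and compared with the prediction. With a
 * wrap-around RSB this is max(0, depth - RSB_ENTRIES). */
static unsigned rsb_mispredicts_for_depth(unsigned depth) {
    rsb_model r = { {0}, 0 };
    unsigned wrong = 0;
    for (unsigned i = 1; i <= depth; i++)
        rsb_push(&r, (uintptr_t)i);
    for (unsigned i = depth; i >= 1; i--)
        if (rsb_pop(&r) != (uintptr_t)i)
            wrong++;
    return wrong;
}

/* Step A3 receiver: the speculative gadget touched probe[secret * STRIDE].
 * latencies[i] is the reload time of probe page i. Returns the one page
 * that came back from cache, or -1 when none or more than one did (no
 * misspeculation, or noise), so callers can retry instead of trusting junk. */
static int decode_leaked_byte(const uint64_t latencies[256], uint64_t threshold) {
    int hit = -1;
    for (int i = 0; i < 256; i++) {
        if (latencies[i] < threshold) {
            if (hit != -1)
                return -1;           /* ambiguous: two pages look cached */
            hit = i;
        }
    }
    return hit;
}

/* Constructed sample: every page misses (300 cycles) except `cached_page`
 * (60 cycles). Stands in for a real reload measurement. */
static void sample_latency_vector(uint64_t out[256], int cached_page) {
    for (int i = 0; i < 256; i++)
        out[i] = 300;
    out[cached_page] = 60;
}

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
static uint8_t probe[256 * PROBE_STRIDE];   /* one page per byte value */

/* Evict every probe page so that only a later access brings one back. */
static void flush_probe(void) {
    for (int i = 0; i < 256; i++)
        _mm_clflush(&probe[i * PROBE_STRIDE]);
    _mm_mfence();
}

/* Time one reload; a cached page returns in far fewer cycles than a miss. */
static uint64_t reload_time(int i) {
    unsigned aux;
    uint64_t t0 = __rdtscp(&aux);
    (void)*(volatile uint8_t *)&probe[i * PROBE_STRIDE];
    return __rdtscp(&aux) - t0;
}
#endif

int main(void) {
    for (unsigned d = 8; d <= 40; d += 8)
        printf("call depth %2u: %u returns mispredict\n", d, rsb_mispredicts_for_depth(d));

    uint64_t lat[256];
    sample_latency_vector(lat, 0x41);
    printf("constructed sample decodes to 0x%02x\n", decode_leaked_byte(lat, CACHE_HIT_THRESHOLD));

#if defined(__x86_64__) || defined(__i386__)
    /* Real Flush+Reload on this machine, touching the page architecturally
     * rather than in speculation, just to exercise the receiver. */
    flush_probe();
    (void)*(volatile uint8_t *)&probe[0x41 * PROBE_STRIDE];
    for (int i = 0; i < 256; i++)
        lat[i] = reload_time(i);
    printf("hardware probe decodes to %d (expect 0x41 = 65, or -1 on noise)\n",
           decode_leaked_byte(lat, CACHE_HIT_THRESHOLD));
#endif
    return 0;
}
```

The model makes the paper's point about underflow concrete: up to sixteen nested calls return correctly, and every call beyond that costs one mispredicted return at the outer end of the chain, which is exactly the window an attacker uses in (A2). The receiver returns -1 rather than a guess whenever zero or several pages look cached; a real attack repeats the measurement and votes, because a single noisy reload is not evidence.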
