New Spectre-Class Attack Found by UCR Scientists

July 28, 2018


One more side-channel weakness has been found that could be abused in a Spectre-class attack. This attack technique is not stopped by the earlier patches that address the original Spectre flaws. The weakness was discovered by researchers at the University of California, Riverside (UCR), who recently published details of the attack technique, which they call Spectre-RSB.

The attack exploits the speculative execution feature of modern CPUs, which improves performance by carrying out computations ahead of time, before it is known whether their results will be needed.

Unlike earlier Spectre attacks, this technique abuses the Return Stack Buffer (RSB) speculation mechanism rather than the branch predictor. The RSB is used to predict return addresses during speculation with a high degree of accuracy. Nevertheless, the researchers have shown that it is possible to carry out attacks that “abuse the Return Stack Buffer (RSB) to cause speculative implementation of the payload gadget that reads and discloses confidential information.”

The researchers showed that it is possible to pollute the RSB and obtain data from other applications running on the same CPU and, in a further attack, were able to trigger a misspeculation that leaked data out of an SGX enclave.

Although Retpoline and Intel’s microcode patches stop the original Spectre flaw from being exploited, the researchers say these patches do not address the RSB flaw. Intel has issued a patch known as RSB refilling for some of its CPUs, which disrupts Spectre-RSB attacks that cross into the kernel. That patch was issued to address a separate weakness and was only rolled out for Core i7 Skylake and newer processors, not Intel’s Xeon line. The researchers recommend that the patch be applied on all machines to protect against Spectre-RSB attacks.
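As an added defender-side check (not code from the article or from the UCR researchers): on Linux the kernel reports whether the RSB-refilling mitigation the article refers to is active by including the words "RSB filling" in the spectre_v2 entry under /sys/devices/system/cpu/vulnerabilities. The sample status lines in the test are constructed; the sysfs path is the real one. Note that this only reflects the kernel's own mitigation status, not whether a given userspace application has any protection against the user-to-user variant described above.

```shell
#!/bin/sh
# Classify a Linux spectre_v2 status line by whether it reports the
# RSB-filling mitigation. The file below is the kernel's real reporting
# location; older kernels separate the fields with ",", newer ones with ";",
# so we only look for the stable "RSB filling" substring.
SPECTRE_V2_SYSFS=/sys/devices/system/cpu/vulnerabilities/spectre_v2

# rsb_status STATUS_LINE
#   prints: vulnerable | not-affected | rsb-filling | no-rsb-filling | unknown
rsb_status() {
  case "$1" in
    Vulnerable*)          echo vulnerable ;;      # kernel says no effective mitigation
    "Not affected"*)      echo not-affected ;;
    Mitigation:*"RSB filling"*) echo rsb-filling ;;   # refilling is on
    Mitigation:*)         echo no-rsb-filling ;;  # mitigated, but without RSB refill
    *)                    echo unknown ;;
  esac
}

# check_host: read the live sysfs file if it is readable, else report unknown
# (e.g. on non-Linux systems or in a restricted container).
check_host() {
  if [ -r "$SPECTRE_V2_SYSFS" ]; then
    rsb_status "$(cat "$SPECTRE_V2_SYSFS")"
  else
    echo unknown
  fi
}

check_host
```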

Intel responded to a request from Bleeping Computer regarding the flaws, stating that the Spectre-RSB attack technique is related to the Branch Target Injection vulnerability (CVE-2017-5715) and that existing mitigations can prevent these Spectre-RSB attacks.

The UCR researchers note that although they have not tested the technique on AMD and ARM processors, both also use an RSB to predict return addresses and are likely to be vulnerable to this attack technique as well.