ret2spec: Speculative Execution Using Return Stack Buffers (1807.10364v2)

Abstract: Speculative execution is an optimization technique that has been part of CPUs for over a decade. It predicts the outcome and target of branch instructions to avoid stalling the execution pipeline. However, until recently, the security implications of speculative code execution have not been studied. In this paper, we investigate a special type of branch predictor that is responsible for predicting return addresses. To the best of our knowledge, we are the first to study return address predictors and their consequences for the security of modern software. In our work, we show how return stack buffers (RSBs), the core unit of return address predictors, can be used to trigger misspeculations. Based on this knowledge, we propose two new attack variants using RSBs that give attackers similar capabilities as the documented Spectre attacks. We show how local attackers can gain arbitrary speculative code execution across processes, e.g., to leak passwords another user enters on a shared system. Our evaluation showed that the recent Spectre countermeasures deployed in operating systems can also cover such RSB-based cross-process attacks. Yet we then demonstrate that attackers can trigger misspeculation in JIT environments in order to leak arbitrary memory content of browser processes. Reading outside the sandboxed memory region with JIT-compiled code is still possible with 80\% accuracy on average.

• The paper introduces two novel attack variants that exploit RSBs to trigger speculative execution, leading to cross-process and in-process memory leaks.
• The paper demonstrates that RSB exploitation can bypass memory isolation in JIT-compiled code with up to 80% attack accuracy under simulated conditions.
• The paper evaluates current mitigations and advocates for comprehensive hardware-software defenses to address the emerging microarchitectural vulnerabilities.

Speculative Execution Using Return Stack Buffers: A Security Analysis

The paper "Speculative Execution Using Return Stack Buffers" presents critical research on the security implications of speculative execution in modern CPUs, focusing specifically on Return Stack Buffers (RSBs). Presented by Giorgi Maisuradze and Christian Rossow, this work explores the potential for exploiting RSBs in the context of microarchitectural attacks, expanding the understanding of this threat landscape beyond the previously identified Spectre techniques.

Research Overview

The concept of speculative execution has long been integrated into CPU design as a method to optimize performance. By predicting the outcomes and targets of branch instructions, CPUs can pre-emptively execute certain operations, thereby mitigating pipeline stalls. However, this optimization presents significant security risks. The widely known Spectre and Meltdown vulnerabilities highlighted some of these risks by demonstrating how speculative execution can lead to unauthorized data leaks across process boundaries.

This paper introduces and examines a new dimension of this vulnerability vector, examining the role of return address predictors, specifically RSBs, which are fundamental to the speculative execution process. The authors detail how RSBs, which are supposed to predict return addresses to improve performance on function returns, can be manipulated to trigger misspeculations. They demonstrate two novel attack vectors that parallel the capabilities of Spectre-type attacks but leverage RSBs instead of the branch target buffer (BTB).

Key Findings

1. Attack Techniques: Two attack variants are proposed—cross-process speculative execution and in-process arbitrary memory read. Both methods exploit RSBs to achieve speculative execution that leads to information leaks.
   • Cross-Process Attack: The authors present a scenario where an attacker can initialize their own process and manipulate the RSB, leading to speculative execution in a victim process, thus enabling the reading of arbitrary memory, like user-captured keystrokes.
   • In-Process Attack: Exploiting RSBs within a single process, this attack targets JIT-compiled code (e.g., WebAssembly) to read memory outside sandboxed regions, demonstrating up to an 80% accuracy in bypassing browser memory isolation.
2. Demonstration of RSB Vulnerability: The contribution of misspeculation vulnerabilities within RSBs provides evidence that speculative execution issues extend beyond known branch prediction channels.
3. Evaluation and Mitigation: The authors assert that current countermeasures against Spectre may coincidentally mitigate these RSB-based attacks, particularly through practices like context switch flushing. However, the depth of their analysis implies that such fixes are insufficient without a comprehensive understanding of RSB behavior.

Implications and Future Work

The implications of this research are profound both practically and theoretically. Practically, it identifies vulnerabilities in widely-used CPU designs that complicate the isolation assumptions critical to many security models. Meanwhile, theoretically, it challenges the industry to think beyond the Spectre model, urging a reconsideration of speculative execution safeguards, especially as they pertain to return predictions.

Moving forward, a holistic approach combining hardware and software measures appears necessary. At the hardware level, more sophisticated RSB flushing strategies could mitigate cross-process attacks. On the compiler and OS fronts, enhancing execution isolation and randomizing RSB entries might help curb speculative channels.

Moreover, the paper encourages further exploration into indirect effects of speculative execution optimizations, which may yield additional vulnerabilities. The authors’ foresight in dissecting RSB mechanics opens avenues for academia and industry to improve processor design and validation.

In sum, this paper not only extrapolates upon existing security research surrounding speculation-based attacks but also provides a crucial framework for understanding and mitigating emerging threat vectors linked to return stack buffers. The research impels the community towards advancing its strategies in handling the inherently risky yet performance-enhancing speculative execution in modern CPUs.