TL;DR
SpectreRSB is a new Spectre-class speculative execution attack that exploits the return stack buffer (RSB), the predictor modern CPUs use for return addresses, instead of the branch predictor. The paper demonstrates proof-of-concept attacks within a single process and against SGX enclaves, argues that kernel and cross-address-space variants are feasible under some practical and widely used conditions, and shows that no known defense, including Retpoline and Intel's microcode patches, stops all SpectreRSB variants.
Contribution
This paper introduces SpectreRSB, a novel Spectre-class attack that exploits the return stack buffer rather than the branch predictor unit, demonstrates it with proof-of-concept attacks, and shows the limitations of the defenses deployed against earlier Spectre variants.
Findings
Proof-of-concept SpectreRSB attacks work within a single process (as Spectre variant 1 does) and against SGX enclaves; attacks on the kernel and across address spaces are analyzed and shown to be possible under some practical and widely used conditions.
Existing defenses such as Retpoline and Intel's microcode patches do not stop all SpectreRSB attacks.
RSB refilling (overwriting the RSB with benign entries, for example on a context switch) mitigates some SpectreRSB attacks on certain Intel CPUs.
Abstract
The recent Spectre attacks exploit speculative execution, a pervasively used feature of modern microprocessors, to allow the exfiltration of sensitive data across protection boundaries. In this paper, we introduce a new Spectre-class attack that we call SpectreRSB. In particular, rather than exploiting the branch predictor unit, SpectreRSB exploits the return stack buffer (RSB), a common predictor structure in modern CPUs used to predict return addresses. We show that both local attacks (within the same process such as Spectre 1) and attacks on SGX are possible by constructing proof of concept attacks. We also analyze additional types of the attack on the kernel or across address spaces and show that under some practical and widely used conditions they are possible. Importantly, none of the known defenses including Retpoline and Intel's microcode patches stop all SpectreRSB attacks. We…
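The abstract describes the RSB as a predictor structure that the CPU consults on a return before the real return address is read from the software stack. The following C program is an added illustration, not code from the paper or its proof-of-concept: it models the RSB as a small circular stack and walks through two of the scenarios above, a same-process attack where the callee rewrites its own return address (modelled after the paper's local variant) and a cross-context attack where a victim consumes stale entries left by a previous context, with and without RSB refilling. The entry count (16), the wrap-around behaviour on underflow, the fixed nesting depths and every address are assumptions for the example; no real gadget or target is involved.

```c
/* Added illustration: a software model of a return stack buffer (RSB).
 * Not code from the SpectreRSB paper. Entry count, underflow policy
 * and all addresses are assumptions made for this example. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RSB_ENTRIES 16u            /* assumed size; real sizes vary by CPU */

/* Placeholder addresses, not real code locations. */
#define VICTIM_RET_SITE 0x401000u  /* instruction after the victim's call */
#define SKIP_TARGET     0x401080u  /* where the callee rewrites its return to */
#define ATTACKER_GADGET 0x7f0000u  /* return site the attacker pushes into the RSB */
#define BENIGN_TRAP     0xdead00u  /* entry used by RSB refilling (stuffing) */

typedef struct {
    uint64_t entry[RSB_ENTRIES];
    unsigned top;          /* index of the next free slot, modulo RSB_ENTRIES */
    unsigned mispredicts;  /* returns whose prediction differed from reality */
} rsb_t;

static void rsb_reset(rsb_t *r) { memset(r, 0, sizeof *r); }

/* CALL: push the return site. The buffer is circular, so when it is full
 * the oldest entry is overwritten rather than the push being dropped. */
static void rsb_call(rsb_t *r, uint64_t return_site)
{
    r->entry[r->top] = return_site;
    r->top = (r->top + 1) % RSB_ENTRIES;
}

/* RET: the CPU speculates to the top RSB entry before the real return
 * address is read from the software stack. If the two differ, the code at
 * the predicted address has already run speculatively (the Spectre window).
 * Popping an empty buffer wraps around and yields a stale entry (assumed). */
static uint64_t rsb_ret(rsb_t *r, uint64_t actual_return)
{
    r->top = (r->top + RSB_ENTRIES - 1) % RSB_ENTRIES;
    uint64_t predicted = r->entry[r->top];
    if (predicted != actual_return)
        r->mispredicts++;
    return predicted;
}

/* Same-process variant: the callee overwrites its own saved return address,
 * but the RSB still predicts the original return site, so the instructions
 * there execute speculatively. Returns the speculative target. */
static uint64_t local_attack(rsb_t *r)
{
    rsb_reset(r);
    rsb_call(r, VICTIM_RET_SITE);          /* call victim_fn */
    uint64_t saved_ret = VICTIM_RET_SITE;  /* the slot on the software stack */
    uint64_t *stack_slot = &saved_ret;
    *stack_slot = SKIP_TARGET;             /* callee rewrites it */
    return rsb_ret(r, saved_ret);          /* predicts VICTIM_RET_SITE */
}

/* Cross-context variant: the attacker fills the RSB with its own return
 * site, then a context switch occurs. A victim that executes more returns
 * than calls after the switch consumes the stale entries. With refilling,
 * the switch first overwrites every entry with a benign target. */
static uint64_t cross_context_attack(rsb_t *r, int refill_on_switch)
{
    rsb_reset(r);
    for (unsigned i = 0; i < RSB_ENTRIES; i++)
        rsb_call(r, ATTACKER_GADGET);      /* attacker: calls without returns */

    if (refill_on_switch)                  /* kernel-style RSB stuffing */
        for (unsigned i = 0; i < RSB_ENTRIES; i++)
            rsb_call(r, BENIGN_TRAP);

    /* victim: two calls, then three returns (the third return's matching
       call happened before the switch, so its RSB entry is gone). */
    rsb_call(r, 0x500010u);
    rsb_call(r, 0x500020u);
    (void)rsb_ret(r, 0x500020u);           /* prediction matches */
    (void)rsb_ret(r, 0x500010u);           /* prediction matches */
    return rsb_ret(r, 0x500000u);          /* underflow: stale entry */
}

int main(void)
{
    rsb_t r;
    printf("local:            speculates to 0x%" PRIx64 "\n", local_attack(&r));
    printf("cross, no refill: speculates to 0x%" PRIx64 "\n", cross_context_attack(&r, 0));
    printf("cross, refilled:  speculates to 0x%" PRIx64 "\n", cross_context_attack(&r, 1));
    return 0;
}
```

In the model the mismatch between the RSB and the software stack is what matters, not the absolute addresses: the local variant speculates to the original return site however the stack is rewritten, and refilling does not remove the misprediction on underflow, it only changes where the speculative window lands. Note that this says nothing about the SGX or kernel variants beyond the shared mechanism, and that the real paper's results depend on the specific CPU's RSB size and underflow behaviour.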
