TL;DR
This paper uncovers security vulnerabilities in return stack buffers (RSBs) used for speculative execution, demonstrating new attack methods that can leak sensitive data across processes and within JIT environments, despite existing countermeasures.
Contribution
It is the first to analyze return address predictors' security implications and introduce RSB-based attack variants similar to Spectre, expanding understanding of speculative execution vulnerabilities.
Findings
RSB-based attacks can leak cross-process data.
Countermeasures for Spectre also mitigate RSB attacks.
JIT environments are vulnerable to RSB-triggered memory leaks.
Abstract
Speculative execution is an optimization technique that has been part of CPUs for over a decade. It predicts the outcome and target of branch instructions to avoid stalling the execution pipeline. However, until recently, the security implications of speculative code execution have not been studied. In this paper, we investigate a special type of branch predictor that is responsible for predicting return addresses. To the best of our knowledge, we are the first to study return address predictors and their consequences for the security of modern software. In our work, we show how return stack buffers (RSBs), the core unit of return address predictors, can be used to trigger misspeculations. Based on this knowledge, we propose two new attack variants using RSBs that give attackers similar capabilities as the documented Spectre attacks. We show how local attackers can gain arbitrary…
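The abstract states that return stack buffers can be driven into misspeculation but the excerpt cuts off before explaining how. The Python model below is an added example, not code from the paper or its authors: it treats the RSB as a small circular stack that records a return address at every CALL and pops it as the predicted target at every RET, so any RET whose architectural return address differs from the recorded one is mispredicted (within one process, and across a context switch when the next process executes more RETs than CALLs). It also models the RSB-refilling countermeasure mentioned in the findings. The 16-entry depth, the filler address and all code addresses are assumptions or constructed values.

```python
# Toy model of a return stack buffer (RSB). Added example; not code from the
# paper. The 16-entry depth and the refill-on-context-switch mitigation are
# assumptions modelled after public descriptions, not measured values.

RSB_DEPTH = 16          # assumption: typical depth on recent Intel cores
FILLER = 0xDEAD0000     # hypothetical benign address used by RSB refilling


class ReturnStackBuffer:
    """Circular stack of predicted return targets, newest entry last."""

    def __init__(self, depth=RSB_DEPTH):
        self.depth = depth
        self.entries = []

    def call(self, return_address):
        # A CALL pushes the address of the instruction after it; when the
        # buffer is full the oldest entry is silently overwritten.
        if len(self.entries) == self.depth:
            del self.entries[0]
        self.entries.append(return_address)

    def ret(self):
        # A RET pops the most recent entry and speculates to it. On underflow
        # there is no RSB prediction (real CPUs may fall back to another
        # predictor here; the model simply reports None).
        return self.entries.pop() if self.entries else None


def run(rsb, events):
    """Replay ('call', addr) / ('ret', actual_addr) events against the RSB and
    return the (predicted, actual) pairs where the prediction was wrong, i.e.
    where the CPU would transiently execute at a stale target."""
    misses = []
    for kind, addr in events:
        if kind == "call":
            rsb.call(addr)
        elif kind == "ret":
            predicted = rsb.ret()
            if predicted != addr:
                misses.append((predicted, addr))
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    return misses


def context_switch(rsb, refill):
    """Model the kernel switching to another process. Without refilling the
    RSB keeps the previous process's entries; with refilling it is overwritten
    by DEPTH calls to a benign filler address."""
    if refill:
        for _ in range(rsb.depth):
            rsb.call(FILLER)


def same_process_scenario():
    # The architectural return address on the stack diverges from the one the
    # RSB recorded (stack switch, longjmp, or an overwritten return address):
    # RET then speculatively jumps to the stale RSB entry.
    rsb = ReturnStackBuffer()
    return run(rsb, [("call", 0x401000), ("ret", 0x402000)])


def cross_process_scenario(refill):
    # Process A (constructed addresses) leaves entries in the RSB, then the
    # kernel switches to process B, which executes more RETs than CALLs.
    rsb = ReturnStackBuffer()
    run(rsb, [("call", 0x400010), ("call", 0x400020)])
    context_switch(rsb, refill)
    return run(rsb, [("ret", 0x500010), ("ret", 0x500020)])


if __name__ == "__main__":
    print("same process:", same_process_scenario())
    print("cross process, no refill:", cross_process_scenario(False))
    print("cross process, refilled:", cross_process_scenario(True))
```

The two cross-process runs show the point of the mitigation: refilling does not stop the mispredictions, but it replaces the previous process's stale entries with a benign target, so the transient execution no longer lands at an address chosen by the other process.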