Since Meltdown and Spectre were disclosed by Google in January, Intel has shored up the kernel-level vulnerability with patches. However, 11 more Spectre-related flaws have been discovered in the following months. As Intel attempts to keep control of the situation, another two Return Stack Buffer (RSB) vulnerabilities have been found.
SpectreRSB and ret2spec are two Intel CPU-level flaws that abuse the Return Stack Buffer but use different potential attack procedures.
Looking at ret2spec first, it was discovered by researchers at the University of Saarland and the University of California. Security experts showed how the RSB of Intel CPUs can be tricked into handing over information from protected memory locations. Intel and AMD have admitted the vulnerability is real and could be exploited through speculative execution.
Attackers could exploit the ret2spec flaw through an infected website or an email carrying malicious code. Since the Spectre flaw was disclosed, companies, including web browser developers, have patched their services to fend off such attacks. Browsers would potentially protect against ret2spec exploits, and even attempting an attack would not be easy.
Attackers would also need an accurate timer to carry out the attack. Still, the research team managed to create a proof-of-concept (PoC) in Mozilla's Firefox 59. They achieved this by using a modified timer, adjusting it to a more precise 2 millisecond resolution. In fact, the team points out it would be possible to make timers even more accurate.
“The security gap arises because processors predict a so-called return address for runtime optimization,” says Prof. Dr. Rossow. “If an attacker can manipulate this prediction, he gains control over speculatively executed program code. It can read out data via side channels that should actually be protected from access.”
Malware could trick the system into providing information from the memory, such as critical data or browser passwords. The attack could be varied to read the memory of other processes on a machine.
A separate Spectre flaw that targets the Return Stack Buffer was discovered by the University of California, Riverside (UCR). The team behind the discovery published their paper on arXiv (PDF). This exploit also uses speculation to manipulate execution, but the attack procedure differs from ret2spec.
Modern PCs typically have a gap between the potential speed of the CPU and memory and what the PC actually delivers at any moment. Speculative execution is there to keep the machine running at an optimal level. To do this, the CPU runs batches of instructions ahead of time, before it knows whether they are needed.
That is fine, but the CPU does not always check whether a batch is accessing privileged memory at the moment the instructions are issued. The period between the CPU issuing those instructions and checking their access rights is a window that attackers can use to exploit the system.
Researchers who found the vulnerability say SpectreRSB differs from previous attacks with a similar M.O.
Targeting the RSB, a proof-of-concept (PoC) shows the flaw could compromise normal RSB functionality. The researchers infiltrated this routine and corrupted it by forcing speculative execution of code. As a result, persistent attackers could access full system memory and the memory of other processes.
“This attack bypasses all software and microcode patches on our SGX machine,” the team says. “We believe that SpectreRSB is a dangerous speculation attack that in some instances is not mitigated by the primary defenses against Spectre.”