Slashdot Mirror


Researchers Detail New CPU Side-Channel Attack Named SpectreRSB (bleepingcomputer.com)

An anonymous reader writes: "Scientists from the University of California, Riverside (UCR) published details last week about a new Spectre-class attack that they call SpectreRSB," reports Bleeping Computer. "Just like all 'Spectre-class' attacks, SpectreRSB takes advantage of the process of speculative execution -- a feature found in all modern CPUs that has the role of improving performance by computing operations in advance and later discarding unneeded data. The difference from previous Spectre-like attacks is that SpectreRSB recovers data from the speculative execution process by attacking a different CPU component involved in this 'speculation' routine, namely the Return Stack Buffer (RSB)." In a research paper, academics say they've used SpectreRSB attacks to recover data belonging to other processes, and have even tricked the RSB into spilling SGX secrets. The attack works on Intel, AMD, and ARM processors, known to use RSB. The attack can also bypass all the mitigations put in place for the original Spectre/Meltdown flaws.

3 of 39 comments

  1. OpenBSD by jmccue · Score: 5, Interesting

    Because the RSB is shared among hardware threads that execute on the same virtual processor, this pollution enables inter-process, and even inter-VM, pollution of the RSB.

    Well, I guess there is a reason OpenBSD folks did this:

    https://arstechnica.com/civis/...
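    The link above is truncated, so this page does not say what OpenBSD changed. As an added example (not code from the paper, from OpenBSD, or from anyone in this thread), here is the software mitigation that directly targets the pollution the quoted sentence describes: an RSB refill, also called RSB stuffing, of the kind operating systems run at context switch and on VM exit. The CPU executes a burst of calls whose return addresses all point at a speculation trap, then the stack is unwound architecturally, leaving the RSB full of harmless entries so that any later `ret` that consumes a stale or attacker-planted prediction lands in the trap rather than at a gadget. The iteration count of 32 is an assumption borrowed from the Linux kernel's FILL_RETURN_BUFFER sequence (RSB_CLEAR_LOOPS); the function name rsb_refill is my own. It is x86-64 GCC/Clang inline assembly; other targets compile to a no-op that reports 0.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: 32 iterations, as in Linux's RSB_CLEAR_LOOPS, to cover
 * the largest RSB sizes in the field. */
#define RSB_CLEAR_LOOPS 32
/* 128-byte SysV red zone skipped first, plus 8 bytes per pushed return address. */
#define RSB_STACK_BYTES 384
#define STR_(x) #x
#define STR(x) STR_(x)

_Static_assert(RSB_STACK_BYTES == 128 + 8 * RSB_CLEAR_LOOPS,
               "stack unwind must match the number of calls made");

/* Fills the return stack buffer with RSB_CLEAR_LOOPS entries that all
 * point at a speculation trap (pause; lfence; jmp self).
 * Returns the number of entries written, -1 if the inline asm failed to
 * restore the stack pointer (a self-check on the unwind arithmetic),
 * or 0 on targets where no refill is implemented.
 * noinline: the asm temporarily pushes below rsp, so it must never be
 * inlined into a caller that keeps locals in the red zone. */
__attribute__((noinline))
int rsb_refill(void)
{
#if defined(__x86_64__) && (defined(__GNUC__) || defined(__clang__))
    uintptr_t sp_before, sp_after;
    __asm__ __volatile__(
        "mov  %%rsp, %0\n\t"
        "sub  $128, %%rsp\n\t"                   /* keep the pushes out of the red zone */
        "mov  $" STR(RSB_CLEAR_LOOPS) ", %%ecx\n\t"
        "1:\n\t"
        "call 2f\n\t"                            /* pushes the address of 3: onto the stack and the RSB */
        "3:\n\t"
        "pause\n\t"                              /* speculation trap: a mispredicted ret spins here */
        "lfence\n\t"
        "jmp  3b\n\t"
        "2:\n\t"
        "dec  %%ecx\n\t"
        "jnz  1b\n\t"                            /* repeat until RSB_CLEAR_LOOPS return addresses were pushed */
        "add  $" STR(RSB_STACK_BYTES) ", %%rsp\n\t" /* drop them architecturally; the RSB keeps them */
        "mov  %%rsp, %1\n\t"
        : "=&r"(sp_before), "=r"(sp_after)
        :
        : "rcx", "cc", "memory");
    return sp_before == sp_after ? RSB_CLEAR_LOOPS : -1;
#else
    return 0;                                    /* no RSB refill implemented for this target */
#endif
}

int main(void)
{
    int n = rsb_refill();
    if (n < 0) {
        puts("rsb_refill: stack pointer not restored");
        return 1;
    }
    printf("RSB refilled with %d trap entries\n", n);
    return 0;
}
```

    Two practical points. The refill has to run after the last `ret` of the old context and before the first `ret` of the new one, so it belongs in the switch path itself, not in ordinary code; and it only removes what a previous context left behind. On a design where two hardware threads share one RSB, as the quoted sentence describes, a sibling thread that keeps running can write fresh entries after the refill, which a switch-time refill cannot undo, so it complements rather than replaces decisions about SMT.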

  2. Javascript and virtualisation as vectors by Anonymous Coward · Score: 5, Informative

    JavaScript in browsers means EVERY workstation is running insecure remote code. Being this far from the hardware limits some attacks, but it basically gives the attackers all day, every day on every machine to work at it.

    Cloud services (virtualisation) give every attacker the opportunity to run their code on the same hardware as any number of potential victims. Again, they can attack all day, every day. They will win some, often enough to matter. It's like a giant bad guy lottery.

  3. "The attack works on Intel, AMD, and ARM ..." by Megol · Score: 5, Informative

    Citation needed. I'll provide the one in the paper: "Although we did not demonstrate attacks on AMD and ARM processors, they also use RSBs to predict return addresses"

    I'll also note that the only demonstrated working attack is against Intel SGX enclaves, something that is Intel specific. There are demonstrations that do not expose information within a process and between two co-operating processes; however, those are normally not a security problem.

    No doubt some type of attack using the return address stack is possible on AMD, ARM, and other processors with branch prediction. However that isn't demonstrated and it isn't claimed in the linked paper.