RETBLEED: New Spectre-BTI Attack (ETH Zurich)


A new Spectre-BTI attack that "leaks arbitrary kernel memory" is detailed in the research paper "RETBLEED: Arbitrary Speculative Code Execution with Return Instructions" from researchers at ETH Zürich. Mitigations are available.

“Modern operating systems rely on software defenses against hardware attacks. These defenses are, however, as good as the assumptions they make on the underlying hardware. In this paper, we invalidate some of the key assumptions behind retpoline, a widely deployed mitigation against Spectre Branch Target Injection (BTI) that converts vulnerable indirect branches to protected returns. We present RETBLEED, a new Spectre-BTI attack that leaks arbitrary kernel memory on fully patched Intel and AMD systems. Two insights make RETBLEED possible: first, we show that return instructions behave like indirect branches under certain microarchitecture-dependent conditions, which we reverse engineer. Our dynamic analysis framework discovers many exploitable return instructions inside the Linux kernel, reachable through unprivileged system calls. Second, we show how an unprivileged attacker can arbitrarily control the predicted target of such return instructions by branching into kernel memory. RETBLEED leaks privileged memory at the rate of 219 bytes/s on Intel Coffee Lake and 3.9 kB/s on AMD Zen 2.”

The technical paper is available here, and the related ETH Zurich COMSEC materials, including a demo, a list of affected machines, mitigations and FAQs, are here. Published 2022.

Authors: Johannes Wikner and Kaveh Razavi, COMSEC group at ETH Zurich.
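As a defender-side check of the mitigations the note refers to, here is an added example (not code from the paper or from the COMSEC group) that classifies the Retbleed status string the Linux kernel reports in sysfs. The sysfs path is the standard one used by kernels that ship the Retbleed mitigation; the status strings used in the comments and checks are constructed samples.

```sh
#!/bin/sh
# Added example: classify the kernel's Retbleed status string.
# Path used by kernels carrying the Retbleed mitigation (assumed present
# only on patched kernels; older kernels have no such file).
RETBLEED_SYSFS=/sys/devices/system/cpu/vulnerabilities/retbleed

# classify_retbleed STATUS
# Prints one of: not-affected, mitigated, mitigated-smt-exposed, vulnerable,
# unknown. Returns 0 when the host is not affected or fully mitigated, 1
# otherwise, so it can drive a fleet inventory or a CI gate.
classify_retbleed() {
    case "$1" in
        "Not affected"*)                echo not-affected;         return 0 ;;
        Mitigation:*"SMT vulnerable"*)  echo mitigated-smt-exposed; return 1 ;;
        Mitigation:*)                   echo mitigated;            return 0 ;;
        Vulnerable*)                    echo vulnerable;           return 1 ;;
        *)                              echo unknown;              return 1 ;;
    esac
}

# check_host: read the live sysfs entry when present. A missing entry means
# the running kernel predates the Retbleed mitigation, which is itself a
# finding worth reporting.
check_host() {
    if [ -r "$RETBLEED_SYSFS" ]; then
        classify_retbleed "$(cat "$RETBLEED_SYSFS")"
    else
        echo "no-sysfs-entry (kernel predates the Retbleed mitigation)"
        return 1
    fi
}
```

Run `check_host` on each machine and treat any non-zero exit as needing a kernel or microcode update; the "SMT vulnerable" case flags hosts where the mitigation is in place but sibling-thread exposure remains.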
