Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Retbleed: New Speculative Execution Attack Targets Intel, AMD Processors

Researchers at Swiss university ETH Zurich have devised a new speculative execution attack that can lead to information leaks and works against both Intel and AMD processors.

Researchers at Swiss university ETH Zurich have devised a new speculative execution attack that can lead to information leaks and works against both Intel and AMD processors.

Named Retbleed, the attack targets retpolines (return trampolines), one of the defenses that was proposed in 2018 to mitigate Spectre, a subset of microarchitectural timing side-channel attacks affecting modern microprocessors.

Spectre vulnerabilities existed because branch mispredictions could result in private data becoming visible to attackers. Reptolines were introduced to mitigate the attack by replacing indirect jumps and calls with returns. Despite concerns, the risk associated with the behavior of return prediction in deep call stacks was considered low and reptolines became the main mitigation against Spectre.

While returns were deemed impractical to exploit to leak memory – because returns should not be predicted as indirect branches under normal microarchitectural conditions – the ETH Zurich researchers discovered that exploitation is, in fact, practical.

After reverse engineering the behavior of return instructions, the academics devised Retbleed, which exploits return instructions because there are specific microarchitectural conditions that can be triggered to force returns to be predicted like indirect branches, on both AMD and Intel processors.

“Our reverse engineering results show that all return instructions that follow sufficiently-deep call stacks can be hijacked using a precise branch history on Intel CPUs. On AMD CPUs, we find that any return instruction can be hijacked, regardless of the previous call stack, as long as the previous branch destination is correctly chosen during branch poisoning,” the academics note in their research paper.

On Intel chips, the researchers underflowed the return stack buffer – where return target predictions reside – which resulted in returns behaving like indirect jumps. The academics also say they could hijack all returns coming after the underflow.

“This happens upon executing deep call stacks. In our evaluation, we found over a thousand of such conditions that can be triggered by a system call,” the researchers say.

Advertisement. Scroll to continue reading.

On AMD chips, the researchers note, it is not necessary to underflow the return stack buffer, as mispredictions appear whenever there is a colliding indirect branch. Essentially, they discovered that they could poison the return instruction using an indirect jump and trick the branch predictor into predicting an indirect branch target instead of a return.

“This means that any return that we can reach through a system call can be exploited — and there are tons of them,” the researchers say.

“We also found that AMD CPUs exhibit phantom jumps (CVE-2022-23825): branch predictions that occur even in the absence of any corresponding branch instruction. Using the same technique we used to exploit Retbleed, we could omit the return instruction completely and observe branch target prediction on any given instruction,” the academics continue.

The researchers also discovered that many microarchitectures allow for the creation of collisions on kernel return instructions from user mode, meaning that an unprivileged attacker could “arbitrarily control the predicted target of such return instructions by branching into kernel memory,” even on systems with all deployed mitigations enabled.

The academics built an analysis framework on top of Linux testing and tracing facilities to identify microarchitecture-dependent vulnerable return instructions that an attacker can exploit to gain sufficient control over registers or memory.

“We saw that retpoline-protected Intel and AMD CPUs are vulnerable to Retbleed. Retpoline, as a Spectre mitigation, fails to consider return instructions as an attack vector,” the researchers underline.

Intel, which tracks the security flaws as CVE-2022-29901 and CVE-2022-28693, will selectively enable Indirect Branch Restricted Speculation (IBRS) on Retbleed-vulnerable systems, to prevent software from controlling the predicted targets of indirect branches.

To mitigate the vulnerabilities — tracked as CVE-2022-29900 and CVE-2022-23825 — AMD has introduced jmp2ret, which replaces returns in the kernel with direct jumps to a return thunk. The proposed solutions introduce up to 28% overhead.

Related: Academics Devise New Speculative Execution Attack Against Apple M1 Chips

Related: New Side-Channel Attack Targets Intel CPU Ring Interconnect

Related: CrossTalk: First Speculative Execution Attack Allowing Data Leaks Across Intel CPU Cores

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.