RASSLE: Return Address Stack based Side-channel LEakage

Abstract: Microarchitectural attacks on computing systems often stem from simple artefacts in the underlying architecture. In this paper, we focus on the Return Address Stack (RAS), a small hardware stack present in modern processors to reduce the branch miss penalty by storing the return addresses of each function call. The RAS is useful to handle specifically the branch predictions for the RET instructions which are not accurately predicted by the typical branch prediction units. In particular, we envisage a spy proce… Show more

“…In our proposed covert channel, the error rate is equal to 8.6E-5%, which is considerably lower than previous work and therefore, no error correction technique is required. Our covert channel increases the bandwidth compared to [38], by 3.76×. Moreover, [38] has a 15% to 25% error rate.…”

“…Our covert channel increases the bandwidth compared to [38], by 3.76×. Moreover, [38] has a 15% to 25% error rate. Our method can send more bits per context switch by increasing the number of gadgets.…”

“…These attacks introduce effective covert channels based on commonly targeted system components. Recently, Chakraborty et al [38] proposes a covert channel based on RSB. In this method, the receiver first fills the RSB, then the sender executes a function or does nothing to push or not to push an irrelevant address to the RSB structure to transfer 1 or 0 to the receiver.…”

“…Our method can send more bits per context switch by increasing the number of gadgets. For instance, with four gadgets, in one context switch, the sender can transmit 00/01/10/11 to the receiver, and this increases the bandwidth, while [38] sends one bit for each context switch. Furthermore, the receiver in [38] should call N nested functions in a for loop to determine the transmitted value, which reduces the bandwidth and increases the error rate.…”

“…For instance, with four gadgets, in one context switch, the sender can transmit 00/01/10/11 to the receiver, and this increases the bandwidth, while [38] sends one bit for each context switch. Furthermore, the receiver in [38] should call N nested functions in a for loop to determine the transmitted value, which reduces the bandwidth and increases the error rate. Furthermore, unlike the cache-based covert channel, our covert channel on RSB does not rely on assumptions such as memory deduplication.…”

Comprehensive Evaluation of RSB and Spectre Vulnerability on Modern Processors

“…In our proposed covert channel, the error rate is equal to 8.6E-5%, which is considerably lower than previous work and therefore, no error correction technique is required. Our covert channel increases the bandwidth compared to [38], by 3.76×. Moreover, [38] has a 15% to 25% error rate.…”

“…Our covert channel increases the bandwidth compared to [38], by 3.76×. Moreover, [38] has a 15% to 25% error rate. Our method can send more bits per context switch by increasing the number of gadgets.…”

“…These attacks introduce effective covert channels based on commonly targeted system components. Recently, Chakraborty et al [38] proposes a covert channel based on RSB. In this method, the receiver first fills the RSB, then the sender executes a function or does nothing to push or not to push an irrelevant address to the RSB structure to transfer 1 or 0 to the receiver.…”

“…Our method can send more bits per context switch by increasing the number of gadgets. For instance, with four gadgets, in one context switch, the sender can transmit 00/01/10/11 to the receiver, and this increases the bandwidth, while [38] sends one bit for each context switch. Furthermore, the receiver in [38] should call N nested functions in a for loop to determine the transmitted value, which reduces the bandwidth and increases the error rate.…”

“…For instance, with four gadgets, in one context switch, the sender can transmit 00/01/10/11 to the receiver, and this increases the bandwidth, while [38] sends one bit for each context switch. Furthermore, the receiver in [38] should call N nested functions in a for loop to determine the transmitted value, which reduces the bandwidth and increases the error rate. Furthermore, unlike the cache-based covert channel, our covert channel on RSB does not rely on assumptions such as memory deduplication.…”

Comprehensive Evaluation of RSB and Spectre Vulnerability on Modern Processors

Side-Channeling the Kalyna Key Expansion

Spectre Declassified: Reading from the Right Place at the Wrong Time