Spectre Returns! Speculation Attacks using the Return Stack Buffer

Koruyeh, Esmaeil Mohammadian; Khasawneh, Khaled; Song, Chengyu; Abu-Ghazaleh, Nael

doi:10.48550/arxiv.1807.07940

Cited by 2 publications

(3 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Koruyeh et al mentions in SpectreRSB paper [32] that the microcode patch "RSB-refilling" is not specifically applied for SGX enclaves. Based on this we draw the conclusion that RSB-refilling ought to be implemented either the SDKs or compilers, if they wish to ensure protection against the SpectreRSB.…”

Section: Discussion On the Current Status Of Mitigationsmentioning

confidence: 99%

“…The authors presented the SgxPectre attack and used it to extract the secret seal keys and attestation keys from Intel signed quoting enclaves. In [32] Koruyeh et al proposed the SpectreRSB attack which alternatively uses the return stack buffer which is a structure in modern CPUs used to speculatively predict the return address of execution frames (functions). SgxSpectre in [33] (not to be confused with SgxPectre [31]) also demonstrated a successful attack on SGX enclaves using a slight modification of the Spectre variant 1 attack.…”

Section: Speculative Execution Attacks [31]-[33]mentioning

confidence: 99%

See 1 more Smart Citation

A Survey of Published Attacks on Intel SGX

Nilsson,

Bideh,

Brorsson

2020

Preprint

View full text Add to dashboard Cite

Intel Software Guard Extensions (SGX) provides a trusted execution environment (TEE) to run code and operate sensitive data. SGX provides runtime hardware protection where both code and data are protected even if other code components are malicious. However, recently many attacks targeting SGX have been identified and introduced that can thwart the hardware defence provided by SGX. In this paper we present a survey of all attacks specifically targeting Intel SGX that are known to the authors, to date. We categorized the attacks based on their implementation details into 7 different categories. We also look into the available defence mechanisms against identified attacks and categorize the available types of mitigations for each presented attack.

show abstract

Section: Discussion On the Current Status Of Mitigationsmentioning

confidence: 99%

Section: Speculative Execution Attacks [31]-[33]mentioning

confidence: 99%

A Survey of Published Attacks on Intel SGX

Nilsson,

Bideh,

Brorsson

2020

Preprint

View full text Add to dashboard Cite

show abstract

“…With a decreasing number of available targets for software attacks, the attention of adversaries is more frequently drawn to exploitable weaknesses in hardware. Although hardware attacks such as microarchitectural side channels [1], [3], [6], [19], [26], [44], [56], [57], covert channels [17], [24], [49], [54], and power analysis [2], [34], [48], [50], [55] attacks have been known for a long time, only recently did researchers demonstrate the true power of microarchitectural attacks with newly discovered speculative execution attacks, such as Meltdown [42], [73] and Spectre [13], [32], [33], [35], [47], [67]. These attacks are based on speculative (transient) execution, a performance optimization technique present in nearly all of today's processors.…”

Section: Introductionmentioning

confidence: 99%

STBPU: A Reasonably Secure Branch Prediction Unit

Zhang¹,

Lesch²,

Koltermann³

et al. 2021

Preprint

View full text Add to dashboard Cite

Modern processors have suffered a deluge of dangerous side channel and speculative execution attacks that exploit vulnerabilities rooted in branch predictor units (BPU). Many such attacks exploit the shared use of the BPU between unrelated processes, which allows malicious processes to retrieve sensitive data or enable speculative execution attacks. Attacks that exploit collisions between different branch instructions inside the BPU are among the most dangerous. Various protections and mitigations are proposed such as CPU microcode updates, secured cache designs, fencing mechanisms, invisible speculations. While some effectively mitigate speculative execution attacks, they overlook BPU as an attack vector, leaving BPU prone to malicious collisions and resulting critical penalty such as advanced micro-op cache attacks. Furthermore, some mitigations severely hamper the accuracy of the BPU resulting in increased CPU performance overhead. To address these, we present the secret token branch predictor unit (STBPU), a branch predictor design that mitigates collision-based speculative execution attacks and BPU side channel whilst incurring little to no performance overhead. STBPU achieves this by customizing inside data representations for each software entity requiring isolation. To prevent more advanced attacks, STBPU monitors hardware events and preemptively changes how STBPU data is stored and interpreted.

show abstract

Spectre Returns! Speculation Attacks using the Return Stack Buffer

Cited by 2 publications

References 17 publications

A Survey of Published Attacks on Intel SGX

A Survey of Published Attacks on Intel SGX

STBPU: A Reasonably Secure Branch Prediction Unit

Contact Info

Product

Resources

About