RETBLEED: Arbitrary Speculative Code Execution with Return Instructions presented at USENIX Security 2022

by Johannes Razavi

Tags: Hardware Security III


Summary: Modern operating systems rely on software defenses against hardware attacks. These defenses are, however, as good as the assumptions they make on the underlying hardware. In this paper, we invalidate some of the key assumptions behind retpoline, a widely deployed mitigation against Spectre Branch Target Injection (BTI) that converts vulnerable indirect branches to protected returns. We present RETBLEED, a new Spectre-BTI attack that leaks arbitrary kernel memory on fully patched Intel and AMD systems. Two insights make RETBLEED possible: first, we show that return instructions behave like indirect branches under certain microarchitecture-dependent conditions, which we reverse engineer. Our dynamic analysis framework discovers many exploitable return instructions inside the Linux kernel, reachable through unprivileged system calls. Second, we show how an unprivileged attacker can arbitrarily control the predicted target of such return instructions by branching into kernel memory. RETBLEED leaks privileged memory at the rate of 219 bytes/s on Intel Coffee Lake and 3.9 kB/s on AMD Zen 2.
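A defender's check that follows from the summary's thesis (retpoline alone no longer protects returns), added here as an example and not part of the paper: it reads the Linux sysfs vulnerability entries and flags a host whose only Spectre-BTI defense is retpoline while the kernel still reports returns as vulnerable. The sysfs path is the real one (the `retbleed` entry exists on kernels that carry the fix); the sample status strings are constructed to follow that file format.

```python
"""Classify a Linux host's Spectre-BTI/RETBLEED mitigation state from
/sys/devices/system/cpu/vulnerabilities (added example, not the paper's code)."""
import os
import re

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"  # real Linux sysfs path
ENTRIES = ("spectre_v2", "retbleed")

# Constructed sample: retpoline deployed, but the kernel reports returns
# as still exploitable (the situation RETBLEED describes).
SAMPLE_RETPOLINE_ONLY = {
    "spectre_v2": "Mitigation: Retpolines, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling",
    "retbleed": "Vulnerable",
}
# Constructed sample: a return-specific mitigation is in place.
SAMPLE_MITIGATED = {
    "spectre_v2": "Mitigation: Retpolines, IBPB: conditional, IBRS_FW, STIBP: always-on, RSB filling",
    "retbleed": "Mitigation: untrained return thunk",
}


def read_sysfs(directory=SYSFS_DIR):
    """Read each entry's status line; a missing file maps to None."""
    status = {}
    for name in ENTRIES:
        try:
            with open(os.path.join(directory, name)) as fh:
                status[name] = fh.read().strip()
        except OSError:
            status[name] = None  # older kernel without this entry, or not Linux
    return status


def assess(status):
    """Return 'unknown', 'not_affected', 'mitigated', 'retpoline_only' or 'unmitigated'.

    'retpoline_only' is the state the paper shows to be insufficient: spectre_v2
    is handled by retpoline, yet the retbleed entry still reports Vulnerable.
    """
    retbleed = status.get("retbleed")
    spectre_v2 = status.get("spectre_v2") or ""
    if retbleed is None:
        return "unknown"  # kernel predates the retbleed sysfs entry: cannot tell
    if retbleed.startswith("Not affected"):
        return "not_affected"
    if retbleed.startswith("Mitigation:"):
        return "mitigated"
    # retbleed reports Vulnerable: check whether retpoline is all that is deployed
    if re.search(r"\bRetpolines?\b", spectre_v2):
        return "retpoline_only"
    return "unmitigated"


if __name__ == "__main__":
    print(assess(read_sysfs()))
```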