SpectreRSB - the new CPU side-channel attack that can bypass patches

• The new attack can steal passwords, keys and more.
• SpectreRSB can also impact Intel’s SXG.

Security researchers have uncovered a new Spectre-class CPU side-channel attack called SpectreRSB. The attack, like other Spectre-class attacks, also takes advantage of the speculative execution feature found in all modern CPUs. Speculation execution is a performance-enhancing feature.

According to researchers at the University of California, Riverside (UCR), who detailed the new attack in a white paper, SpectreRSB has one major difference from previous Spectre-class attacks. Unlike previous attacks, SpectreRSB attacks a different speculative component of the CPU - the Return Stack Buffer (RSB).

Why target the RSB?

The new Spectre attack comes just two weeks after researchers Vladimir Kiriansky and Carl Waldspurger uncovered two variants of the Spectre vulnerability dubbed Spectre 1.1 and Spectre 1.2.

The RSB is part of the speculation execution routine used to predict the return addresses of an operation. According to UCR researchers, SpectreRSB is capable of polluting the RSB code to control the return address and, in turn, poison a targeted CPU’s speculative execution routine.

In essence, SpectreRSB does the same thing that previous Spectre attacks accomplished. The attack is capable of stealing various sensitive information such as passwords, keys and more from the CPU’s memory, which it ideally shouldn’t be able to affect.

Attack can recover data from Intel SXG

UCR researchers explained that attackers can leverage SpectreRSB in three kinds of attacks to pollute the RSB and gain access to sensitive data. In two of the attacks detailed by the researchers, the RSB is polluted to expose and recover data from other CPU applications.

In the third attack, the RSB is polluted to hamper the speculative process and expose data outside an SXG compartment. Intel SXG (Software Guard eXtensions) are hardware-separated secure exclaves used to process data - one of the highest protections Intel CPUs offer to developers. SpectreRSB also affects this kind of protection which is a major cause for concern.

UCR researchers said they’ve reported the issue to Intel as well as ARM and AMD, both of which may potentially impacted by the attack.

SpectreRSB can bypass patches

One of the most concerning aspects of the SpectreRSB attack is that it is capable of bypassing nearly all of the patches created to mitigate previous Spectre attacks.

“Importantly, none of the known defenses including Retpoline and Intel’s microcode patches stop all SpectreRSB attacks,” UCR researchers said in their white paper. “We believe that future system developers should be aware of this vulnerability and consider it in developing defenses against speculation attacks.”