Researchers Revealed New Spectre-Class Attack

Researchers report that a new Spectre-type attack has emerged. It exploits the return stack buffer to expose memory in the targeted system.

Ever since Spectre was discovered at the beginning of this year, the hardware vulnerability has been giving sleepless nights to processor makers like Intel and AMD.

This is because Spectre-class attacks exploit flaws in the CPU hardware itself, and they have repeatedly been turned into damaging cyberattacks.

Now, a similar attack named “SpectreRSB” has been found by researchers, and the nature of the attack has been shared with Intel.

“RSB” stands for Return Stack Buffer. This new kind of attack has been described and demonstrated by a research team at the University of California Riverside.

The other major chipset maker, AMD, has been taken into confidence as well, since their processors too exhibit the same vulnerability on the return stack buffer. The third affected manufacturer is ARM.

“SpectreRSB” Attack Follows a Different Path

The curious thing about this new form of attack being reported is that it does not follow the same path that the previous Spectre attacks were seen to be following.

At the heart of this vulnerability is the technology added to the processors by the chip makers to enhance the performance of the machines they are installed in.

This is known as speculative execution: the CPU carries out instructions before it knows for certain that they will be needed, rather than waiting for that to be resolved.

There is then a short gap before the true return address is fetched from memory, and this time lag is enough for an attacker to plant malicious code for the CPU to execute speculatively and pry open the computer’s privileged memory.

Three Types of Attacks Mentioned

The researchers have published a report [PDF] detailing the work they did and their findings. In that paper, they have specified that there are three types of SpectreRSB attacks they could identify.

The first two attacks manipulate the return stack buffer to misdirect user code and then plant false return paths for speculative execution, thereby exposing data held in confidence.

The research team demonstrated the vulnerability in a proof-of-concept by actually poisoning the return sequence the CPU follows and showing how data is exposed to the attacker.

The third attack takes place inside an Intel Software Guard Extensions (SGX) enclave.

A Formidable Attack


The paper published by the researchers further details how the SpectreRSB attack bypasses the various patches that Intel had released earlier.

It can be concluded that the changes Intel introduced after the earlier Spectre attacks were reported have proven inadequate against this attack.

Intel may have to go back to the drawing board to address the newly discovered threat, since none of the patches it released against the earlier Spectre attacks have been able to stop SpectreRSB.

This is made clear by the fact that the exploit, once it has gained control through the vulnerability described above, can still read memory by steering the processor’s speculative execution.
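As an added example that is not part of the article or of the researchers’ paper: a small Python check that parses what a Linux kernel reports in /sys/devices/system/cpu/vulnerabilities/spectre_v2 (a real sysfs interface present since kernel 4.15) and flags hosts where the kernel does not report refilling the return stack buffer on context switch (the "RSB filling" token the kernel prints in that file). The host names and sample lines are constructed; the assessment reflects only what the kernel reports about its own mitigations, not a guarantee that the attack described above is blocked.

```python
"""Report the speculative-execution mitigation status a Linux kernel exposes.

Added defensive check, not code from the article or the UCR researchers.
It reads the real sysfs files under /sys/devices/system/cpu/vulnerabilities/
when run on Linux; the sample lines below are constructed for offline use.
"""
import os
import re
from dataclasses import dataclass, field

VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample contents of the spectre_v2 file, one per hypothetical host.
# The wording mirrors what the kernel's bugs.c prints; exact tokens vary by version.
SAMPLE_LINES = {
    "host-a": "Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling",
    "host-b": "Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW",
    "host-c": "Vulnerable",
    "host-d": "Not affected",
}


@dataclass
class SpeculationStatus:
    state: str                      # "Mitigation", "Vulnerable", "Not affected" or "Unknown"
    features: list = field(default_factory=list)  # comma-separated tokens after "Mitigation:"
    rsb_filling: bool = False       # kernel reports RSB refill on context switch


def parse_spectre_v2(line: str) -> SpeculationStatus:
    """Parse one spectre_v2 sysfs line into a structured status."""
    line = line.strip()
    if line.startswith("Not affected"):
        return SpeculationStatus("Not affected")
    if line.startswith("Vulnerable"):
        return SpeculationStatus("Vulnerable")
    m = re.match(r"Mitigation:\s*(.*)", line)
    if not m:
        return SpeculationStatus("Unknown")
    features = [f.strip() for f in m.group(1).split(",") if f.strip()]
    return SpeculationStatus("Mitigation", features, "RSB filling" in features)


def assess(line: str) -> str:
    """Reduce a parsed line to ok / partial / vulnerable for fleet reporting."""
    st = parse_spectre_v2(line)
    if st.state == "Not affected":
        return "ok"
    if st.state == "Mitigation" and st.rsb_filling:
        return "ok"
    if st.state == "Mitigation":
        # Some mitigations present, but the kernel does not report refilling the RSB.
        return "partial"
    return "vulnerable"


def read_live_status(path: str = VULN_DIR) -> dict:
    """Read every vulnerability file the running kernel exposes (empty dict off Linux)."""
    out = {}
    if not os.path.isdir(path):
        return out
    for name in sorted(os.listdir(path)):
        try:
            with open(os.path.join(path, name)) as fh:
                out[name] = fh.read().strip()
        except OSError:
            continue
    return out


if __name__ == "__main__":
    for host, sample in SAMPLE_LINES.items():
        print(f"{host}: {assess(sample)} <- {sample}")
    for name, value in read_live_status().items():
        print(f"{name}: {value}")
```

Run it on a Linux host to see the kernel’s own reporting beside the constructed samples; "partial" is the case worth chasing in a fleet, since it means branch-prediction mitigations are on but the kernel is not claiming to clear the return stack buffer across context switches.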

Intel has already said that its next generation of processors will address some of the weaknesses pointed out since the Spectre attacks were first reported by researchers in January.

Device makers will be informed of the patches as they are released and will apply them to the devices they build.

This will be a transitional arrangement until the new processors are manufactured and reach the market.
