"Older AMD, Intel Chips Vulnerable to Data-Leaking 'Retbleed' Spectre Variant"

Despite existing defenses, older AMD and Intel chips are vulnerable to another Spectre-based speculative-execution attack that exposes secrets in kernel memory, and mitigating this side channel is expected to cost performance. The attack, dubbed Retbleed by ETH Zurich computer scientists Johannes Wikner and Kaveh Razavi, joins the family of speculative-execution flaws known as Spectre-BTI (Spectre variant 2), which are exploited through branch target injection. By abusing a processor's indirect branch predictors, an attacker can influence which operations are carried out speculatively after a near indirect branch instruction; training the predictor with a chosen target steers that speculation into code whose side effects (for example on the cache) reveal secret data values. Rogue software on a machine can use Retbleed to obtain passwords, keys, and other secrets from memory. As with all Spectre flaws, malware that wants to steal data usually has easier routes: vulnerabilities in operating systems and applications, or social engineering of the user, neither of which requires attacking the host processor.

Retbleed, unlike its siblings, exploits return instructions. Existing defenses deployed against Spectre-BTI include kernel page-table isolation (KPTI), retpoline, user pointer sanitization, and disabling unprivileged eBPF. Retpoline works by replacing indirect branch instructions with return instructions, on the assumption that returns are predicted from the return stack buffer rather than the indirect branch predictor; since Retbleed hijacks the prediction of return instructions themselves, it effectively bypasses this defense. Retbleed came out of an investigation into how a processor's branch predictor unit behaves with indirect branches. According to the researchers, using a precise branch history on Intel CPUs, all return instructions that follow sufficiently deep call stacks can be hijacked: the return stack buffer holds a limited number of entries, and once it underflows the processor falls back to the indirect branch predictor that the attacker has trained. On AMD processors, they found that any return instruction, regardless of the previous call stack, can be hijacked as long as the previous branch destination is correctly chosen during branch poisoning.
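To make the Intel/AMD difference and the retpoline point concrete, the following toy model of return prediction is added to this summary as an illustration; it is not code from the researchers, from The Register, or from any CPU vendor. It models a return stack buffer (RSB) as a bounded stack that is pushed on CALL and popped on RET, and a branch target buffer (BTB) as a map from branch-instruction address to an attacker-trained target. The 16-entry RSB depth, the instruction and gadget addresses, and the `intel`/`amd` switch are assumptions of the model; the AMD rule simply encodes the page's description (any return, regardless of call stack, once the matching BTB entry is poisoned), and the Intel rule encodes the RSB-underflow fallback described above.

```python
"""Toy model of RET prediction under Retbleed-style branch poisoning.

Added illustration, not code from the Retbleed paper or the article.
All sizes and addresses below are model assumptions.
"""
from collections import deque

RSB_DEPTH = 16            # assumed RSB depth; real parts differ
POISONED_TARGET = 0xBAD   # hypothetical attacker-chosen disclosure gadget
CAPTURE_LOOP = 0xCAFE     # hypothetical address of a retpoline's pause/lfence loop
RET_INSN_BASE = 0x1000    # hypothetical addresses of the victim's RET instructions
RET_ADDR_BASE = 0x2000    # hypothetical addresses those RETs should return to


class ReturnPredictor:
    """Picks the speculative target for a RET on a modelled 'intel' or 'amd' core."""

    def __init__(self, arch, rsb_depth=RSB_DEPTH):
        if arch not in ("intel", "amd"):
            raise ValueError("model supports 'intel' or 'amd' only")
        self.arch = arch
        # Bounded stack: when full, a new CALL silently overwrites the oldest entry.
        self.rsb = deque(maxlen=rsb_depth)
        # Indirect-branch predictor keyed by branch-instruction address.
        self.btb = {}

    def poison(self, branch_addr, target):
        """Branch target injection: the attacker trains the BTB entry for branch_addr."""
        self.btb[branch_addr] = target

    def call(self, return_addr):
        """CALL pushes the architectural return address onto the RSB."""
        self.rsb.append(return_addr)

    def predict_ret(self, ret_insn_addr):
        """Predicted target of the RET at ret_insn_addr, or None if nothing to predict from."""
        rsb_pred = self.rsb.pop() if self.rsb else None   # RET always consumes an RSB entry
        btb_pred = self.btb.get(ret_insn_addr)
        if self.arch == "amd":
            # Page's description: a poisoned BTB entry wins regardless of the call stack.
            return btb_pred if btb_pred is not None else rsb_pred
        # Modelled Intel behaviour: RSB first; only on underflow fall back to the BTB.
        return rsb_pred if rsb_pred is not None else btb_pred


def count_hijacked_returns(arch, call_depth, poison=True):
    """Victim makes call_depth nested calls, then unwinds them.

    Returns how many RETs on the unwind are predicted to the attacker's target.
    """
    pred = ReturnPredictor(arch)
    ret_insns = [RET_INSN_BASE + 4 * i for i in range(call_depth)]
    ret_addrs = [RET_ADDR_BASE + 4 * i for i in range(call_depth)]
    if poison:
        for insn in ret_insns:           # attacker trains every RET site in the chain
            pred.poison(insn, POISONED_TARGET)
    for addr in ret_addrs:               # descend: each CALL pushes a return address
        pred.call(addr)
    hijacked = 0
    for insn in reversed(ret_insns):     # unwind: outermost RETs execute last
        if pred.predict_ret(insn) == POISONED_TARGET:
            hijacked += 1
    return hijacked


def retpoline_ret_prediction(arch, thunk_ret_insn=0x3000):
    """Model a retpoline thunk: CALL pushes the capture loop's address, the thunk
    overwrites that stack slot with the real target and executes RET. Architecturally
    the RET reaches the real target; this returns what the core *predicts*."""
    pred = ReturnPredictor(arch)
    pred.poison(thunk_ret_insn, POISONED_TARGET)   # attacker has trained this RET too
    pred.call(CAPTURE_LOOP)
    return pred.predict_ret(thunk_ret_insn)


if __name__ == "__main__":
    for arch in ("intel", "amd"):
        for depth in (1, RSB_DEPTH, RSB_DEPTH + 4):
            print(f"{arch}: depth {depth:2d} -> {count_hijacked_returns(arch, depth)} hijacked RETs")
        print(f"{arch}: retpoline RET predicted to {retpoline_ret_prediction(arch):#x}")
```

In the modelled Intel case, a chain no deeper than the RSB yields no hijacked returns, while a chain of RSB_DEPTH + 4 calls yields exactly four: the four outermost returns, which execute after the RSB has been drained and so fall back to the poisoned BTB. In the modelled AMD case every poisoned return is hijacked even at depth one. The retpoline thunk's own RET is predicted from the RSB entry its preceding CALL pushed (the capture loop) on the Intel model, which is why retpoline protects the indirect branch it replaces yet does nothing for the kernel's ordinary returns after a deep call stack.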
This article continues to discuss findings surrounding the Retbleed Spectre variant.

The Register reports "Older AMD, Intel Chips Vulnerable to Data-Leaking 'Retbleed' Spectre Variant"
