Post

RETbleed

Posted Updated
By Filippo Visconti 4 min read

Microarchitectural conditions to exploit Retbleed Intel. On Intel, returns start behaving like indirect jumps when the Return Stack Buffer, which holds return target predictions, is underflowed. This happens upon executing deep call stacks. In our evaluation, we found over a thousand of such conditions that can be triggered by a system call. The indirect branch target predictor for Intel CPUs has been studied in previous work.

AMD. On AMD, returns will behave like an indirect branch regardless of the state of their Return Address Stack. In fact, by poisoning the return instruction using an indirect jump, the AMD branch predictor will assume that it will encounter an indirect jump instead of a return and consequentially predict an indirect branch target. This means that any return that we can reach through a system call can be exploited — and there are tons of them.

Phantom JMPs We also found that AMD CPUs exhibit phantom jumps (CVE-2022-23825): branch predictions that occur even in the absence of any corresponding branch instruction. Using the same technique we used to exploit Retbleed, we could omit the return instruction completely and observe branch target prediction on any given instruction. This has significant implications for the exposed attack surface and mitigations. Read our addendum to the Retbleed paper if you want to know more.

The Retbleed attack exploits the following two vulnerabilities:

Return instructions can behave like indirect branches. This is because return instructions can be used to implement indirect jumps and calls. For example, the following code shows how to implement an indirect jump using a return instruction: jmp *rax This code will jump to the address stored in the rax register. If the rax register contains the address of a return instruction, then the code will effectively perform an indirect jump to the target of the return instruction.

The CPU can predict the target of a return instruction, even if the return instruction is not reachable through normal execution. This is because the CPU uses a history of previous return instructions to predict the target of the next return instruction. An attacker can exploit these two vulnerabilities to leak arbitrary kernel memory by using a return instruction to speculatively jump to a kernel address that the attacker controls. The attacker can then use the speculative execution to read data from the kernel memory and write it to a location that the attacker can access.

The following is a more detailed explanation of how the Retbleed attack works:

The attacker prepares a gadget that contains a return instruction to a kernel address that the attacker controls. The attacker trains the CPU’s branch prediction system to predict the return instruction in the gadget. This can be done by repeatedly executing the gadget in a loop. The attacker executes the gadget once more. This time, the CPU will speculatively execute the gadget, even though it is not reachable through normal execution. The attacker uses the speculative execution to read data from the kernel memory and write it to a location that the attacker can access. The attacker repeats steps 3 and 4 until all of the desired data has been leaked. The Retbleed attack is a serious vulnerability that could be exploited by attackers to gain access to sensitive kernel data. However, there are a number of mitigations that can be used to protect against the attack, including:

Retpoline implementation: AMD should implement the retpoline mitigation in a way that converts all indirect branches to return instructions, as Intel does. Return target prediction: CPU vendors should disable return target prediction. Kernel memory protection: The kernel should be protected from speculative execution using a technique such as IBRS or STIBP. Users can also mitigate Retbleed by keeping their systems up to date with the latest security patches.

Example Attack Scenario

The following is an example of how the Retbleed attack could be exploited to leak the contents of a kernel memory address:

The attacker prepares a gadget that contains a return instruction to the kernel memory address that they want to leak. The attacker trains the CPU’s branch prediction system to predict the return instruction in the gadget. The attacker executes the gadget once more. This time, the CPU will speculatively execute the gadget, even though it is not reachable through normal execution. The attacker uses the speculative execution to read the data at the kernel memory address and write it to a location that the attacker can access. The attacker repeats steps 3 and 4 until all of the data at the kernel memory address has been leaked. Once the attacker has leaked the contents of the kernel memory address, they can use the data to their advantage. For example, the attacker could use the data to escalate their privileges or to steal sensitive information.

Conclusion

The Retbleed attack is a serious vulnerability that could be exploited by attackers to gain access to sensitive kernel data. However, there are a number of mitigations that can be used to protect against the attack, including retpoline implementation, return target prediction, and kernel memory protection. Users can also mitigate Retbleed by keeping their systems up to date with the latest security patches.

hardware-security, lecture-notes
lecture-notes hardware-security Meltdown
This post is licensed under CC BY 4.0 by the author.