Giorgi Maisuradze and Prof. Dr. Christian Rossow discovered a vulnerability, named ret2spec (return-to-speculation), that once again enables attackers to read data without authorization. At least all Intel processors of the past ten years are affected. Similar attack mechanisms could probably also be derived for ARM and AMD processors.
This fifth and hitherto unknown vulnerability in CPUs will be presented at the ACM Conference on Computer and Communications Security (CCS) in Toronto (Canada) in October. “The security gap is caused by CPUs predicting a so-called return address for runtime optimization,” says Rossow. “If an attacker can manipulate this prediction, he gains control over speculatively executed program code. It can read out data via side channels that should actually be protected from access.”
It is therefore possible, for example, for malicious web pages to read the memory of the browser in order to steal critical data such as stored passwords or to hijack browser sessions. A slight variation of the attack even makes it possible to read the memory contents of other processes, for example to read password entries from other users. “Both variations can be understood as an inverse Spectre attack, since return addresses are now also used in ret2spec – instead of forward jump addresses as in Spectre,” says Rossow.
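To make the mechanism in Rossow's description concrete, here is a small conceptual model of a return stack buffer (RSB), the structure a CPU uses to predict return addresses. This is an added illustration, not code from the paper or from CISPA, and it simplifies heavily: the buffer size of 16 entries, the circular overwrite of the oldest entry, and the "no prediction" result on an empty buffer are assumptions of the model, not statements from the article. It shows the one point that matters for this class of bug: the prediction is taken from the RSB, the real target comes from the stack in memory, and whenever the two diverge (a deeper call chain than the buffer holds, or a return address that was changed in memory after the call) the CPU speculatively runs code at the predicted address until the mismatch is resolved.

```python
from collections import deque
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RetEvent:
    """Outcome of one return instruction in the model."""
    predicted: Optional[int]  # address the RSB predicts (None = buffer was empty)
    actual: int               # architecturally correct return address from memory

    @property
    def mispredicted(self) -> bool:
        # A mismatch is exactly the window in which speculative execution
        # runs at the wrong address before the CPU squashes it.
        return self.predicted != self.actual


class ReturnStackBuffer:
    """Fixed-size circular stack of return-address predictions (assumed 16 entries)."""

    def __init__(self, size: int = 16) -> None:
        self.entries: deque = deque(maxlen=size)  # oldest entry dropped when full

    def push(self, addr: int) -> None:
        self.entries.append(addr)

    def pop(self) -> Optional[int]:
        return self.entries.pop() if self.entries else None


class Machine:
    """Toy CPU keeping both the in-memory stack and the RSB in sync on call."""

    def __init__(self, rsb_size: int = 16) -> None:
        self.stack: List[int] = []       # architectural stack (memory)
        self.rsb = ReturnStackBuffer(rsb_size)
        self.events: List[RetEvent] = []

    def call(self, return_addr: int) -> None:
        # A call records the return address in memory and in the predictor.
        self.stack.append(return_addr)
        self.rsb.push(return_addr)

    def overwrite_top_return(self, addr: int) -> None:
        # Program code modifying its own return address in memory; the RSB is
        # not a memory structure and therefore does not observe the change.
        self.stack[-1] = addr

    def ret(self) -> RetEvent:
        predicted = self.rsb.pop()
        actual = self.stack.pop()
        event = RetEvent(predicted, actual)
        self.events.append(event)
        return event


def run_balanced() -> List[RetEvent]:
    """Matching calls and returns: every prediction is correct."""
    m = Machine()
    for addr in (0x1000, 0x2000, 0x3000):  # constructed sample addresses
        m.call(addr)
    return [m.ret() for _ in range(3)]


def run_overwritten() -> RetEvent:
    """Return address changed in memory after the call: RSB predicts the stale value."""
    m = Machine()
    m.call(0x1000)
    m.overwrite_top_return(0x9999)
    return m.ret()


def run_overflow() -> List[RetEvent]:
    """Call chain deeper than the RSB: the oldest prediction is lost."""
    m = Machine(rsb_size=2)
    for addr in (0x1000, 0x2000, 0x3000):
        m.call(addr)
    return [m.ret() for _ in range(3)]


if __name__ == "__main__":
    for name, events in (("balanced", run_balanced()),
                         ("overwritten", [run_overwritten()]),
                         ("overflow", run_overflow())):
        for e in events:
            print(f"{name}: predicted={e.predicted} actual={e.actual:#x} "
                  f"mispredicted={e.mispredicted}")
```

The model deliberately stops at detecting the mismatch; what code runs at the predicted address, and what it can leak through a cache side channel, is the subject of the paper. From a defensive point of view the two divergence cases are the ones mitigations target: keeping the RSB from being underfilled (so the fallback prediction is never used) and ensuring that the prediction state does not survive across a privilege or process boundary.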
Manufacturers were notified of the weaknesses in May 2018 and were granted 90 days to remedy them before the results were published; that deadline has now expired. While operating systems already protect processes from reading each other's memory, many widely used browsers are still potentially vulnerable to malicious websites. In January 2018, two prominent vulnerabilities in processors (CPUs), Meltdown and Spectre, were announced, which allow attackers to read data on a computer that should be protected from access. Since then, hardware and software manufacturers have been working at full speed to close the four known vulnerabilities.
CISPA white paper: https://christian-rossow.de/publications/ret2spec-ccs2018.pdf