Researchers have released details of another entry in the Spectre family of speculative execution attacks on modern microprocessors, dubbed SpectreRSB, though there is disagreement over whether it is mitigated by protections introduced for earlier vulnerabilities.
Announced earlier this year following private disclosure in 2017, the Spectre and Meltdown families of vulnerabilities opened the floodgates on attacks against features added directly in silicon to modern processors as a means of improving performance. With software patches proving problematic, fully-secured silicon not yet on the cards, and increasing numbers of variants being discovered all the time, 2018 has been a tough year for Intel, AMD, and Arm, all of which have products affected by one or more of the vulnerabilities.
Hopes that the worst may be over, though, appear to be in vain, with a research paper spotted by Bleeping Computer detailing yet another variant on the Spectre theme: SpectreRSB.
Based on attacking the return stack buffer (RSB), SpectreRSB has been proven to allow attacks across processes and virtual machines, while also allowing access to private data, including passwords and security keys, supposedly protected by Intel's Software Guard Extensions (SGX) functionality.
There is some disagreement, however, over whether existing protections against prior speculative execution attacks extend to SpectreRSB. The University of California at Riverside (UCR) researchers who discovered the flaw claim that 'none of the known defences including Retpoline and Intel's microcode patches stop all SpectreRSB attacks'; Intel, by contrast, says that 'SpectreRSB is related to Branch Target Injection (CVE-2017-5715), and we expect that the exploits described in this paper are mitigated in the same manner.' The attack has also yet to be proven against AMD and Arm processors, though the researchers have warned both companies, as their implementations of RSB are expected to be vulnerable with little to no modification to the attack itself.
More information on SpectreRSB is available in the research paper 'Spectre Returns! Speculation Attacks using the Return Stack Buffer' (PDF warning).