The Spectre Looms Over Us Still

The Spectre attack has been an unexpected danger to our security since January of this year. It exploits speculative execution in most modern processors to leak sensitive information to an attacker. Speculative execution lets a processor run instructions in parallel and, where one instruction depends on the result of another, predict which instructions are likely to execute next rather than wait for the result. With hundreds of instructions in flight, good predictions provide a significant performance gain. The Spectre attack begins by mistraining the processor with code that induces erroneous speculative execution and, as a side effect, creates covert side channels for exfiltration. The attacker then has the victim perform an action that is normally allowed and that requests sensitive information. Because permissions are not checked until the instructions are committed, the speculative path reads the sensitive information without difficulty and modifies the cache state in an observable way. The erroneous instructions are then discarded, but the attacker recovers the information from the cache regardless.
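As an added illustration that is not part of the original article, the C below shows the gadget shape this description implies, a normally allowed, bounds-checked table read, beside the hardened form used in the Linux kernel: a branchless index mask (modelled on the kernel's array_index_mask_nospec) so that even a mispredicted path cannot address memory outside the table. The table contents and probe indices are constructed sample data.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data: a small public table. In a real victim, secret
 * data would sit somewhere beyond its end in the same address space. */
#define PUBLIC_LEN 16
static const uint8_t public_table[PUBLIC_LEN] =
    {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15};

/* Branchless mask: all ones when idx < len, zero otherwise. When idx >= len,
 * len-1-idx wraps and sets the top bit; ~ and an arithmetic shift smear that
 * bit across the word. No branch means nothing for a predictor to mistrain.
 * Assumes idx, len < 2^63 and a sign-extending right shift (gcc/clang). */
static inline size_t index_mask_nospec(size_t idx, size_t len)
{
    intptr_t m = ~(intptr_t)(idx | (len - 1 - idx));
    return (size_t)(m >> (sizeof(size_t) * CHAR_BIT - 1));
}

/* Index a speculative load would use after clamping: never outside the table. */
size_t clamped_index(size_t idx)
{
    return idx & index_mask_nospec(idx, PUBLIC_LEN);
}

/* Gadget shape the text describes: the bounds check is a branch, so a
 * mistrained predictor can run the load speculatively with an out-of-range
 * idx before the check resolves. The result is discarded architecturally,
 * but the cache line touched depends on the out-of-range byte. */
uint8_t lookup_branchy(size_t idx)
{
    if (idx < PUBLIC_LEN)
        return public_table[idx];
    return 0;
}

/* Hardened form: same check, but the index is also clamped arithmetically,
 * so even the mispredicted path can only address public_table. */
uint8_t lookup_masked(size_t idx)
{
    if (idx < PUBLIC_LEN)
        return public_table[clamped_index(idx)];
    return 0;
}

int main(void)
{
    size_t probes[] = {3, 15, 16, 1000, SIZE_MAX};
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("idx=%zu clamped=%zu branchy=%u masked=%u\n", probes[i],
               clamped_index(probes[i]), lookup_branchy(probes[i]), lookup_masked(probes[i]));
    return 0;
}
```

Both lookups return the same values to the caller; the difference is only in which addresses the mispredicted path can touch.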

Researchers at the University of California, Riverside (UCR) have discovered a new form of the attack, named SpectreRSB, that uses the Return Stack Buffer (RSB) instead of the Branch Target Buffer to acquire and smuggle sensitive information. Instead of causing the branch predictor to misspeculate onto a poisoned branch target, SpectreRSB poisons the return address held in the RSB.

Intel already has a patch, but only on Core i7 Skylake and later processors. The patch is called RSB refilling, and it fills the RSB with a benign address whenever there is a switch into the kernel. Some of the attacks proposed in the UCR paper can bypass RSB refilling, but the researchers believe their proof-of-concept attacks are unlikely to be practical because of the difficulty of implementing the gadget that smuggles the return address into the cache in a recoverable form.
Sources: 