A group of researchers from ETH Zurich has disclosed a new variant of attack on the speculative execution of indirect branches in CPUs, which can be used to extract data from kernel memory or to attack the host system from inside a virtual machine. The vulnerability has been given the code name Retbleed (CVE-2022-29900, CVE-2022-29901) and is closely related to the Spectre-v2 attacks. The difference is that the attacker triggers speculative execution of arbitrary code while the processor handles a "RET" (return) instruction, which takes its target address from the stack, rather than an indirect "JMP" whose target is loaded from memory or from a CPU register.
The attacker can create the conditions for a branch misprediction and steer speculative execution into a code block that the program's logic never intended to reach. Eventually the processor determines that the prediction was wrong and rolls the operation back to the original architectural state, but data touched during speculative execution is left behind in the cache and in microarchitectural buffers. If the wrongly executed block accesses memory, its speculative execution loads the data read from memory into the shared cache.
To recover the data left in the cache after the speculative operations, the attacker can use side-channel techniques, for example by comparing access times for cached and uncached data. For targeted extraction of data from regions at a different privilege level (for example, kernel memory), "gadgets" are used: instruction sequences already present in the kernel that, when executed speculatively, read memory in a way that depends on conditions the attacker can influence.
To protect against classic Spectre-class attacks that exploit the prediction of indirect branches, most operating systems use the "retpoline" technique, which replaces an indirect branch with a construct that transfers control through a "RET" instruction; processors predict the target of RET from a separate return stack buffer (RSB) rather than from the branch target predictor. When retpoline was introduced in 2018, it was believed that Spectre-style manipulation of predicted addresses was not practical for speculative control transfer through "RET".
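As an added illustration of the retpoline construct described above (example code written for this article, not the researchers' code or a compiler's thunk), the following C program calls a function pointer once through a plain indirect call and once through a hand-written x86-64 retpoline thunk in GNU inline assembly. The function names, the `call_retpoline` helper and its clobber list are assumptions of the example; on targets other than x86-64 the thunk is replaced by a plain indirect call so that the program still builds.

```c
/* Added example: a hand-written x86-64 retpoline thunk in GNU inline asm.
 * Written for this article; it is not the researchers' code or a compiler's
 * thunk.  Build with gcc or clang on x86-64 Linux (SysV ABI). */
#include <stdint.h>
#include <stdio.h>

typedef uint64_t (*handler_fn)(uint64_t);

/* Two sample targets for the indirect call (constructed for the example). */
static uint64_t double_it(uint64_t x) { return x * 2; }
static uint64_t negate_it(uint64_t x) { return ~x; }

/* Plain indirect call: the target is predicted from the Branch Target
 * Buffer (BTB), which a Spectre-v2 attacker can train from another context. */
uint64_t call_plain(handler_fn fn, uint64_t arg)
{
    return fn(arg);
}

#if defined(__x86_64__)
/* Retpoline: the indirect branch becomes CALL + RET.  The inner CALL pushes
 * the address of the capture loop, so the Return Stack Buffer (RSB) predicts
 * that the RET goes back to the loop, where speculation spins on PAUSE/LFENCE.
 * Meanwhile the real target overwrites the return address on the stack, so
 * the architectural RET lands in fn.  Retbleed matters because on affected
 * CPUs the RET's target may be taken from the BTB instead of the RSB. */
__attribute__((noinline))
uint64_t call_retpoline(handler_fn fn, uint64_t arg)
{
    uint64_t rax = (uint64_t)(uintptr_t)fn;  /* target in rax; result returns in rax */
    uint64_t rdi = arg;                      /* first argument register in the SysV ABI */
    __asm__ volatile(
        "mov %%rsp, %%r12\n\t"        /* save rsp in a callee-saved register   */
        "sub $128, %%rsp\n\t"         /* step over the SysV red zone           */
        "and $-16, %%rsp\n\t"         /* 16-byte alignment before the CALL     */
        "call 3f\n\t"                 /* like 'call __x86_indirect_thunk_rax'  */
        "jmp 4f\n\t"                  /* fn returns here, then leave the thunk */
        "3:\n\t"
        "call 1f\n\t"                 /* RSB now predicts RET -> label 2       */
        "2:\n\t"
        "pause\n\t"                   /* speculative path is trapped here ...  */
        "lfence\n\t"                  /* ... until the misprediction resolves  */
        "jmp 2b\n\t"
        "1:\n\t"
        "mov %%rax, (%%rsp)\n\t"      /* replace the return address with fn    */
        "ret\n\t"                     /* architecturally jumps to fn           */
        "4:\n\t"
        "mov %%r12, %%rsp\n\t"        /* restore the original stack pointer    */
        : "+a"(rax), "+D"(rdi)
        :
        : "rsi", "rdx", "rcx", "r8", "r9", "r10", "r11", "r12",
          "xmm0", "xmm1", "xmm2", "xmm3", "xmm4", "xmm5", "xmm6", "xmm7",
          "xmm8", "xmm9", "xmm10", "xmm11", "xmm12", "xmm13", "xmm14", "xmm15",
          "memory", "cc");
    return rax;
}
#else
/* Stand-in on other architectures so the example still builds: the
 * retpoline construct is x86-specific, so this is a plain indirect call. */
uint64_t call_retpoline(handler_fn fn, uint64_t arg)
{
    return fn(arg);
}
#endif

int main(void)
{
    printf("plain:     double_it(21) = %llu\n",
           (unsigned long long)call_plain(double_it, 21));
    printf("retpoline: double_it(21) = %llu\n",
           (unsigned long long)call_retpoline(double_it, 21));
    printf("retpoline: negate_it(0)  = 0x%llx\n",
           (unsigned long long)call_retpoline(negate_it, 0));
    return 0;
}
```

In practice the thunk is emitted by the compiler rather than written by hand (GCC's `-mindirect-branch=thunk`, clang's `-mretpoline`), and kernels build with such flags. The construct only works as long as the CPU predicts the RET from the RSB; Retbleed shows that on affected processors the RET can instead be predicted from the attacker-trainable BTB, which is exactly the assumption the thunk relies on.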