Spectre Attack

Creator: Seonglae Cho
Created: 2024 Jun 5 5:49
Edited: 2024 Jun 21 2:11
Spectre attacks induce a victim to speculatively perform operations that would not occur during strictly serialized in-order processing of the program's instructions. They abuse the conditional
Branch Prediction
mechanism of modern CPUs, i.e. the prediction made for conditional jump (jcc-family) instructions.

Spectre Attack Scenario

Spectre reuses existing program code, like a
Code Reuse Attack
:
  • Exfiltrates secrets within a process address space and can also be used to attack the kernel
  • Could use attacker-provided code (JIT) or co-opt existing program code (so-called Spectre gadgets, akin to ROP gadgets)
Spectre attacks cover more diverse scenarios than the
Meltdown Attack
.

A Spectre Gadget

Modern microprocessors may speculate beyond a bounds-check condition, meaning that the target of a conditional branch can be mispredicted; the Spectre gadget at the predicted target then executes transiently.

Spectre-v1

Bounds Check Bypass
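The gadget shape described above, together with the bounds-check-bypass mitigation, as an added example that is not from the original page: a constructed C layout with the classic Spectre-v1 gadget next to the same lookup hardened with a branchless index mask in the style of Linux's array_index_nospec(). The function names (lookup_unsafe, lookup_masked, index_mask_nospec) and the sample data are assumptions; the block shows the pattern a reviewer looks for and the fix, not a timing measurement.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed layout: a small public array directly followed by a secret the
 * bounds check is meant to keep unreachable. If the check is bypassed
 * speculatively, public_data[idx] with idx >= PUBLIC_LEN reads into secret. */
#define PUBLIC_LEN 16
static struct {
    uint8_t public_data[PUBLIC_LEN];
    char    secret[24];
} mem = { {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16},
          "constructed-secret" };

static uint8_t probe[256 * 512];  /* side-channel surface: one cache line per byte value */
static volatile uint8_t sink;     /* keeps the dependent load from being optimised out */

/* Classic Spectre-v1 gadget shape: an attacker-controlled index guarded by a
 * bounds check, followed by a second load whose address depends on the first. */
uint8_t lookup_unsafe(size_t idx) {
    if (idx < PUBLIC_LEN) {                 /* branch that can be mispredicted */
        uint8_t v = mem.public_data[idx];   /* transient out-of-bounds read */
        sink = probe[(size_t)v * 512];      /* encodes v into cache state */
        return v;
    }
    return 0;
}

/* Branchless mask (assumption: modelled on Linux's array_index_nospec): all ones
 * when idx < size, all zeros otherwise, computed without a predictable branch so
 * the index is clamped even while the CPU misspeculates past the check.
 * Assumes idx and size are below 2^63. */
static inline size_t index_mask_nospec(size_t idx, size_t size) {
    return (size_t)(~(intptr_t)(idx | (size - idx - 1)) >> (sizeof(size_t) * 8 - 1));
}

/* Same lookup, hardened: under misspeculation idx becomes 0, so the dependent
 * load can only ever leak a value from inside public_data. */
uint8_t lookup_masked(size_t idx) {
    if (idx < PUBLIC_LEN) {
        idx &= index_mask_nospec(idx, PUBLIC_LEN);
        uint8_t v = mem.public_data[idx];
        sink = probe[(size_t)v * 512];
        return v;
    }
    return 0;
}
```

Architecturally both functions return identical results; the difference is only visible in what the CPU may touch transiently, which is why a compiler or a unit test will not flag the unsafe version.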

Spectre-v2

Branch Target Injection, Branch Predictor Poisoning

A rogue application trains the indirect branch predictor to predict a branch to gadget code.
In other words, the processor incorrectly speculates down an indirect branch into existing code, but the target of that branch is under malicious user control, because the branch prediction hardware does not fully disambiguate branch targets.
The virtual address of a branch in the malicious user code is constructed to use the same predictor entry as a branch in another application, or in the OS kernel running at a higher privilege level (cross-process attacks have been demonstrated on x86).

Branch History Injection (May 2022)

Reuses existing entries in the BTB. It no longer poisons the destination address, so strictly speaking it is not a branch TARGET injection. Instead it injects branch history to force speculation to use an existing BTB entry that points to a gadget.

There are a lot of shared buffers in a CPU. Sadly, this is still an ongoing story.

One example is the BHI attack against the kernel, which uses an
eBPF
gadget to obtain a usable BTB entry.
Mitigation: flush the predictor state (CPU buffers) on a context switch to a new application (process).

Other Variants

  • Variant 3a/3b
  • Variant 4: Speculative Store Buffer Bypass

Recommendations