Transcription of Speculative Buffer Overflows: Attacks and Defenses
{{id}} {{{paragraph}}}
Speculative Buffer Overflows: Attacks and DefensesVladimir Attacks that exploit Speculative execution can leakconfidential information via microarchitectural side chan-nels. The recently-demonstrated Spectre Attacks leveragespeculative loads which circumvent access checks to readmemory-resident secrets, transmitting them to an attackerusing cache timing or other covert communication , a new Spectre-v1 variant thatleverages speculativestoresto createspeculative Buffer over-flows. Much like classic Buffer overflows, Speculative out-of-bounds stores can modify data and code pointers. Data-valueattacks can bypass some Spectre-v1 mitigations, either di-rectly or by redirecting control flow. Control-flow attacksenable arbitrary Speculative code execution, which can by-pass fence instructions and all other software mitigationsfor previous Speculative -execution Attacks . It is easy to con-struct return-oriented-programming (ROP) gadgets that canbe used to build alternative attack also : on CPUs that do not enforceread/write protections, Speculative stores can overwriteread-onlydata and code pointers to breach highlight new risks posed by these vulnerabilities,discuss possible software mitigations, and sketch microarchi-tectural mechanisms that could serve as hardware have not yet evaluated the performance impact of ourproposed
1.1 Spectre1.1: Bounds Check Bypass on Stores Code vulnerable to Spectre1.1 is shown in Listing 2. During speculative execution, the processor may ignore the bounds
Domain:
Source:
Link to this page:
Please notify us if you found a problem with this document:
{{id}} {{{paragraph}}}