The talk discusses how memory corruption defenses can be bypassed using speculative execution attacks, with a focus on stack protectors, control flow integrity, and bounds checks in Go. The speakers demonstrate how information can be leaked by redirecting the speculative control flow of the victim to a gadget accessing secret data and acting as a side-channel send. They also show how this can be achieved by stitching together multiple gadgets in a speculative return-oriented programming attack.
- Memory corruption defenses can be bypassed using speculative execution attacks
- Stack protectors, control flow integrity, and bounds checks in Go can be bypassed under certain conditions
- Information can be leaked by redirecting the speculative control flow of the victim to a gadget accessing secret data and acting as a side-channel send
- Multiple gadgets can be stitched together in a speculative return-oriented programming attack
The speakers provide an example of a speculative execution attack, specifically the Spectre version 101 attack which leverages a buffer overflow. The attack accesses a buffer and a bounds check is performed before making a write. However, the attacker can use speculative execution to bypass the bounds check and access secret data through a side channel.
The prevalence of memory corruption bugs in the past decades resulted in numerous defenses, such as stack canaries, control flow integrity (CFI), and memory-safe languages. These defenses can prevent entire classes of vulnerabilities, and help increase the security posture of a program. In this talk, we show that memory corruption defenses can be bypassed using speculative execution attacks. We study the cases of stack protectors, CFI, and bounds checks in Go, demonstrating under which conditions they can be bypassed by a form of speculative control flow hijack, relying on speculative or architectural overwrites of control flow data. Information is leaked by redirecting the speculative control flow of the victim to a gadget accessing secret data and acting as a side-channel send. We also demonstrate, for the first time, that this can be achieved by stitching together multiple gadgets, in a speculative return-oriented programming attack.