Speculative execution is an optimization technique that has been part of CPUs for over a decade. It predicts the outcome and target of branch instructions to avoid stalling the execution pipeline. However, until recently, the security of speculative code execution has not been studied. In this paper, we investigate a special type of branch predictor that is used for predicting return addresses. To the best of our knowledge, we are the first to study return address predictors and their consequences for the security of modern software. In our work, we show how return stack buffers (RSBs), the core unit of return address predictors, can be used to trigger misspeculation. Based on this knowledge, we propose two new attack variants using RSBs that give attackers similar capabilities as the documented Spectre attacks. We show how local attackers can gain arbitrary speculative code execution across processes, e.g., to leak passwords another user enters on a shared system. Our evaluation showed that the recent Spectre countermeasures in operating systems can also cover such RSB-based cross-process attacks. Yet we then demonstrate that attackers can trigger misspeculation in sandboxed environments in order to leak arbitrary memory content of browser processes. Reading outside the sandboxed memory region with JIT-compiled code is still possible with 80% accuracy on average.
Maisuradze et al. studied this question.