CISPA
cispa_all_2730.pdf (748.8 kB)

Ret2Spec: Speculative Execution Using Return Stack Buffers

conference contribution
posted on 2023-11-29, 18:08 authored by Giorgi Maisuradze, Christian Rossow
Speculative execution is an optimization technique that has been part of CPUs for over a decade. It predicts the outcome and target of branch instructions to avoid stalling the execution pipeline. However, until recently, the security implications of speculative code execution have not been studied. In this paper, we investigate a special type of branch predictor that is responsible for predicting return addresses. To the best of our knowledge, we are the first to study return address predictors and their consequences for the security of modern software. In our work, we show how return stack buffers (RSBs), the core unit of return address predictors, can be used to trigger misspeculations. Based on this knowledge, we propose two new attack variants using RSBs that give attackers similar capabilities as the documented Spectre attacks. We show how local attackers can gain arbitrary speculative code execution across processes, e.g., to leak passwords another user enters on a shared system. Our evaluation showed that the recent Spectre countermeasures deployed in operating systems can also cover such RSB-based cross-process attacks. Yet we then demonstrate that attackers can trigger misspeculation in JIT environments in order to leak arbitrary memory content of browser processes. Reading outside the sandboxed memory region with JIT-compiled code is still possible with 80% accuracy on average.

Preferred Citation

Giorgi Maisuradze and Christian Rossow. Ret2Spec: Speculative Execution Using Return Stack Buffers. In: ACM Conference on Computer and Communications Security (CCS). 2018.

Primary Research Area

  • Threat Detection and Defenses

Name of Conference

ACM Conference on Computer and Communications Security (CCS)

Legacy Posted Date

2018-10-23

Open Access Type

  • Unknown

BibTeX

@inproceedings{cispa_all_2730,
  title = "Ret2Spec: Speculative Execution Using Return Stack Buffers",
  author = "Maisuradze, Giorgi and Rossow, Christian",
  booktitle = "{ACM Conference on Computer and Communications Security (CCS)}",
  year = "2018",
}
