Reinforcing meltdown attack by using a return stack buffer


This article is free to access.

Abstract

Meltdown is a microarchitectural side-channel attack that extracts sensitive data in the kernel space of operating systems (OSs). Meltdown deliberately creates transient executions by exploiting an out-of-order execution technique and obtains the execution results through a cache covert channel. In a previous attack, an OS signal handler and hardware transactional memory support (i.e., Intel TSX) were used to establish the cache covert channel. However, both methods restricted the effectiveness of the attack owing to the large amount of system noise caused by the context switching of signal handlers and the narrow range of TSX-enabled processors. Hence, we propose a new variant of the Meltdown attack using a return stack buffer (RSB). The RSB enables the establishment of a low-noise cache covert channel without relying on processor-specific hardware features, such as TSX. The wide usage of the RSB in commodity processors further improves the effectiveness of the proposed attack. We present the details of our implementation of the attack and evaluate the performance. Furthermore, we overview several existing countermeasures against the proposed attack.

Citation (APA)

Kim, T., & Shin, Y. (2019). Reinforcing meltdown attack by using a return stack buffer. IEEE Access, 7, 186065–186077. https://doi.org/10.1109/ACCESS.2019.2961158
