News & Events

UK SPS Seminar - 24th November Title: An Analysis of Speculative Type Confusion

Title: An Analysis of Speculative Type Confusion Vulnerabilities in the Wild 

Speaker: Adam Morrison (Tel Aviv University)


Abstract: Spectre v1 attacks, which exploit conditional branch misprediction, are often identified with attacks that bypass array bounds checking to leak data from a victim’s memory. Generally, however, Spectre v1 attacks can exploit any conditional branch misprediction that makes the victim execute code incorrectly. In this paper, we investigate speculative type confusion, a Spectre v1 attack vector in which branch mispredictions make the victim execute with variables holding values of the wrong type and thereby leak memory content.

We observe that speculative type confusion can be inadvertently introduced by a compiler, making it extremely hard for programmers to reason about security and manually apply Spectre mitigations. We thus set out to determine the extent to which speculative type confusion affects the Linux kernel. Our analysis finds exploitable and potentially-exploitable arbitrary memory disclosure vulnerabilities. We also find many latent vulnerabilities, which could become exploitable due to innocuous system changes, such as coding style changes.
Our results suggest that Spectre mitigations which rely on statically/manually identifying “bad” code patterns need to be rethought, and more comprehensive mitigations are needed.

Bio: Adam Morrison is an associate professor at the Blavatnik School of Computer Science, Tel Aviv University, Israel. His research is on the security and performance of shared-memory multiprocessors, from microarchitecture through operating systems to algorithms. His work has been awarded the Internet Defense Prize, the Intel Hardware Security Academic Award, several best paper awards (at the USENIX Security symposium, ASPLOS, and MICRO), as well as IEEE Micro Top Picks and Top Picks Honorable Mention distinctions.

Please feel free to forward to others who might be interested. 

UK-SPS is an inter-university seminar series on cyber security and privacy. Seminar details are also advertised on our websitecalendar and Twitter, and recordings will be available on our YouTube channel afterwards. 

Last modified: Mon, 29 Nov 2021 10:38:04 GMT